
Re: A REST challenge

From: Paul Prescod <paul@prescod.net>
Date: Tue, 16 Jul 2002 14:11:41 -0700
Message-ID: <3D348C0D.A171033E@prescod.net>
To: www-ws-arch@w3.org

Miles Sabin wrote:
> 
> ...
> 
> Hmm ... how about if I buy a stack of DVDs from Amazon but point further
> electronic (ie. billing) correspondence at mailto:paul@prescod.net?

I would not call that a protocol level issue. It's a business policy
issue.

If you express the business policy then I will tell you what protocol
interactions to use. For instance if you say that "customers must have a
pre-existing relationship with the corporation" then I'll say that
customers should be resources and they should have URIs and passwords
(or else "capability URIs").

If you say that anyone can be a customer as long as they give a
credit-card number and expiry date, then obviously you need to collect
that information before you accept that they have incurred an
obligation.

> Yes, of course there are mechanisms aplenty which would prevent this
> kind of abuse, but, and I think this was Francis' point, they typically
> depend on being able to assert that party-X-in-sending-role ==
> party-X-in-receiving-role. 

Not at all. If the party in the receiving role is willing to respond
with a credit card number then why do I care whether they are the party
that initiated the transaction? They are willing to pay for the service,
whoever they are. If you tell your pizza guy: "I didn't order this, my
neighbour ordered it for me, here's the credit card number" is he going
to ask why your neighbour is helping you order pizza? The pizza is at
the right address and he is going to be paid before you get your hands
on it. 

But this doesn't really have anything to do with REST. REST can handle
either the identity-required or the identity-irrelevant models.

> .... Mark didn't accommodate that aspect of the
> challenge in his solution ... and it's not clear to me that REST on its
> own is capable of supporting that kind of assertion. 

REST/HTTP alone cannot support any kind of assertion. You need both
nouns and verbs to have a conversation and HTTP only supplies the verbs.
In the web architecture, the richest model for nouns and
assertions/business rules about nouns is RDF and its associated
specifications.

-- 
Come discuss XML and REST web services at:
  Open Source Conference: July 22-26, 2002, conferences.oreillynet.com
  Extreme Markup: Aug 4-9, 2002,  www.extrememarkup.com/extreme/
Received on Tuesday, 16 July 2002 17:12:33 GMT
