Re: AG004 Closure Sought from Hugo Haas on 2002-07-22 (www-ws-arch@w3.org from July 2002)

From: Hugo Haas <hugo@w3.org>
Date: Mon, 22 Jul 2002 16:43:16 -0400
To: www-ws-arch@w3.org
Cc: Rigo Wenning <rigo@w3.org>
Message-ID: <20020722204316.GI4462@jibboom.w3.org>

[ Copying Rigo Wenning since the proposal originated from a discussion
  I had with him. ]

* Joseph Hui <Joseph.Hui@exodus.net> [2002-07-14 23:39-0700]
> 5) Privacy requirements to be solidified.
>    During the last F2F we did not get around to finalize
>    the verbiage for the Privacy req's.  So there seems
>    to be still considerable req-related work to be done.

Joseph asked me to champion AC020[1].

At the last face-to-face meeting[2], we accepted AC020, AC020.1,
AC020.2, AC020.3, rejected AC020.4, and proposed AC020.5

I would like to request two minor editorial change:
- AC020.3: I was told that it was better to use "user" instead of
  "consumer", because it was more general (at least in US law):
|          + AC020.3 The Web Services Architecture MUST enable a user
|            to access a Web Service's advertised privacy policy
|            statement.
- it seems that AC020.[1235] are more requirements than CSFs; it
  probably would be better to name them AR020.[1235].

So we need to get consensus on the proposed D-AC020.5 (or D-AR020.5).
The text reads:

|          + D-AC020.5 The Web Services Architecture MUST enable
|            delegation and propagation of privacy policy.

This requirements is trying to address the following problem: a Web
service A may use other Web services to fulfill a request. If a user U
and A do business based on a particular privacy policy P, any Web
service contacted by A in order to process U's request should not
violate P.

This is why P should be propagated along with any processing.

People seemed generally happy about this idea at the face-to-face
meeting, but I had echoes on the security task-force call that the
wording was obscure.

Maybe it comes from "delegation", which is actually confusing me too.
What about (two choices):

  The Web Services Architecture MUST enable propagation of privacy
  policy [during delegation of processing | across Web services].

Well, it's not crystal clear either, but we can use that as a starting
point.

Regards,

Hugo

  1. http://www.w3.org/2002/ws/arch/2/06/wd-wsa-reqs-20020605.html#AC020
  2. http://www.w3.org/2002/ws/arch/2/06/f2f-minutes#Review
-- 
Hugo Haas - W3C
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - tel:+1-617-452-2092

Received on Monday, 22 July 2002 16:43:17 UTC