RE: AG004 Closure Sought from Joseph Hui on 2002-07-23 (www-ws-arch@w3.org from July 2002)

From: Joseph Hui <Joseph.Hui@exodus.net>
Date: Mon, 22 Jul 2002 20:14:16 -0700
To: "Hugo Haas" <hugo@w3.org>, <www-ws-arch@w3.org>
Cc: "Rigo Wenning" <rigo@w3.org>
Message-ID: <45258A4365C6B24A9832BFE224837D551D1CC3@SJDCEX01.int.exodus.net>

Hugo,

Frankly I could happily and still can live with
the original wording of D-AR020.5.
It floated quite naturally, as opposed to the
"new and improved" version, which comes across
as, well: overworked. :-)

Joe Hui
Exodus, a Cable & Wireless service
===================================== 

-----Original Message-----
From:	Hugo Haas [mailto:hugo@w3.org]
Sent:	Mon 7/22/2002 1:43 PM
To:	www-ws-arch@w3.org
Cc:	Rigo Wenning
Subject:	Re: AG004 Closure Sought


[ Copying Rigo Wenning since the proposal originated from a discussion
  I had with him. ]

* Joseph Hui <Joseph.Hui@exodus.net> [2002-07-14 23:39-0700]
> 5) Privacy requirements to be solidified.
>    During the last F2F we did not get around to finalize
>    the verbiage for the Privacy req's.  So there seems
>    to be still considerable req-related work to be done.

Joseph asked me to champion AC020[1].

At the last face-to-face meeting[2], we accepted AC020, AC020.1,
AC020.2, AC020.3, rejected AC020.4, and proposed AC020.5

I would like to request two minor editorial change:
- AC020.3: I was told that it was better to use "user" instead of
  "consumer", because it was more general (at least in US law):
|          + AC020.3 The Web Services Architecture MUST enable a user
|            to access a Web Service's advertised privacy policy
|            statement.
- it seems that AC020.[1235] are more requirements than CSFs; it
  probably would be better to name them AR020.[1235].

So we need to get consensus on the proposed D-AC020.5 (or D-AR020.5).
The text reads:

|          + D-AC020.5 The Web Services Architecture MUST enable
|            delegation and propagation of privacy policy.

This requirements is trying to address the following problem: a Web
service A may use other Web services to fulfill a request. If a user U
and A do business based on a particular privacy policy P, any Web
service contacted by A in order to process U's request should not
violate P.

This is why P should be propagated along with any processing.

People seemed generally happy about this idea at the face-to-face
meeting, but I had echoes on the security task-force call that the
wording was obscure.

Maybe it comes from "delegation", which is actually confusing me too.
What about (two choices):

  The Web Services Architecture MUST enable propagation of privacy
  policy [during delegation of processing | across Web services].

Well, it's not crystal clear either, but we can use that as a starting
point.

Regards,

Hugo

  1. http://www.w3.org/2002/ws/arch/2/06/wd-wsa-reqs-20020605.html#AC020
  2. http://www.w3.org/2002/ws/arch/2/06/f2f-minutes#Review
-- 
Hugo Haas - W3C
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - tel:+1-617-452-2092

Received on Monday, 22 July 2002 23:14:04 UTC