RE: WS Privacy [Was RE: Status of D-AG006]

While I agree that privacy deserves its own "slot",
I am concerned that we are expanding the scope of WSA
and WS security w/o first agreeing what features 
should be in w.r.t. following scope control criteria
expressed recently:

>I'd add to your qualitative facets of security: supporting 
>end-to-end security for both seeking and providing Web 
>Services.

and another criterion:

>And say that the security facets apply to web service 
>message exchange, interface definition and discovery?

I mentioned previously:
>In my opinion privacy policies are web services application 
>dependent and is part of the domain of the web services 
>operation environment. Confidentiality policies need to be 
>addressed between a web services producer and consumer. 

My proposal is that we limit any features/reqmnts that do
not fall under the above scope control criteria. Some features
may need to be addressed post WSA 1.0 outputs.

We should agree about the criteria that will get certain
features in and certain deferred, or out.

Zahid Ahmed 
Commerce Security Architect 
Commerce One, Inc.
408-517-3903
 



-----Original Message-----
From: Joseph Hui [mailto:jhui@digisle.net]
Sent: Thursday, March 14, 2002 6:43 PM
To: Hugo Haas
Cc: www-ws-arch@w3.org
Subject: WS Privacy [Was RE: Status of D-AG006]


Hugo,

Thanks for coming forward.
(I was beginning to wonder if people got carried
away with their own interpretations of Privacy, say
incognito == incommunicado. :-)

To me, what you said clearly re-affirms that Privacy
deserves its own goal, separate from Security a la D-AG006.

Incidentally, I think the "protection against tracking
of users" use case you mentioned fits the Aaxx and xaxx
scenarios in the Privacy tabulation embedded in the
following (indented) Privacy text I've snagged from [1].
(I'm adding Aaxx in order to capture your example fully.)
 
   <Privacy_Text_snagged_from_[1]>
   We need to pin down what Privacy is supposed to mean in our
   WS-Arch first.  Was it tided over from P3P?

   I'm of the opinion that Privacy should be separate from Security.

   Mindful of a privacy role in commercial transactions, I've
   tabulated a set of scenarios where "privacy" is synonymous with
   "anonymity," i.e. hiding one's identity from others.  (Note that
   hiding one's data/message from others is Confidentiality, which
   we already address in the Security section.)

   Here's a web service model involving Alice as the provider and
   Bob as the consumer.  Alice is aka "A" to the public and "a" to Bob.
   Bob is aka "B" to the public and "b" to Alice.  Both Alice and Bob
   are members of the public.

   A privacy tabulation:

   AaBb: no anonymity (ACLU's nightmare ;-)
         The IDs of Alice and Bob are publicly known.
         Alice and Bob know each other's IDs.

   Aaxb: partial anonymity
         Alice's ID is publicly known.
         Bob's ID is not publicly known.
         Alice and Bob know each other's IDs.

   Aaxx: partial anonymity
         Alice's ID is publicly known.
         Alice's ID is known to Bob.
         Bob's ID is not publicly known.
         Bob's ID is not known to Alice.
         (Aaxx is added to capture the
          protection-against-tracking-of-user
          case in Hugo's comment in [2].)

   xaxb: partial anonymity
         Alice's ID is not publicly known.
         Bob's ID is not publicly known.
         Alice and Bob know each other's IDs.

   xaxx: partial anonymity
         Alice's ID is not publicly known.
         Bob's ID is not publicly known.
         Bob's ID is not known to Alice.


   xxxb: partial anonymity
         Alice's ID is not publicly known.
         Bob's ID is not publicly known.
         Alice's ID is not known to Bob.
         (Buyer doesn't know seller.  Escrow may be needed.)
         Bob's ID is known to Alice.  (Seller knows buyer.)

   xxxx: total anonymity (drug dealers' dreams come true ;-)
         Alice's ID is not publicly known.
         Bob's ID is not publicly known.
         Bob's ID is not known to Alice.  (Seller doesn't know buyer.)
         Alice's ID is not known to Bob.  (Buyer doesn't know seller.)

   My math says I can make (4**2) sixteen combinations out of AaBb.
   I've only picked out what I think are the interesting ones in this
   rough cut.  Please feel free to add.

   If we're on track with the privacy definition (in our WS-Arch
   context), then we may start picking some from the tabulation to
   throw into a "bucket," so later we can use them for requirements.
   </Privacy_Text_snagged_from_[1]>

Now, looks like we've got two bits in the bucket.
So the time is right for someone to champion for it.
(Hugo shouldn't get stuck with this if he doesn't care to
volunteer.  More work is no way to reward good deeds.
Where are the privacy advocates when we need them, huh? ;-)

Well, in light of the scanty responses on Privacy,
my take is the following.

It would be great if someone picks up Privacy and runs with it.
If not, then we need to start preparing for its eventuality.
IMHO, it's alright that we don't swing our bat at every pitch.
Privacy's beginning to look like a wild pitch, to me at least. 

Here's one exit strategy we may consider,
comprising two options:
   1) punt Privacy to AG0016, e.g. doc it as a "gap"; or
   2) delete it from the charter.  

Option 1 ruins our chances to flunk AG0016, the one
goal that we should strive for its failure. ;-)
Option 2 comes across as traumatic.
Either is workable; neither is palatable.
New proposals are welcome.  
(Please, no quixotic one-liners.
Accompany your proposal with analysis/reasoning.)
 
So to Privacy,
cheers,

Joe Hui
Exodus, a Cable & Wireless service

[1] http://lists.w3.org/Archives/Public/www-ws-arch/2002Mar/0136.html
======================================================================
> -----Original Message-----
> From: Hugo Haas [mailto:hugo@w3.org]
> Sent: Thursday, March 14, 2002 11:31 AM
> To: www-ws-arch@w3.org
> Subject: Re: Status of D-AG006
> 
> 
> * Joseph Hui <jhui@digisle.net> [2002-03-13 14:53-0800]
> > Privacy:
> > Privacy can mean different things in different contexts.
> > We had no clue how it got into the charter to begin with.
> > We tried to get a clarification from anyone who might give
> > a definition of what privacy as stated next to security in
> > the WG charter was supposed to mean in the context of WS 
> > architecture.  Nobody's come forward yet.
> > An educated guess, coupled with a tabulation of some possible
> > privacy scenarios where "privacy" was presumed to be synonymous
> > with "anonymity," was set up to troll for responses.  No luck
> > there.  So, unless someone comes forward to stake out a
> > position for privacy, it may not get addressed in WS-Arch.
> > As of now, it's fair to presume privacy work, if any is to
> > be done at all in W3C's WS-Arch, will not be done under the
> > auspices of D-AG006.
> 
> Due to a huge email backlog, I might have missed that, but I haven't
> seen the thread where it was discussed.
> 
> Anyway, with Web service composition, long running transactions,
> maintenance of a context for operations involving several parties, I
> think that privacy (protection against tracking of users, etc) is
> important. One can think for example of the use of P3P[1] in the
> context of Web services.
> 
> Regards,
> 
> Hugo
> 
>   1. http://www.w3.org/P3P/
> -- 
> Hugo Haas - W3C
> mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - 
> tel:+1-617-452-2092
> 
> 
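The "AaBb" tabulation in Joe Hui's message above is a four-facet space (Alice/Bob publicly known, Alice/Bob known to the counterparty). This added example, not code from the thread, enumerates all sixteen combinations, classifies them by the tabulation's own anonymity levels, and reports which consistent scenarios the rough cut left out. The consistency rule (a publicly known ID is also known to the counterparty, since both are members of the public) and the scenario strings are my reading of the text, not something the message states as a rule.

```python
from itertools import product

# The four disclosure facets behind the "AaBb" notation, in string order:
#   A: Alice's ID is publicly known     a: Alice's ID is known to Bob
#   B: Bob's ID is publicly known       b: Bob's ID is known to Alice
# A letter means "known"; 'x' means "not known".
FACETS = "AaBb"
SENTENCES = [
    ("Alice's ID is publicly known.", "Alice's ID is not publicly known."),
    ("Alice's ID is known to Bob.", "Alice's ID is not known to Bob."),
    ("Bob's ID is publicly known.", "Bob's ID is not publicly known."),
    ("Bob's ID is known to Alice.", "Bob's ID is not known to Alice."),
]
# The seven scenarios picked out in the message above.
TABULATED = ["AaBb", "Aaxb", "Aaxx", "xaxb", "xaxx", "xxxb", "xxxx"]

def all_scenarios():
    """All 4**2 = 16 combinations, from 'AaBb' down to 'xxxx'."""
    return ["".join(f if known else "x" for f, known in zip(FACETS, bits))
            for bits in product([True, False], repeat=4)]

def is_consistent(scenario):
    """Assumption (drawn from 'both are members of the public'): an ID the
    public knows is also known to the counterparty, so A implies a, B implies b."""
    a_pub, a_to_bob, b_pub, b_to_alice = (c != "x" for c in scenario)
    return (a_to_bob or not a_pub) and (b_to_alice or not b_pub)

def anonymity_level(scenario):
    """All four facets known -> none; none known -> total; otherwise partial."""
    known = sum(c != "x" for c in scenario)
    if known == 4:
        return "no anonymity"
    if known == 0:
        return "total anonymity"
    return "partial anonymity"

def describe(scenario):
    """Render one scenario in the same shape as the tabulation entries."""
    body = [SENTENCES[i][0 if c != "x" else 1] for i, c in enumerate(scenario)]
    return f"{scenario}: {anonymity_level(scenario)}\n" + "\n".join(
        "      " + line for line in body)

def untabulated_consistent():
    """Consistent scenarios the rough cut did not list: the 'feel free to add'."""
    return [s for s in all_scenarios()
            if is_consistent(s) and s not in TABULATED]

if __name__ == "__main__":
    for s in untabulated_consistent():
        print(describe(s))
```

Under that rule only nine of the sixteen combinations are possible, and the two the tabulation does not list are the cases where Bob's ID is public but Alice's is not.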

Received on Thursday, 14 March 2002 22:03:40 UTC