Re: WS Privacy [Was RE: Status of D-AG006] from Hugo Haas on 2002-03-20 (www-ws-arch@w3.org from March 2002)

From: Hugo Haas <hugo@w3.org>
Date: Wed, 20 Mar 2002 11:29:24 -0500
To: www-ws-arch@w3.org
Message-ID: <20020320162923.GA3477@jibboom.w3.org>

Hi Joe and Zahid.

* Joseph Hui <jhui@digisle.net> [2002-03-14 18:43-0800]
[..]
> It would be great if someone picks up Privacy and run with it.
> If not, then we need to start preparing for its eventuality.
> IMHO, it's alright that we don't swing our bat at every pitch.
> Privacy's beginnig to look like a wild pitch, to me at least. 
> 
> Here's one exist strategy we may consider,
> comprising two options:
>    1) punt Privacy to AG0016, e.g. doc it as a "gap"; or
>    2) delete it from the charter.  
> 
> Option 1 ruins our chances to flunk AG0016, the one
> goal that we should strive for its failure. ;-)
> Option 2 comes across as traumatic.
> Either is workable; neither is palatable.
> New proposals are welcome.  
> (Please, no quixotic one-liners.
> Accompany your proposal with analysis/reasoning.)

I don't think that ignoring privacy is an option. Web services will
not be able to succeed for private use, as opposed to corporate use,
if privacy protection is not addressed.

Moreover, there are, in Europe for example, legal issues about
privacy. There was a legal track at XML Europe 2001, and there were
interrogations about whether Web services would meet legal
requirements (see xmlhack's report[1]). We need to ensure that the
answer is yes.

* Ahmed, Zahid <zahid.ahmed@commerceone.com> [2002-03-14 19:03-0800]
[..]
> I mentioned previously:
> >In my opinion privacy policies is web services application 
> >dependent and is part of the domain of the web services 
> >operation environment. Confidentiality policies need to be 
> >addressed between a web services producer and consumer. 
> 
> My proposal is that we limit any features/reqmnts that do
> not fall under above scope control criteria. Some features
> may need to be addressed post WSA 1.0 outputs.

Hmmm... I wonder whether security wouldn't fit into that too, since in
a way it also is Web services application dependent. Note that I am
not questioning whether we should address security, I am just trying
to legitimize privacy.

Putting privacy hooks at the right place will keep us from trouble.
I think that we need to add a goal in the spirit of D-AG0006 about
privacy:

    enables privacy protection of the consumer of a Web service
    across domains and services.

"across domains and services" refers here to the case where the
consumer interacts with a series of individual services, as part of a
transaction.

Comments?

Regards,

Hugo

  1. http://www.xmlhack.com/read.php?item=1234
-- 
Hugo Haas - W3C
mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - tel:+1-617-452-2092

Received on Wednesday, 20 March 2002 11:29:24 UTC