P3P and web services

Dear Web Services Architecture Working Group,

I would like to bring to your attention the concerns that
the P3P working group has raised previously to the
the xmlp and ws-cg. We have now been told that our
concerns would most appropriately be addressed by
your group. In summary, our concern is that we need
somebody to specify  how a P3P policy can be associated
with a SOAP message. I am forwarding the relevant
messages from our previous conversation on this topic
for more details. Our original concerns are expressed in
http://lists.w3.org/Archives/Public/xmlp-comments/2002Jul/0031.html

We believe that given that web services deployment
efforts are already underway, we need to move forward
with specifying how to use P3P with web services as soon
as possible.  We do not believe this will be a time consuming effort.

Regards,

Lorrie Cranor
P3P Specification Working Group Chair


----- Original Message -----
From: "David Fallside" <fallside@us.ibm.com>
To: "Lorrie Cranor" <lorrie@research.att.com>
Cc: <xmlp-comments@w3.org>; <www-ws-cg@w3.org>; "P3P Specification Group"
<w3c-p3p-specification@w3.org>; "Hugo Haas" <hugo@w3.org>
Sent: Wednesday, October 16, 2002 12:41 PM
Subject: Re: XMLP WG Issue 240 Resolution


> Lorrie, as you requested, I will put your issue on the WS CG's next telcon
> agenda. I think the crux of this issue is that someone needs to take on
the
> work of actually demonstrating and specifying how a policy is associated
> with a SOAP meesage.
> Regards,
> David
>
> ...........................................
> David C. Fallside, IBM
> Ext Ph: 530.477.7169
> Int  Ph: 544.9665
> fallside@us.ibm.com
>
>
>
> Wednesday, October 16, 2002 10:28 AM
> To: "Hugo Haas" <hugo@w3.org>
> cc: <xmlp-comments@w3.org>, <www-ws-cg@w3.org>, "P3P Specification Group"
> <w3c-p3p-specification@w3.org>
> From: "Lorrie Cranor" <lorrie@research.att.com>
> Subject: Re: XMLP WG Issue 240 Resolution
>
>
>
>
> While I am quite glad to see the presence of AC020 in the
> web services architecture requirements document, I have
> two concerns:
>
> 1) We understood the XMLP requirement to mean that specific
> mechanisms would be specified, while the working group
> has instead intepreted it to mean simply to create a spec
> which would make it possible for someone else to specify
> specific mechanisms. Since AC020 uses the term "enable"
> I fear that this requirement may be interpreted in a similar
> way, and it might be argued that the requirement has already
> been met since nothing in the proposed architecture
> prevents mechanisms from being built to do these things -- there
> for it enables privacy protection. Therefore, I would like to see
> a requirement that actually mandates that a working group
> create something rather than just develop an architecture
> absent of obstacles to the future creation of something.
>
> 2) I am concerned about your statement "the Web
> Services Architecture Working Group will tackle the problem, or at
> least place some requirements on a Working Group which will craft a
> concrete solution to it." I think that it is important that privacy
> get built into web services sooner than later. Privacy protection
> can be relatively easy to build into systems when it is built
> in from the beginning, while retrofitting systems later tends
> to make it more expensive. Since web services technology
> is already being deployed, we need to get privacy built into
> it as soon as possible. We need someone to take on this
> task in the short term, and not leave open the possibility
> that a working group will think about this for a while and then
> delegate it to another working group.
>
> Lorrie
>
>
> ----- Original Message -----
> From: "Hugo Haas" <hugo@w3.org>
> To: "Lorrie Cranor" <lorrie@research.att.com>
> Cc: <xmlp-comments@w3.org>; <www-ws-cg@w3.org>; "P3P Specification Group"
> <w3c-p3p-specification@w3.org>
> Sent: Wednesday, October 16, 2002 11:33 AM
> Subject: Re: XMLP WG Issue 240 Resolution
>
>
> > Hi Lorrie.
> >
> > * Lorrie Cranor <lorrie@research.att.com> [2002-10-16 09:40-0400]
> > > The P3P Specification working group is not satisfied with
> > > the resolution to issue 240 [2]. We do not believe the XMLP
> > > group has met the requirement that it be possible "to associate
> > > a P3P Privacy Policy with an XMLP message." Nonetheless,
> > > given that the XMLP working group does not believe that
> > > further work on this issue is within their charter, we would
> > > be satisfied if the issue would be assigned to another web
> > > services working group which does have a charter that
> > > permits it to work on this.
> > >
> > > The P3P Specification working group hereby requests that
> > > the issue we raised with the XMLP group in [2]
> > > be considered by the WS CG so that a process can be
> > > put in place by which this issue can be resolved. It is critical
> > > that this issue not fall between the cracks simply because
> > > no group believes it fits within their charter. The P3P
> > > Specification working group would be happy to assist one
> > > of the web services groups in resolving this issue. Perhaps
> > > this issue could be resolved most expediantly by appointing
> > > a cross-group task force that inclues a couple of members
> > > from the P3P group and a couple of members from one of the
> > > web services groups.
> >
> > To understand the issue a little better, how does your request relate
> > to the Web services architecture requirement AR020.5[3]:
> >
> >   The WSA must enable delegation and propagation of privacy policy.
> >
> > It seems that this requirement covers this, and therefore that the Web
> > Services Architecture Working Group will tackle the problem, or at
> > least place some requirements on a Working Group which will craft a
> > concrete solution to it.
> >
> > AR020.5 came out of the following scenario, which needs to be
> > integrated into the Web Services Architecture Usage Scenarios
> > document:
> >
> >   http://lists.w3.org/Archives/Public/www-ws-arch/2002Jul/0368.html
> >
> > This scenario doesn't explicitely call out for a P3P policy concretely
> > traveling along with a message, but I think that it covers the
> > situations.
> >
> > Regards,
> >
> > Hugo
> >
> >   3. http://www.w3.org/TR/2002/WD-wsa-reqs-20021011#AC020
> > --
> > Hugo Haas - W3C
> > mailto:hugo@w3.org - http://www.w3.org/People/Hugo/
> >

Received on Monday, 9 December 2002 14:26:28 UTC