

Subject: RE: [wsia][wsrp-interfaces] userHandle


Please pass this to the wsrp-interfaces list.

You should be aware that you will eventually, and inevitably, be 
dealing with levels or layers of profile information, some of which 
can only be released by the end-user and may include a requirement 
that it not be maintained separately from end-user beyond session. 
Enforcement of such is, of course, rather difficult, though, no doubt 
breaking trust may entail its own penalties, which can be enforced by 
the end-user creating a rule for its own system disallowing consumers 
who break trust from access to their profiles, or there may evolve a 
system whereby single-sign-on authentication providers are informed 
of such behavior and requested to deny access to any profile 
information for consumers who break trust. Depending on how egregious 
misbehavior gets, and it is pretty reprehensible on email lists now, 
such penalties are inevitable, and in their own turn will provide 
opportunities for abuse from malicious end-users.

We are finally getting down to brass tacks wrt profile info. I'm 
afraid it is a Pandora's box inside a can of worms wrapped by several 
conundra. We can't base our work on pre-empting misbehavior, but we 
live in a world full of it so we must also make some allowance for 
it, so if there is a way, beyond security per se, in which we can 
discourage such, it would be wise to do so at this point in the 
process. Requiring callbacks and final notification when session 
info is destroyed up the chain may be a good idea, regardless of the 
overhead in terms of performance.

Ciao,
Rex

At 4:58 PM -0700 7/15/02, Alan Kropp wrote:
>I'm not sure I agree.  I tend to think some profile information may be
>properly scoped at the request level.  I don't have any good examples
>though...roles maybe?
>
>To Yossi's point about a separate profile structure.  I don't think our
>factored structures should be nested, nor should there be stored
>"references" in one structure to another (is that what the userHandle is
>for?).  I think that would be too much complexity for too little gain.  I'd
>rather see longer signatures/return tuples on the operations.
>
>
>
>-----Original Message-----
>From: Rich Thompson [mailto:richt2@us.ibm.com]
>Sent: Monday, July 15, 2002 11:13 AM
>To: wsia@lists.oasis-open.org; wsrp-interfaces@lists.oasis-open.org
>Subject: [wsia][wsrp-interfaces] userHandle
>
>
>
>The security subgroup has been talking about how/when the user profile is
>transferred/referenced. The last proposal I heard was that this reference
>was not needed as once the profile is transferred, the entity may refer to
>it in its opaque state in any manner it wishes. As to what profile elements
>and when to transfer them, it has been proposed to use properties to
>indicate what profile elements and have the Consumer set these properties
>on or before the first getMarkup() invocation.
>
>
>"Tamari, Yossi" <yossi.tamari@sap.com>
>07/15/2002 12:47 PM
>To: wsia@lists.oasis-open.org, wsrp-interfaces@lists.oasis-open.org
>cc:
>Subject: RE: [wsia][wsrp-interfaces] Refactoring the data objects
>
>See my comments marked with [YT].
>(Most of them are in Appendix A, since it seems Appendix A is the real
>definition of the spec, which I think is wrong, and is a result of what
>Rich mentioned below about the obscurity of the interface.)
>
>The endless debate about putting WSIA concepts in the WSRP standard is
>still there...
>
>       Yossi.
>
>-----Original Message-----
>From: Rich Thompson [mailto:richt2@us.ibm.com]
>Sent: Friday, July 12, 2002 9:09 PM
>To: wsia@lists.oasis-open.org; wsrp-interfaces@lists.oasis-open.org
>Subject: [wsia][wsrp-interfaces] Refactoring the data objects
>
>
>As requested in Tuesday's Joint interfaces call, I have reworked the draft
>spec in an effort to factor the data items into the scopes presented at the
>June F2F. Personally I think this obscures too much and that some of the
>data items should move up to first class parameters in the interface.
>Hopefully this version can provide a reasonable basis for a discussion of
>which items should be promoted either for clarity or as part of supporting
>any factoring of the operations.
>
>Technical note: In order to make this readable but yet leave an indication
>of what was modified, I accepted the changes and then appended a space on
>the end of changed lines so that a change bar will appear on the left. So
>much changed in Appendix A that it all should be considered modified.
>
>(See attached file: WSIA - WSRP Interface Specification.doc)
>
>
>
>
>#### WSIA - WSRP Interface Specification1.doc has been removed from this
>note on July 15 2002 by Rich Thompson
>
>
>
>
>
>----------------------------------------------------------------
>To subscribe or unsubscribe from this elist use the subscription
>manager: <http://lists.oasis-open.org/ob/adm.pl>
>

