Subject: RE: [wsrp-security] [wsrp][security] minutes from last call and agenda for 7/24 telecon


<mc> comments below 

-----Original Message-----
From: Thomas Schaeck [mailto:SCHAECK@de.ibm.com]
Sent: Tuesday, July 23, 2002 12:53 PM
To: Cassidy, Mark
Cc: 'wsrp-security@lists.oasis-open.org'
Subject: Re: [wsrp-security] [wsrp][security] minutes from last call and agenda for 7/24 telecon



I think P3P should not impact the WSRP protocol; it addresses the
interaction between user agents and servers directly accessed by the user
agent but doesn't address intermediaries, right? If this is the case, we
should not extrapolate P3P and not tie WSRP with P3P.
<mc> P3P is pretty loose about what constitutes a user agent; it gives as an
example that user agents can be built into proxy servers, which could be
considered a type of intermediary scenario.  I'm not advocating at this
point that P3P should be factored into the WSRP protocol, I'm just pointing
out that WSRP producers and consumers appear to have a reasonable
correlation to P3P servers and user agents.  


In legal terms, I think in any case the portal/consumer a user registers
with is responsible/liable for whatever happens with that user's personal
data. As a result I think the owner of a portal using a producer and
passing data would need a legally binding contract with the producer
regulating what the producer may do with any transmitted user information.
I think just technically exchanging P3P information a producer may or may
not adhere to is not sufficient.
<mc> No disagreement about the value/importance of having a legal contract
between producer and consumer.  I also agree that the consumer is ultimately
responsible for what happens with the user's personal data.  Supposing
though that a producer did have P3P policies for its content/services.
Without having those policies exposed to the end user, there would be no way
for an end user to make choices about which personal data they want to share
based on the service.  Essentially, they would have a set of preferences
they establish with the consumer regarding their personal data that is
static and applied uniformly across all services.  I'm not saying that's
necessarily a bad thing, just an artifact of not exposing P3P policies.
  

For data gathered by the producer's UI, it should be the producer's
responsibility to display its privacy policies (i.e. the producer renders
the markup for the producer policy). This might e.g. be done inline or by
using pop-up windows, transparently for the consumer. The consumer would
indirectly display markup for the policy of the producer, but would not
need to be aware of the semantics.
<mc> understood and agreed. 

Whether or not the consumer supports P3P is irrelevant to the WSRP
protocol; that is only one particular way in which the consumer may subset
the amount of user profile info being passed to producers.
<mc> I agree with the latter statement.  Going back to my comment above, I
would disagree with the former *if* there is a requirement to give the end
user flexibility to decide which personal data to share based on what the
service is.  From a pragmatic point of view though, I don't think such
flexibility is important enough to introduce added requirements/complexity
to the protocol.

Best regards,

Thomas



"Cassidy, Mark" <mcassidy@Netegrity.com> on 07/23/2002 08:46:16 PM

To:    "'wsrp-security@lists.oasis-open.org'" <wsrp-security@lists.oasis-open.org>
cc:
Subject:    [wsrp-security] [wsrp][security] minutes from last call and agenda for 7/24 telecon



Attached are the minutes from the 7/10 telecon.  As noted in the minutes, I
took an action to review existing standards for user profile data and see
what we can re-use.  Attached is a document that gives a rough comparison of
the userdata attributes defined in various standards:  passport, vcard &
x.520, rfc2256 (LDAPv.3).  I reviewed the Liberty docs and it turns out that
those specs do not define any standard userdata attributes; that's left for
a later rev of the spec.  Turns out that P3P has a pretty good userdata
schema defined and my recommendation is to adopt this for WSRP's user
profile data object.

Agenda for tomorrow's call then will be:

1.  review/discussion of user profile data comparison document
2.  P3P impacts on WSRP protocol (see followup comments in minutes from last
telecon)

If time permits, we can pick up the discussion on role scoping and
how/whether roles and profile are related.


Call logistics:
Time:  8:00 a.m. PST(11:00 a.m. EST, 5:00 p.m. CET)
Reservationless-Plus Toll Free Dial-In Number: 877.450.3529
Reservationless-Plus International Dial-In Number: +1.706.679.6653
Conference Code: 4254674195

 <<wsrp security minutes 710 .htm>>  <<profiledata.htm>>