Subject: RE: [wsrp-security] [wsrp][security] minutes from last call and agenda for 7/24 telecon
<mc> comments below

-----Original Message-----
From: Thomas Schaeck [mailto:SCHAECK@de.ibm.com]
Sent: Tuesday, July 23, 2002 12:53 PM
To: Cassidy, Mark
Cc: 'wsrp-security@lists.oasis-open.org'
Subject: Re: [wsrp-security] [wsrp][security] minutes from last call and agenda for 7/24 telecon

I think P3P should not impact the WSRP protocol; it addresses the interaction between user agents and servers directly accessed by the user agent but doesn't address intermediaries, right? If this is the case, we should not extrapolate P3P and not tie WSRP with P3P.

<mc> P3P is pretty loose about what constitutes a user agent; it gives as an example that user agents can be built into proxy servers, which could be considered a type of intermediary scenario. I'm not advocating at this point that P3P should be factored into the WSRP protocol, I'm just pointing out that WSRP producers and consumers appear to have a reasonable correlation to P3P servers and user agents.

In legal terms, I think in any case the portal/consumer a user registers with is responsible/liable for whatever happens with that user's personal data. As a result I think the owner of a portal using a producer and passing data would need a legally binding contract with the producer regulating what the producer may do with any transmitted user information. I think just technically exchanging P3P information a producer may or may not adhere to is not sufficient.

<mc> No disagreement about the value/importance of having a legal contract between producer and consumer. I also agree that the consumer is ultimately responsible for what happens with the user's personal data. Supposing though that a producer did have P3P policies for its content/services. Without having those policies exposed to the end user, there would be no way for an end user to make choices about which personal data they want to share based on the service. Essentially, they would have a set of preferences they establish with the consumer regarding their personal data that is static and applied uniformly across all services. I'm not saying that's necessarily a bad thing, just an artifact of not exposing P3P policies.

For data gathered by the producer's UI, it should be the producer's responsibility to display its privacy policies (i.e. the producer renders the markup for the producer policy). This might e.g. be done inline or by using pop-up windows, transparently for the consumer. The consumer would indirectly display markup for the policy of the producer, but would not need to be aware of the semantics.

<mc> understood and agreed.

Whether or not the consumer supports P3P is irrelevant to the WSRP protocol; that is only one particular way how the consumer may subset the amount of user profile info being passed to producers.

<mc> I agree with the latter statement. Going back to my comment above, I would disagree with the former *if* there is a requirement to give the end user flexibility to decide which personal data to share based on what the service is. From a pragmatic point of view though, I don't think such flexibility is important enough to introduce added requirements/complexity to the protocol.

Best regards,
Thomas

"Cassidy, Mark" <mcassidy@Netegrity.com> on 07/23/2002 08:46:16 PM
To: "'wsrp-security@lists.oasis-open.org'" <wsrp-security@lists.oasis-open.org>
cc:
Subject: [wsrp-security] [wsrp][security] minutes from last call and agenda for 7/24 telecon

Attached are the minutes from the 7/10 telecon. As noted in the minutes, I took an action to review existing standards for user profile data and see what we can re-use. Attached is a document that gives a rough comparison of the userdata attributes defined in various standards: passport, vcard & x.520, rfc2256 (LDAPv.3). I reviewed the Liberty docs and it turns out that those specs do not define any standard userdata attributes; that's left for a later rev of the spec. Turns out that P3P has a pretty good userdata schema defined and my recommendation is to adopt this for WSRP's user profile data object.

Agenda for tomorrow's call then will be:
1. review/discussion of user profile data comparison document
2. P3P impacts on WSRP protocol (see followup comments in minutes from last telecon)

If time permits, we can pick up the discussion on role scoping and how/whether roles and profile are related.

Call logistics:
Time: 8:00 a.m. PST (11:00 a.m. EST, 5:00 p.m. CET)
Reservationless-Plus Toll Free Dial-In Number: 877.450.3529
Reservationless-Plus International Dial-In Number: +1.706.679.6653
Conference Code: 4254674195

<<wsrp security minutes 710 .htm>> <<profiledata.htm>>