W3CTechnology and Society

[Workshop Homepage] [Participants] [Position Papers] [Agenda] [Minutes]

Future of P3P Workshop

November 12, 2002

Identity Management and Negotiation

Ari Schwartz

- Should we be doing outreach with the other groups to make sure that we're not recreating the wheel. While we've been very Web focused, maybe the future is far more expansive than that.

Connor Cahill

- From AOL but representing the Liberty Alliance. Liberty released their first spec in July. Phase one is very limited and deals only with whether the same user has come back. The model we're working with is to assure that the containers have the ability to contain user requests. But they thought that any one type of rights expressive language would be limited. So, these containers can hold a few languages.

There may be a public release first quarter 2003.

Christine Varney

- Liberty has three expert working groups Marketing, Public Policy Expert Group. The public policy group is where they raise these issues. We've spent a lot of time trying to find out whether there's a language that we could just plug in. E.G. HIPAA has its own rules, EU has rules, GLB may have rules. They developed containers that you could insert whatever language was appropriate. P3P is most mature of the rules sets. Liberty is interested in how we can work to get to the next level of commercial deployment. The overview document for version 2.0 will have specific guidelines.

Lorrie Connor

stated that it would be ideal that those guidelines be co-authored by Liberty and W3C.

Danny Weitzner

- How can we sit down and work together?

Christine Varney

-There may be no "Liberty" brand and Sun has released a document that is public. We want to have an interop event before final release.

This organization is a year old. As the organization is maturing they are trying to figure out how to incorporate feedback. To bring in affiliate you can sign up but we're working toward getting affiliate participation more robust.

Danny Weitzner

- the W3C has no ability to sign NDA's so cannot help until the spec is public.

Lorrie Crannor

- Negotiation protocol would be defined by liberty but otherwise would be left up to whatever you placed in that container.

Matthias Schunter

- IBM has a commitment to open standards approaches and will you move it into that process?

Christine Varney

- Said that is a subject of much discussion and we may know after the release of 2.0.

Lorrie Cranor

- Some people believe that it's a standards body and there are costs involved in all standards bodies -- but some people feel that the breadth of membership is not what some would like.

Bill Duserick

- Fidelity is a member of the Liberty Alliance and supports authentication. It is an important issue.

Wolfgang Woerndl

- What about using APPEL to create access control? We're trying to address problems of managing different identities. Hopefully, my position paper will influence the Liberty Alliance project. One thing that we could think about is some way to allow access at some level of anonymity.

Giles Hogben

- European Commission Joint Research Center -- Negotiation is a non-starter in the EU because privacy is not a matter of negotiation.

You must combine privacy policies of P3P with something like Xforms. Xforms allows you to say "I need your email address."

Lorrie Cranor

- On redrafting APPEL sepcifcation. It never became a W3C spec -- it's still in draft mode.


- CCPP versus XFORMS. When you have a forms field XFORMS may be better but in the mobile environment maybe not.

Lorrie Cranor

- The concept of a consent mechanism is stripped. What about a lite mechanism that simply says "The user agrees."

Connor Cahill

- The Liberty specs are developed to work well within Enterprise. Some may go forward without the rights part in place. In an Enterprise situation, it often is internal. But it would work best if the rights part is in place.

Christine Varney

- The first inter-enterprise implementation will be done by companies with agreements that are governed by contracts. The first test cases will be contract governing the data transfer.

- The really difficult issue are two orthree versions away.

[Workshop Homepage] [Participants] [Position Papers] [Agenda] [Minutes]

Last update $Date: 2002/11/29 17:36:03 $ by $Author: rigo $