W3C

Use of the P3P generic attribute in WSDL 2.0

Draft $Date: 2003/12/18 18:24:05 $

This version:
http://www.w3.org/2003/12/p3p-wsdl
Previous version:
Notes about P3P and Web services
Editor:
Hugo Haas, W3C

This document is also available in these non-normative formats: XHTML version and XML version.


Abstract

This document explains how to use the P3P generic attribute with a WSDL 2.0 description in order to express a Web service's privacy policy.

Status of this Document

This document is a first draft and has no formal status.

Review from WSDL 2.0 and P3P people is welcome. Please send comments to hugo@w3.org.

Table of Contents

1 Introduction
2 Granularity of privacy policies in a service description
    2.1 WSDL 2.0 component model
    2.2 Privacy policies and components
3 Use of the P3P generic attribute in WSDL 2.0
    3.1 Semantics of the P3P generic attribute on WSDL 2.0 components
        3.1.1 Message definition
        3.1.2 WSDL 2.0's input, output, infault, outfault element information items
        3.1.3 WSDL 2.0's operation element information item
        3.1.4 WSDL 2.0's interface element information item
        3.1.5 WSDL 2.0's binding element information item
        3.1.6 WSDL 2.0's endpoint element information item
        3.1.7 WSDL 2.0's service element information item
    3.2 Resolution of policy conflicts
4 Example
5 References


1 Introduction

Just as Web sites have privacy policies, Web services are affected by privacy concerns, as shown in [P3PBH]. Users of a Web service may want to know what use the service provider is going to make of the data sent to the service before using it.

The Platform for Privacy Preferences 1.0 (P3P1.0) Specification [P3P1.0] defines a language to express and interpret policies in a machine-processable way.

The Web Services Description Language (WSDL) 2.0 [WSDL2.0] is an XML language for describing Web services. When used in combination with P3P, one can express the privacy policy of a Web service.

This document shows how to use the generic P3P attribute [P3P-att] to extend a WSDL 2.0 description to specify services' privacy policies.

2 Granularity of privacy policies in a service description

2.1 WSDL 2.0 component model

In the context of Web services, a privacy policy applies to the data which is being exchanged between the Web service requester and the Web service provider.

This data, i.e. its format and the specifics of the information exchange between the requester and the provider, is described by WSDL 2.0 using the following component model:

  • the format of the messages exchanged is described using a schema language;

  • messages are associated into interface operations forming message exchange patterns;

  • interfaces describe sets of messages that a service sends and/or receives, and are expressed as a set of interface operations;

  • bindings represent the binding of an interface, which is abstract, to a concrete message format and transmission protocol (e.g. SOAP 1.2 over HTTP/1.1);

  • endpoints are network locations (URL) at which a binding of an interface is available;

  • finally, the set of endpoints described is logically grouped into a service.

In such a model, different components may have different privacy policies applying to them.

2.2 Privacy policies and components

A privacy policy may be applied to different WSDL 2.0 components.

First, a message may contain information for which different policies apply, e.g. a DNS domain name versus a physical address versus a credit card number.

Second, the implementation of a service might be done with different privacy policies. An endpoint might be collecting private information, while another, implementing the same interface with the exact same binding, might be logging access for audit purposes; a third one, still providing the same service, may not be keeping any kind of record of the transactions processed.

Also, one might want to set the privacy policy of a particular binding to certain values, e.g. because of some characteristic of the implementation shared by all of its endpoints.

Therefore, for each component, one might want to associate a privacy policy with the data exchange described by that component.

3 Use of the P3P generic attribute in WSDL 2.0

Using WSDL 2.0's attribute-based extensibility mechanism, privacy policies can be indicated in a WSDL 2.0 document using the P3P generic attribute as defined in [P3P-att].

Editorial note
Here I am making some assumptions about what a P3P generic attribute would look like; these will have to be revisited once it exists.

The P3P generic attribute identifies the privacy policy associated with the data enclosed or represented by an element. In the case of a WSDL 2.0 service description, it indicates the privacy policy associated with the data exchange which is being represented by the element information item it is attached to, as explained in section 3.1 Semantics of the P3P generic attribute on WSDL 2.0 components.

3.1 Semantics of the P3P generic attribute on WSDL 2.0 components

The P3P generic attribute can be used on any XML element:

<!-- Extracted from an email from MSM -->
<!-- Sample attribute definition -->
<xsd:schema
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 targetNamespace="http://www.w3.org/2004/01/P3Pv11"
 >
 <xsd:annotation>
  <xsd:documentation>
   <div xmlns="http://www.w3.org/1999/xhtml">
    <p>Sample schema document for Rigo Wenning, to demonstrate
     how to declare a global attribute.</p>                   
    <p>Here, we let the attribute be called 'p3p-gen'.</p>
   </div>
  </xsd:documentation>
 </xsd:annotation>

 <xsd:attribute name="p3p-gen" type="xsd:anyURI">
  <xsd:annotation>
   <xsd:documentation>
    <div xmlns="http://www.w3.org/1999/xhtml">
     <p>The P3P-generic attribute takes a URI as its value.</p>
     <p>The meaning is that a P3P document describing the privacy
      policy relevant to this element may be found at the URI
      given.</p>
     <p>Examples: ...</p>
     <p>Other notes: ...</p>
    </div>
   </xsd:documentation>
  </xsd:annotation>
 </xsd:attribute>
</xsd:schema>

This section therefore describes the meaning of the P3P generic attribute when it is used on the components of a WSDL 2.0 description.

Editorial note 
What about the use of the attribute on features?

3.1.1 Message definition

In WSDL 2.0, a message's format is defined by an XML element declaration.

The P3P generic attribute may be used in the declaration of an XML element. If so, it associates a privacy policy with the content of the element (either simple or complex) it applies to.

3.1.2 WSDL 2.0's input, output, infault, outfault element information items

The P3P generic attribute associates a privacy policy with all data sent or received in the message referenced by the message attribute.

3.1.3 WSDL 2.0's operation element information item

On this element information item, the P3P generic attribute associates a privacy policy with all data received and/or sent through the interface operation, i.e. included in any of the (ordinary and fault) messages exchanged as part of the operation and represented by its input, output, infault and outfault child elements.

3.1.4 WSDL 2.0's interface element information item

On this element information item, the P3P generic attribute associates a privacy policy with all data received and/or sent through the interface, i.e. through all the interface operations represented by its operation children.

3.1.5 WSDL 2.0's binding element information item

On this element information item, the P3P generic attribute associates a privacy policy with all data contained in the (ordinary or fault) messages received and/or sent using this binding.

The binding element information item can specify a binding of an interface, an operation, a message reference or a fault reference.

3.1.6 WSDL 2.0's endpoint element information item

On this element information item, the P3P generic attribute associates a privacy policy with all data received and/or sent through the binding represented by its binding attribute.

3.1.7 WSDL 2.0's service element information item

On this element information item, the P3P generic attribute associates a privacy policy with all data received and/or sent by the service, i.e. through all the endpoints represented by its endpoint child elements.

3.2 Resolution of policy conflicts

Editorial note 
That should probably be handled by the P3P generic attribute spec

As shown in 2 Granularity of privacy policies in a service description, a privacy policy can be expressed on a number of components, and each component may reference other components that themselves have a privacy policy associated with them.

Editorial note 
1. Complex solution: merging

When several P3P policy files are encountered for a service (e.g. on an operation and on the interface referencing this operation), all claims made by all P3P policies applying to a particular piece of data must be taken into account by the service requester.

In case the policy files contain conflicting information, all privacy claims must be ignored.

Editorial note 
2. Simpler solution: 2 policies, fail

If, after following the rules in section 3.1 Semantics of the P3P generic attribute on WSDL 2.0 components, more than one policy applies to a piece of data, the service requester must ignore all privacy claims made about this data.

4 Example

Editorial note 
Example for the complex case

Here is an example of the use of the P3P generic attribute in a WSDL 2.0 file.

Example: Example of a WSDL 2.0 file with P3P policies
<?xml version="1.0"?>
<!-- Hopefully valid WSDL 2.0 -->
<definitions xmlns="http://www.w3.org/2003/11/wsdl"
             xmlns:myns="http://example.org/myservice"
             xmlns:mytypes="http://example.org/myservice-types"
             xmlns:p3patt="http://www.w3.org/2004/01/P3Pv11"
             xmlns:soap="http://www.w3.org/2003/06/wsdl/soap12"
             targetNamespace="http://example.org/myservice" >
  <documentation>
    Sample service definition showing the use of the P3P generic attribute
  </documentation>

  <types>
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                targetNamespace="http://example.org/myservice-types">
      <xsd:complexType name="commentStruct">
        <xsd:sequence>
          <!-- policy #1 applies to the phone number only -->
          <xsd:element name="phonenumber" type="xsd:string"
                       p3patt:p3p-gen="http://example.com/p3p-pol1.xml" />
          <xsd:element name="status" type="xsd:anyURI" />
        </xsd:sequence>
        <!-- in XML Schema, attribute declarations follow the content model -->
        <xsd:attribute name="date" type="xsd:date"
                       p3patt:p3p-gen="http://example.com/p3p-pol2.xml" />
      </xsd:complexType>
      <xsd:element name="commentReq" type="mytypes:commentStruct"/>
      <xsd:element name="commentResp" type="xsd:string"/>
    </xsd:schema>
  </types>

  <interface name="Interface">

    <operation name="Operation"
               pattern="http://www.w3.org/2003/11/wsdl/in-out">
      <input message="mytypes:commentReq"/>
      <output message="mytypes:commentResp"/>
    </operation>

  </interface>

  <binding name="Binding" interface="myns:Interface">
    <soap:binding protocol="http://www.w3.org/2003/05/soap/bindings/HTTP/"/>
  </binding>

  <service name="Service"
           interface="myns:Interface" >
    <!-- policy #3 applies to everything exchanged through this endpoint -->
    <endpoint name="Endpoint1"
              binding="myns:Binding"
              p3patt:p3p-gen="http://example.com/p3p-pol3.xml">
      <soap:address location="http://ws.example.org/myservice" />
    </endpoint>
  </service>

</definitions>

If http://example.com/p3p-pol1.xml is:

Example: Privacy policy #1
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="nice" 
     discuri="http://example.com/pol1.html"
     xml:lang="en">
  <ENTITY>
   <DATA-GROUP>
    <DATA ref="#business.name">CatalogExample</DATA>
    <DATA ref="#business.contact-info.postal.street">4000 Lincoln Ave.</DATA>
    <DATA ref="#business.contact-info.postal.city">Birmingham</DATA>
    <DATA ref="#business.contact-info.postal.stateprov">MI</DATA>
    <DATA ref="#business.contact-info.postal.postalcode">48009</DATA>
    <DATA ref="#business.contact-info.postal.country">USA</DATA>
    <DATA ref="#business.contact-info.online.email">catalog@example.com</DATA>
    <DATA ref="#business.contact-info.telecom.telephone.intcode">1</DATA>
    <DATA ref="#business.contact-info.telecom.telephone.loccode">248</DATA>
    <DATA ref="#business.contact-info.telecom.telephone.number">3926753</DATA>
   </DATA-GROUP>
  </ENTITY>
  <ACCESS><nonident/></ACCESS>
  <DISPUTES-GROUP>
   <DISPUTES resolution-type="independent"
     service="http://www.PrivacySeal.example.org"
     short-description="PrivacySeal.example.org">
    <IMG src="http://www.PrivacySeal.example.org/Logo.gif" alt="PrivacySeal's logo"/>
    <REMEDIES><money/></REMEDIES>
   </DISPUTES>
  </DISPUTES-GROUP>
  <STATEMENT>
   <PURPOSE><admin/><develop/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP>
    <DATA ref="#dynamic.http"/>
   </DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>

And if http://example.com/p3p-pol3.xml is:

Example: Privacy policy #3
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="lessnice" 
     discuri="http://example.com/pol3.html"
     xml:lang="en">
  <ENTITY>
   <DATA-GROUP>
    <DATA ref="#business.name">Invisible Corp.</DATA>
    <DATA ref="#business.contact-info.postal.street">Cloud 9</DATA>
    <DATA ref="#business.contact-info.postal.city">The sky</DATA>
    <DATA ref="#business.contact-info.online.email">invisible@example.com</DATA>
   </DATA-GROUP>
  </ENTITY>
  <ACCESS><all/></ACCESS>
  <DISPUTES-GROUP>
   <DISPUTES resolution-type="independent"
     service="http://www.PrivacySeal.example.org"
     short-description="PrivacySeal.example.org">
    <REMEDIES><correct/></REMEDIES>
   </DISPUTES>
  </DISPUTES-GROUP>
  <STATEMENT>
   <PURPOSE><contact/><telemarketing/></PURPOSE>
   <RECIPIENT><public/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP>
    <DATA ref="#user.home-info.telephonenum"/>
   </DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>

Although privacy policy #1 claims that no personal data is going to be used for purposes other than the administration of the Web service, privacy policy #3 claims that telephone numbers may be used for telemarketing.

Therefore, the phone number provided in the phonenumber element of the input message in Endpoint1, having both policy #1 and #3 applying to it, will likely be used by telemarketers.
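The resolution walked through above, as an added example that is not part of this draft: a small Python resolver that follows the component references of section 3.1 (service, endpoint, binding, interface, operation, input, then the schema element declaration) over a trimmed copy of the WSDL above, collects every p3p-gen URI that applies to one leaf element of the input message, and then applies the simpler rule of section 3.2. The attribute name p3p-gen and its namespace are the draft's own assumptions; the sample document is constructed here and the resolver only follows references inside that one document.

```python
import xml.etree.ElementTree as ET
WSDL_NS = "http://www.w3.org/2003/11/wsdl"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
P3P_GEN = "{http://www.w3.org/2004/01/P3Pv11}p3p-gen"  # attribute name as assumed by the draft
# Constructed input: trimmed copy of the draft's sample WSDL (policy #1 on phonenumber, #3 on Endpoint1)
SAMPLE_WSDL = """<definitions xmlns="http://www.w3.org/2003/11/wsdl" xmlns:myns="http://example.org/myservice"
  xmlns:mytypes="http://example.org/myservice-types" xmlns:p3patt="http://www.w3.org/2004/01/P3Pv11">
 <types><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://example.org/myservice-types">
  <xsd:complexType name="commentStruct"><xsd:sequence>
   <xsd:element name="phonenumber" type="xsd:string" p3patt:p3p-gen="http://example.com/p3p-pol1.xml"/>
   <xsd:element name="status" type="xsd:anyURI"/></xsd:sequence></xsd:complexType>
  <xsd:element name="commentReq" type="mytypes:commentStruct"/></xsd:schema></types>
 <interface name="Interface"><operation name="Operation"><input message="mytypes:commentReq"/></operation></interface>
 <binding name="Binding" interface="myns:Interface"/>
 <service name="Service" interface="myns:Interface"><endpoint name="Endpoint1" binding="myns:Binding"
   p3patt:p3p-gen="http://example.com/p3p-pol3.xml"/></service></definitions>"""

def w(tag): return "{%s}%s" % (WSDL_NS, tag)
def x(tag): return "{%s}%s" % (XSD_NS, tag)
def local(qname): return qname.split(":", 1)[-1]  # "myns:Binding" -> "Binding"
def attached(*elements):  # policy URIs carried directly by the given elements
    return {e.get(P3P_GEN) for e in elements if e is not None and e.get(P3P_GEN)}

def schema_policies(root, msg_elem, leaf_name):
    # 3.1.1: a policy on the message's element declaration covers all of its content; the leaf may add its own
    decl = root.find(".//%s[@name='%s']" % (x("element"), msg_elem))
    if decl is None:
        return set()
    ctype = root.find(".//%s[@name='%s']" % (x("complexType"), local(decl.get("type", ""))))
    leaves = [e for e in (ctype.iter(x("element")) if ctype is not None else []) if e.get("name") == leaf_name]
    return attached(decl, *leaves)

def policies_for(wsdl_xml, endpoint_name, leaf_name):
    # 3.1.2 to 3.1.7: service -> endpoint -> binding -> interface -> operation -> input -> schema element
    root, found = ET.fromstring(wsdl_xml), set()
    for service in root.iter(w("service")):
        for ep in service.iter(w("endpoint")):
            if ep.get("name") != endpoint_name:
                continue
            binding = root.find("%s[@name='%s']" % (w("binding"), local(ep.get("binding"))))
            iface = root.find("%s[@name='%s']" % (w("interface"), local(binding.get("interface"))))
            for op in iface.iter(w("operation")):
                for inp in op.iter(w("input")):
                    found |= attached(service, ep, binding, iface, op, inp)
                    found |= schema_policies(root, local(inp.get("message")), leaf_name)
    return found

def effective_policy(policies):
    # 3.2, simpler rule: one applicable policy is usable; two or more means all claims are ignored (None)
    return next(iter(policies)) if len(policies) == 1 else None
```

For phonenumber the resolver finds both policy #1 and policy #3 and therefore returns no usable policy, while status is covered by policy #3 alone.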

5 References

P3P1.0
The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, L. Cranor, M. Langheinrich, M. Marchiori, M. Presler-Marshall, J. Reagle, W3C Recommendation, 16 April 2002 (See http://www.w3.org/TR/2002/REC-P3P-20020416/.)
P3P-att
P3P generic attribute, not written yet
P3PBH
P3P: Beyond HTTP, J. Reagle, P. Hung, Task Force Report, 18 April 2003 (See http://www.w3.org/P3P/2003/p3p-beyond-http/Overview.html.)
WSDL2.0
Web Services Description Language (WSDL) Version 2.0 Part 1: Core Language, R. Chinnici, M. Gudgin, J-J. Moreau, S. Weerawarana, W3C Working Draft, 10 November 2003 (See http://www.w3.org/TR/2003/WD-wsdl20-20031110/.)