This document is also available in these non-normative formats: XHTML version and XML version.
Copyright © W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark, document use and software licensing rules apply.
This document explains how to use the P3P generic attribute with a WSDL 2.0 description in order to express a Web service's privacy policy.
This document is a first draft and has no formal status.
Review from WSDL 2.0 and P3P people is welcome. Please send comments to hugo@w3.org.
1 Introduction
2 Granularity of privacy policies in a service description
2.1 WSDL 2.0 component model
2.2 Privacy policies and components
3 Use of the P3P generic attribute in WSDL 2.0
3.1 Semantics of the P3P generic attribute on WSDL 2.0 components
3.1.1 Message definition
3.1.2 WSDL 2.0's input, output, infault, outfault element information items
3.1.3 WSDL 2.0's operation element information item
3.1.4 WSDL 2.0's interface element information item
3.1.5 WSDL 2.0's binding element information item
3.1.6 WSDL 2.0's endpoint element information item
3.1.7 WSDL 2.0's service element information item
3.2 Resolution of policy conflicts
4 Example
5 References
Just as Web sites have privacy policies, Web services are affected by privacy concerns, as shown in [P3PBH]. Before using a Web service, its users may want to know what use the service provider is going to make of the data sent to the service.
The Platform for Privacy Preferences 1.0 (P3P1.0) Specification [P3P1.0] defines a language to express and interpret policies in a machine-processable way.
The Web Services Description Language (WSDL) 2.0 [WSDL2.0] is an XML language for describing Web services. When used in combination with P3P, one can express the privacy policy of a Web service.
This document shows how to use the generic P3P attribute [P3P-att] to extend a WSDL 2.0 description to specify services' privacy policies.
In the context of Web services, a privacy policy applies to the data exchanged between the Web service requester and the Web service provider.
This data, i.e. its format and the specifics of the information exchange between the requester and the provider, is described by WSDL 2.0 using the following component model:
the format of the messages exchanged is described using a schema language;
messages are associated into interface operations forming message exchange patterns;
interfaces describe sets of messages that a service sends and/or receives, and are expressed as a set of interface operations;
bindings represent the binding of an interface, which is abstract, to a concrete message format and transmission protocol (e.g. SOAP 1.2 over HTTP/1.1);
endpoints are network locations (URL) at which a binding of an interface is available;
finally, the set of endpoints described is logically grouped into a service.
In such a model, different components may have different privacy policies applying to them, so a privacy policy may need to be attached to different WSDL 2.0 components.
First, a message may contain information for which different policies apply, e.g. a DNS domain name versus a physical address versus a credit card number.
Second, different implementations of the same service might be subject to different privacy policies. One endpoint might be collecting personal information, while another, implementing the same interface with the exact same binding, might be logging access for audit purposes; a third one, still providing the same service, may not keep any record of the transactions processed.
Also, one might want to attach a privacy policy to a particular binding, e.g. because of some characteristic of the implementation shared by all the endpoints using that binding.
Therefore, for each component, one might want to associate a privacy policy with the data exchange described by that component.
Using WSDL 2.0's attribute-based extensibility mechanism, privacy policies can be indicated in a WSDL 2.0 document with the P3P generic attribute as defined in [P3P-att].
Editorial note: Here I am making some assumptions about what a P3P generic attribute would look like; these will have to be revisited once it exists.
The P3P generic attribute identifies the privacy policy associated with the data enclosed or represented by an element. In the case of a WSDL 2.0 service description, it indicates the privacy policy associated with the data exchange which is being represented by the element information item it is attached to, as explained in section 3.1 Semantics of the P3P generic attribute on WSDL 2.0 components.
The P3P generic attribute can be used on any XML element:
<!-- Extracted from an email from MSM -->
<!-- Sample attribute definition -->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            targetNamespace="http://www.w3.org/2004/01/P3Pv11">
  <xsd:annotation>
    <xsd:documentation>
      <div xmlns="http://www.w3.org/1999/xhtml">
        <p>Sample schema document for Rigo Wenning, to demonstrate how to declare a global attribute.</p>
        <p>Here, we let the attribute be called 'p3p-gen'.</p>
      </div>
    </xsd:documentation>
  </xsd:annotation>
  <xsd:attribute name="p3p-gen" type="xsd:anyURI">
    <xsd:annotation>
      <xsd:documentation>
        <div xmlns="http://www.w3.org/1999/xhtml">
          <p>The P3P-generic attribute takes a URI as its value.</p>
          <p>The meaning is that a P3P document describing the privacy policy relevant to this element may be found at the URI given.</p>
          <p>Examples: ...</p>
          <p>Other notes: ...</p>
        </div>
      </xsd:documentation>
    </xsd:annotation>
  </xsd:attribute>
</xsd:schema>
This section therefore describes the meaning of the P3P generic attribute when it is used on the components of a WSDL 2.0 description.
Editorial note: What about the use of the attribute on features?
3.1.1 Message definition
In WSDL 2.0, a message format is defined by an XML element declaration.
The P3P generic attribute may be used in the declaration of an XML element. If so, it associates a privacy policy with the content (either simple or complex) of the element it applies to.
3.1.2 WSDL 2.0's input, output, infault, outfault element information items
On these element information items, the P3P generic attribute associates a privacy policy with all data sent or received in the message referenced by the message attribute.
3.1.3 WSDL 2.0's operation element information item
On this element information item, the P3P generic attribute associates a privacy policy with all data received and/or sent through the interface operation, i.e. included in any of the (ordinary and fault) messages exchanged as part of the operation and represented by its input, output, infault and outfault child elements.
3.1.4 WSDL 2.0's interface element information item
On this element information item, the P3P generic attribute associates a privacy policy with all data received and/or sent through the interface, i.e. through all the interface operations represented by its operation children.
3.1.5 WSDL 2.0's binding element information item
On this element information item, the P3P generic attribute associates a privacy policy with all data contained in the (ordinary or fault) messages received and/or sent using this binding.
The binding element information item can specify a binding of an interface, an operation, a message reference or a fault reference.
Editorial note: That should probably be handled by the P3P generic attribute spec.
As shown in 2 Granularity of privacy policies in a service description, a privacy policy can be expressed on a number of components, and each component references other components that might themselves have a privacy policy associated with them.
Editorial note: 1. Complex solution: merging
When several P3P policy files are encountered for a service (e.g. one on an operation and one on the interface referencing this operation), all claims made by all P3P policies applying to a particular piece of data must be taken into account by the service requester.
If the policy files contain conflicting information, all privacy claims must be ignored.
Editorial note: 2. Simpler solution: 2 policies, fail
If, after following the rules in section 3.1 Semantics of the P3P generic attribute on WSDL 2.0 components, more than one policy applies to a piece of data, the service requester must ignore all privacy claims made about this data.
Editorial note: Example for the complex case
Here is an example of use of the P3P generic attribute on a WSDL 2.0 file.
<?xml version="1.0"?>
<!-- Hopefully valid WSDL 2.0 -->
<definitions xmlns="http://www.w3.org/2003/11/wsdl"
             xmlns:myns="http://example.org/myservice"
             xmlns:mytypes="http://example.org/myservice-types"
             xmlns:p3patt="http://www.w3.org/2004/01/P3Pv11"
             xmlns:soap="http://www.w3.org/2003/06/wsdl/soap12"
             targetNamespace="http://example.org/myservice">
  <documentation>
    Sample service definition showing the use of the P3P generic attribute
  </documentation>
  <types>
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                targetNamespace="http://example.org/myservice-types">
      <xsd:complexType name="commentStruct">
        <xsd:sequence>
          <xsd:element name="phonenumber" type="xsd:string"
                       p3patt:p3p-gen="http://example.com/p3p-pol1.xml"/>
          <xsd:element name="status" type="xsd:anyURI"/>
        </xsd:sequence>
        <!-- attribute declarations belong after the content model, not inside the sequence -->
        <xsd:attribute name="date" type="xsd:date"
                       p3patt:p3p-gen="http://example.com/p3p-pol2.xml"/>
      </xsd:complexType>
      <xsd:element name="commentReq" type="mytypes:commentStruct"/>
      <xsd:element name="commentResp" type="xsd:string"/>
    </xsd:schema>
  </types>
  <interface name="Interface">
    <operation name="Operation" pattern="http://www.w3.org/2003/11/wsdl/in-out">
      <input message="mytypes:commentReq"/>
      <output message="mytypes:commentResp"/>
    </operation>
  </interface>
  <binding name="Binding" interface="myns:Interface">
    <soap:binding protocol="http://www.w3.org/2003/05/soap/bindings/HTTP/"/>
  </binding>
  <service name="Service" interface="myns:Interface">
    <endpoint name="Endpoint1" binding="myns:Binding"
              p3patt:p3p-gen="http://example.com/p3p-pol3.xml">
      <soap:address location="http://ws.example.org/myservice"/>
    </endpoint>
  </service>
</definitions>
If http://example.com/p3p-pol1.xml is:
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="nice" discuri="http://example.com/pol1.html" xml:lang="en">
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">CatalogExample</DATA>
        <DATA ref="#business.contact-info.postal.street">4000 Lincoln Ave.</DATA>
        <DATA ref="#business.contact-info.postal.city">Birmingham</DATA>
        <DATA ref="#business.contact-info.postal.stateprov">MI</DATA>
        <DATA ref="#business.contact-info.postal.postalcode">48009</DATA>
        <DATA ref="#business.contact-info.postal.country">USA</DATA>
        <DATA ref="#business.contact-info.online.email">catalog@example.com</DATA>
        <DATA ref="#business.contact-info.telecom.telephone.intcode">1</DATA>
        <DATA ref="#business.contact-info.telecom.telephone.loccode">248</DATA>
        <DATA ref="#business.contact-info.telecom.telephone.number">3926753</DATA>
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <DISPUTES-GROUP>
      <DISPUTES resolution-type="independent"
                service="http://www.PrivacySeal.example.org"
                short-description="PrivacySeal.example.org">
        <IMG src="http://www.PrivacySeal.example.org/Logo.gif" alt="PrivacySeal's logo"/>
        <REMEDIES><money/></REMEDIES>
      </DISPUTES>
    </DISPUTES-GROUP>
    <STATEMENT>
      <PURPOSE><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.http"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
And if http://example.com/p3p-pol3.xml is:
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="lessnice" discuri="http://example.com/pol3.html" xml:lang="en">
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">Invisible Corp.</DATA>
        <DATA ref="#business.contact-info.postal.street">Cloud 9</DATA>
        <DATA ref="#business.contact-info.postal.city">The sky</DATA>
        <DATA ref="#business.contact-info.online.email">invisible@example.com</DATA>
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><all/></ACCESS>
    <DISPUTES-GROUP>
      <DISPUTES resolution-type="independent"
                service="http://www.PrivacySeal.example.org"
                short-description="PrivacySeal.example.org">
        <REMEDIES><correct/></REMEDIES>
      </DISPUTES>
    </DISPUTES-GROUP>
    <STATEMENT>
      <PURPOSE><contact/><telemarketing/></PURPOSE>
      <RECIPIENT><public/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.home-info.telephonenum"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
Although privacy policy #1 claims that data is used only for the administration and development of the Web service, privacy policy #3 claims that telephone numbers may be used for telemarketing and disclosed to the public.
Therefore, the phone number provided in the phonenumber element of the input message sent to Endpoint1, to which both policy #1 and policy #3 apply, will likely be used by telemarketers. This is the outcome under the merging rule of 3.2 Resolution of policy conflicts, where both sets of claims are taken into account; under the simpler rule, the requester would have to ignore all privacy claims about this data, since two policies apply to it.
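The script below is an added example, not part of this note or of any W3C deliverable. It implements the walk that section 3.1 implies (endpoint, binding, interface, operation, input, message element, child element declaration) over a trimmed copy of the section 4 WSDL, then applies both rules of section 3.2 to the phonenumber element: the simpler rule, which yields "ignore all claims" as soon as two distinct policies apply, and the merging rule, which unions the STATEMENTs of every applicable policy. It assumes the attribute name p3p-gen in the namespace http://www.w3.org/2004/01/P3Pv11 from the sample schema in section 3, and the P3P policy documents are constructed inline (reduced to their STATEMENT elements) rather than retrieved from their URIs.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://www.w3.org/2003/11/wsdl}"
XSD = "{http://www.w3.org/2001/XMLSchema}"
P3P1 = "{http://www.w3.org/2002/01/P3Pv1}"
P3P_GEN = "{http://www.w3.org/2004/01/P3Pv11}p3p-gen"  # name assumed from the sample schema

# Constructed input: the section 4 WSDL trimmed to what the walk needs.
SAMPLE_WSDL = """<definitions xmlns="http://www.w3.org/2003/11/wsdl"
  xmlns:myns="http://example.org/myservice" xmlns:mytypes="http://example.org/myservice-types"
  xmlns:p3patt="http://www.w3.org/2004/01/P3Pv11" targetNamespace="http://example.org/myservice">
  <types><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      targetNamespace="http://example.org/myservice-types">
    <xsd:complexType name="commentStruct"><xsd:sequence>
      <xsd:element name="phonenumber" type="xsd:string"
                   p3patt:p3p-gen="http://example.com/p3p-pol1.xml"/>
      <xsd:element name="status" type="xsd:anyURI"/>
    </xsd:sequence></xsd:complexType>
    <xsd:element name="commentReq" type="mytypes:commentStruct"/>
    <xsd:element name="commentResp" type="xsd:string"/>
  </xsd:schema></types>
  <interface name="Interface"><operation name="Operation"
      pattern="http://www.w3.org/2003/11/wsdl/in-out">
    <input message="mytypes:commentReq"/><output message="mytypes:commentResp"/>
  </operation></interface>
  <binding name="Binding" interface="myns:Interface"/>
  <service name="Service" interface="myns:Interface"><endpoint name="Endpoint1"
      binding="myns:Binding" p3patt:p3p-gen="http://example.com/p3p-pol3.xml"/></service>
</definitions>"""

# Constructed P3P 1.0 documents: the STATEMENTs of the note's pol1 and pol3, keyed by URI.
P3P_DOCS = {
    "http://example.com/p3p-pol1.xml": """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
      <POLICY name="nice"><STATEMENT><PURPOSE><admin/><develop/></PURPOSE>
      <DATA-GROUP><DATA ref="#dynamic.http"/></DATA-GROUP></STATEMENT></POLICY></POLICIES>""",
    "http://example.com/p3p-pol3.xml": """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
      <POLICY name="lessnice"><STATEMENT><PURPOSE><contact/><telemarketing/></PURPOSE>
      <DATA-GROUP><DATA ref="#user.home-info.telephonenum"/></DATA-GROUP></STATEMENT></POLICY></POLICIES>""",
}


def local(qname):
    """'myns:Binding' -> 'Binding' (the sample keeps every component in one namespace)."""
    return (qname or "").split(":", 1)[-1]


def applicable_policies(wsdl_text, endpoint_name, element_name):
    """Walk endpoint -> binding -> interface -> operation -> input -> message element
    -> child element declaration, recording every p3p-gen attribute met on the way
    (section 3.1 semantics). Returns [(component, policy URI)], outermost first."""
    root = ET.fromstring(wsdl_text)
    found = []

    def note(label, elem):
        if elem is not None and elem.get(P3P_GEN):
            found.append((label, elem.get(P3P_GEN)))

    service = root.find(f"{WSDL}service")
    note("service", service)
    endpoint = service.find(f"{WSDL}endpoint[@name='{endpoint_name}']")
    note("endpoint", endpoint)
    binding = root.find(f"{WSDL}binding[@name='{local(endpoint.get('binding'))}']")
    note("binding", binding)
    interface = root.find(f"{WSDL}interface[@name='{local(binding.get('interface'))}']")
    note("interface", interface)
    schema = root.find(f"{WSDL}types/{XSD}schema")
    for op in interface.findall(f"{WSDL}operation"):
        note("operation", op)
        for inp in op.findall(f"{WSDL}input"):
            note("input", inp)
            decl = schema.find(f"{XSD}element[@name='{local(inp.get('message'))}']")
            note("message element", decl)
            ctype = schema.find(f"{XSD}complexType[@name='{local(decl.get('type'))}']")
            if ctype is None:
                continue
            for child in ctype.iter(f"{XSD}element"):
                if child.get("name") == element_name:
                    note("element " + element_name, child)
    return found


def resolve_simple(policies):
    """Section 3.2, simpler rule: more than one distinct policy on a piece of data
    means every privacy claim about it is ignored (None); otherwise the single URI."""
    uris = {uri for _, uri in policies}
    return uris.pop() if len(uris) == 1 else None


def merge_claims(policy_uris, fetch=P3P_DOCS.get):
    """Section 3.2, merging rule: every STATEMENT of every applicable policy counts.
    Returns {P3P data ref: set of purposes}; `fetch` stands in for retrieving the URI."""
    claims = {}
    for uri in sorted(policy_uris):
        for stmt in ET.fromstring(fetch(uri)).iter(f"{P3P1}STATEMENT"):
            purposes = {p.tag[len(P3P1):] for p in stmt.find(f"{P3P1}PURPOSE")}
            for data in stmt.iter(f"{P3P1}DATA"):
                claims.setdefault(data.get("ref"), set()).update(purposes)
    return claims


if __name__ == "__main__":
    found = applicable_policies(SAMPLE_WSDL, "Endpoint1", "phonenumber")
    for component, uri in found:
        print(f"{component:20} {uri}")
    print("single policy:", resolve_simple(found))  # None: pol3 and pol1 both apply
    for ref, purposes in merge_claims({u for _, u in found}).items():
        print(f"{ref:32} {sorted(purposes)}")
```

Running it lists the endpoint's policy #3 and the element declaration's policy #1 for phonenumber, reports no single applicable policy under the simpler rule, and under the merging rule shows telemarketing among the purposes claimed for #user.home-info.telephonenum, which is the conclusion drawn above. The same walk applied to the status element finds only policy #3, so the simpler rule would accept it.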