Cart
|
[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Web Services and Quality
 [Chiusano Joseph] > I'm also thinking in terms of how a Web service can judge the "quality" > of another Web service. > > ... To put this question in context, please consider the following scenario: > > ... - Since there is no pre-negotiated agreement in this scenario, the > travel agent needs a way of determining whether a given Web service is > "legitimate" or not. This goes beyond the security/trust realm that can > be covered by security tokens, to encompass whether or not the business > behind the Web service is legitimate, and not a front for a phony > operation. This could be done through the use of a third-party Web > Service "certification" authority that is "trusted" by the travel agent. > Once the travel agent's Web service agent sees this certification on a > Web service, it moves farther with that Web service in its discovery > efforts. > This is definitely a real and worthy issue, and one that is very complicated. Not only does one want to know that the web service is legit, one wants to know that the __agent__ that purports to represent the service has the authority to do so. Next, because that agent may end up doing something with consequences, like charge a credit card or order goods and services, the first agent needs to be able to pass on its authority for doing so to the second agent. This would need to continue through a potentially long chain, and it might be a bush instead of a chain, just to make things even more involved. In fact, each agent would also have to be trusted not to reveal the confidential authorization information except in the right circumstances, but each agent may well be set to follow different rules about such matters. Now add in the notion that "intelligent" agents may exhibit emergent - and therefore somewhat unpredictable - behavior, and you have a really murky swamp. Does this remind you of the game where person #1 whispers a sentence into the ear of person #2, and so on around the room? It ought to. It will take more than a simple and centralized certification authority to deal with all these issues - and remember, they play together, so individual certifications may not be enough. > - Additionally, the Web services (those that the travel agent's Web > service attempts to discover) could have some sort of "quality rating" > that reflects various factors such as reliability (i.e. whether or not > the Web service offers a reliable messaging feature), up time, etc. > (others?). > As other have posted by now, there are a vast number of potential ratings. Perhaps a certain small number could be agreed on in a certain industry. Think of bond ratings - there are a few bond rating companies, and one usually checks them all. Yet we know that sometimes rating companies play games, and sometimes they have get gamed. Without a human in the process, how can we deal with this? Because of considerations like this, I think that a lot of really creative thinking needs to happen about this whole bit of automated, complex business transactions. This is not just a programming and standards problem, not by a long shot. It is also legal and social, just for starters. > - Assuming that the travel agent's Web service has initiatlly "selected" > a Web service based on its legitimacy and quality rating: the travel > agent's Web service may have a list of criteria specific to its request > (hotel reservation) that are required of the discovered Web service, and > at various levels (weights). These may reflect the travel agency's > business policies. For instance, the travel agency may (for whatever > reason) require a 3-day (more lenient) cancellation policy (instead of > 1-day notice). This is a pipe dream, I am sorry to say. Consider what would be required for this kind of thing to work - each service would have to be able to collect and assess metrics and statistics on any arbitrary combination of metrics that a would-be customer might come up with. That would be impossible - I should be politic and say "impractical", but I will leave it as written. On the other hand, I could see grouping metrics into a few specific groups that a particular industry agreed would serve. Your agent, then might ask for the web services's "class 3 metric" for the last 2 years, and for the certification of that metric. Certification by who? Good question. An industry association? Hmm... Goverment (shudder)? ... As always, one good question is "What recourse will I have if things work out badly?" - that is, if I get cheated, or the goods and services are poor quality or not as advertised, or my private information gets compromised, or my bank account turns up empty. If we have a handle on that, then what would have to be in place to make it happen? And so on until we get to our current starting point. I know that this post sounds rather negative. I do not really mean it to be negative, but I think a different way of approaching the whole area is called for. After all, the existing protections that apply in commerce have been developed over hundreds of years, through thousands of court decisions and legislative attempts and trade practices. And they do not protext everyone all the time as it is. For widespread automated commerce, where partners are not picked out ahead of time or traded with for years, we will need no less and probably more, since the potential for harm is so much greater with automation. It is not just an engineering problem! Cheers, Tom P 
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! 
Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|
|||||||||
