> I'm also thinking in terms of how a Web service can judge the "quality"
> of another Web service.
> ... To put this question in context, please consider the following
> ... - Since there is no pre-negotiated agreement in this scenario, the
> travel agent needs a way of determining whether a given Web service is
> "legitimate" or not. This goes beyond the security/trust realm that can
> be covered by security tokens, to encompass whether or not the business
> behind the Web service is legitimate, and not a front for a phony
> operation. This could be done through the use of a third-party Web
> Service "certification" authority that is "trusted" by the travel agent.
> Once the travel agent's Web service agent sees this certification on a
> Web service, it moves farther with that Web service in its discovery
This is definitely a real and worthy issue, and one that is very
complicated. Not only does one want to know that the web service is legit,
one wants to know that the __agent__ that purports to represent the service
has the authority to do so. Next, because that agent may end up doing
something with consequences, like charge a credit card or order goods and
services, the first agent needs to be able to pass on its authority for
doing so to the second agent. This would need to continue through a
potentially long chain, and it might be a bush instead of a chain, just to
make things even more involved.
In fact, each agent would also have to be trusted not to reveal the
confidential authorization information except in the right circumstances,
but each agent may well be set to follow different rules about such matters.
Now add in the notion that "intelligent" agents may exhibit emergent - and
therefore somewhat unpredictable - behavior, and you have a really murky
swamp. Does this remind you of the game where person #1 whispers a sentence
into the ear of person #2, and so on around the room? It ought to.
It will take more than a simple and centralized certification authority to
deal with all these issues - and remember, they play together, so individual
certifications may not be enough.
> - Additionally, the Web services (those that the travel agent's Web
> service attempts to discover) could have some sort of "quality rating"
> that reflects various factors such as reliability (i.e. whether or not
> the Web service offers a reliable messaging feature), up time, etc.
As others have posted by now, there are a vast number of potential ratings.
Perhaps a certain small number could be agreed on in a certain industry.
Think of bond ratings - there are a few bond rating companies, and one
usually checks them all. Yet we know that sometimes rating companies play
games, and sometimes they get gamed. Without a human in the process,
how can we deal with this?
Because of considerations like this, I think that a lot of really creative
thinking needs to happen about this whole bit of automated, complex business
transactions. This is not just a programming and standards problem, not by
a long shot. It is also legal and social, just for starters.
> - Assuming that the travel agent's Web service has initially "selected"
> a Web service based on its legitimacy and quality rating: the travel
> agent's Web service may have a list of criteria specific to its request
> (hotel reservation) that are required of the discovered Web service, and
> at various levels (weights). These may reflect the travel agency's
> business policies. For instance, the travel agency may (for whatever
> reason) require a 3-day (more lenient) cancellation policy (instead of
> 1-day notice).
This is a pipe dream, I am sorry to say. Consider what would be required
for this kind of thing to work - each service would have to be able to
collect and assess metrics and statistics on any arbitrary combination of
metrics that a would-be customer might come up with. That would be
impossible - I should be politic and say "impractical", but I will leave it
On the other hand, I could see grouping metrics into a few specific groups
that a particular industry agreed would serve. Your agent, then, might ask
for the web service's "class 3 metric" for the last 2 years, and for the
certification of that metric. Certification by who? Good question. An
industry association? Hmm... Government (shudder)? ...
As always, one good question is "What recourse will I have if things work
out badly?" - that is, if I get cheated, or the goods and services are poor
quality or not as advertised, or my private information gets compromised, or
my bank account turns up empty. If we have a handle on that, then what
would have to be in place to make it happen? And so on until we get to our
current starting point.
I know that this post sounds rather negative. I do not really mean it to be
negative, but I think a different way of approaching the whole area is
called for. After all, the existing protections that apply in commerce have
been developed over hundreds of years, through thousands of court decisions
and legislative attempts and trade practices. And they do not protect
everyone all the time as it is. For widespread automated commerce, where
partners are not picked out ahead of time or traded with for years, we will
need no less and probably more, since the potential for harm is so much
greater with automation.
It is not just an engineering problem!