The web services must satisfy some technical requirements:
Messages MUST be correlated, so that each response is bound to its request in an auditable way
Message ID correlation
Business Process Model and Instance IDs (or context or instance) to allow overarching correlation of several request-response pairs (e.g. to avoid actors who would have an overall conflict of interest that might not be identified when working only at the level of individual request-response pairs)
The PDP can receive this easily enough as an environment parameter, and it is needed to support dynamic separation of duties
Gap: business process modelling does not express this?
Consider a hierarchical ID in URL format
Better if typed, as in LDAP DN format or a query string
Requester and Responder MUST be identified (Req 10.4)
Synchronous web service calls MUST be supported
Asynchronous calls SHOULD be supported where needed. Business Process Engines will handle asynchrony.
A Subscribe-Notify mechanism SHOULD be supported where needed
Subscription for events will be vital to pick up errors and to notify of events like break-the-glass
WS-Eventing for subscribe and publish
Event bus as a subscribe and publish mechanism
Maximise availability, and use digital signature and encryption technologies, i.e. technical solutions to security and trust problems.
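
An added example (not part of the original requirements) of the correlation requirement above: a minimal PDP that receives the business process instance ID as an environment parameter, enforces dynamic separation of duties per instance, and binds each decision to the request's message ID in an audit record. The class and field names, the task names, the conflict policy and the URL-format instance IDs are all hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical policy: pairs of tasks that one actor must not both perform
# within the same business process instance.
CONFLICTING_TASKS = {frozenset({"submit_claim", "approve_claim"})}

@dataclass
class Pdp:
    # history[process_instance_id][subject] -> tasks already permitted there
    history: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def decide(self, message_id, subject, task, environment):
        instance = environment.get("process_instance_id")
        if not instance:
            # Fail closed: without an instance ID the pairs cannot be correlated.
            decision = "Deny"
        else:
            done = self.history.setdefault(instance, {}).setdefault(subject, set())
            conflict = any(frozenset({task, prior}) in CONFLICTING_TASKS
                           for prior in done)
            decision = "Deny" if conflict else "Permit"
            if decision == "Permit":
                done.add(task)
        # The audit record binds the response to the request's message ID.
        self.audit.append({"relates_to": message_id, "instance": instance,
                           "subject": subject, "task": task,
                           "decision": decision})
        return {"relates_to": message_id, "decision": decision}

def demo():
    # Constructed sample requests; instance IDs use a hierarchical URL-style form.
    pdp = Pdp()
    env_a = {"process_instance_id": "/claims/expense-v1/instance/1001"}
    env_b = {"process_instance_id": "/claims/expense-v1/instance/1002"}
    decisions = [
        pdp.decide("msg-1", "alice", "submit_claim", env_a),
        pdp.decide("msg-2", "alice", "approve_claim", env_a),  # same instance
        pdp.decide("msg-3", "bob", "approve_claim", env_a),    # different actor
        pdp.decide("msg-4", "alice", "approve_claim", env_b),  # other instance
        pdp.decide("msg-5", "alice", "approve_claim", {}),     # no instance ID
    ]
    return [d["decision"] for d in decisions], pdp.audit

if __name__ == "__main__":
    print(demo())
```

Evaluated one request-response pair at a time, msg-2 looks no different from msg-4; only the instance ID in the environment lets the PDP see that the same actor already submitted the claim being approved.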