RE: can't really be LAST CALL,"HTTP State Management Mechanism (Rev1) " to Propo

-----Original Message-----
From:	Foteos Macrides [SMTP:MACRIDES@SCI.WFBR.EDU]
Sent:	Wednesday, July 23, 1997 6:43 PM
To:	dwm@xpasc.com
Cc:	http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Subject:	Re: can't really be LAST CALL,"HTTP State Management Mechanism (Rev1) " to Propo

"David W. Morris" <dwm@xpasc.com> wrote:
>On Wed, 23 Jul 1997, Larry Masinter wrote:
>>> Too much icing on the cookie, just say no.
>
>[...]
>
>The difference between the Comment attribute and the CommentURL is the
>difference between the Windows application which provides a message
>box with a message like:
>             "Unable to write bookmark file"
>and one which presents the message:
>             "Unable to write bookmark file:
>              C:\home\user\internet\bkmrks.fil
>              because the file already exists and is owned
>              by another user"
>In the first case, only a user familiar with the application internals
>could guess where to start looking.  In the second case, the average
>reasonably knowledgeable user of the operating system usage would have
>a good chance at successful problem resolution.

	Note that even in that example, you are restricting yourself
to ASCII characters. :)
		

>If user privacy is important to our protocol effort, we must make it
>>possible for the user to receive sufficient information for informed
>>consent. If we don't, the user community will throw their hands up
>>and take the course of least resistance and all of our concern about
>>cookie sharing will be moot.
>>
>>In other words, I don't consider CommentURL as icing on the cookie,
>>it is central to any possibility of achieving user control over
>>privacy.

	I doubt it will be considered icing by users whose language
is not adequately accommodated by the device of trying to stuff a body
into the value of a Set-Cookie2 header's comment attribute. :)

The work of the IPWG group and the P3 project so far indicates that 
the semantics of privacy and the scenarios are complex.  To enable 
"Free, informed consent", servers need to be able to display in an 
accessible manner their privacy practices and implications.   A 
comment alone doesn't do this.

In addition, I think the CommentURL (with or without additional cookie 
support) potentially introduces a mechanism to engage the user in a 
privacy dialogue leading to a more robust privacy solution: e.g., OPS 
and/or the results of the W3C P3 project...   Of course this could 
also possibly be dealt with through PEP.  For example a web page could 
have a link to a P3 (or whatever)-compliant browser or plug-in, which 
would give the user control over what could be done with information, 
cookies etc.

Received on Friday, 25 July 1997 08:04:29 UTC