W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

Re: Comment-URL question

From: Ted Hardie <hardie@thornhill.arc.nasa.gov>
Date: Mon, 28 Jul 1997 16:54:15 -0700
Message-Id: <9707281654.ZM20319@thornhill.arc.nasa.gov>
To: Dave Kristol <dmk@bell-labs.com>, hardie@nic.nasa.gov, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Cc: "David W. Morris" <dwm@xpasc.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Jul 28,  6:15pm, Dave Kristol wrote:

> The CommentURL mechanism assists the user in making a decision.  With
> that in mind, the answer to your questions is, I think, the UA tells the
> user what happened.  If we're talking about an inspection mechanism at
> "the port of entry" (when a cookie accompanies a new page and before the
> user has viewed the page), the user probably has a choice of whether or
> not to accept the cookie.  Examining the comment URL is a way for the
> user to make an informed choice.  If the UA reports it can't fetch the
> CommentURL, the user still has that choice, just with less information
> than s/he hoped for.

I understand that the comment URL is not meant to be a true
verfication mechanism, but, like Larry, I worry that the percentage
gain in providing it may not match the cost.  To deal with a comment
URL we will already need advice/rules about providing cookies with the
resource referenced in the comment URL.  I was trying to point out
that we might also need advice/rules about how to treat the open
connection to the original resource during an inspection.  If
inspections are common, we could be asking servers to hold open a
large number of persistent connections while a relatively slow thing
(a user inspection) happens.  That has a cost.  If the connection is
maintained by the UA "pinging" the server with a HEAD, we've also got
bytes on the wire that impact everybody and aren't actually sending
information anywhere.

In contrast, if we don't provide that advice and connections normally
close while inspections occur, there are consequences either to how
cookies are created (so that the same client is highly likely to get
the same cookie back on a request made in a short time frame, rather
than highly unlikely as now) or how the UA manages the relationship
between the approved inspection and the cookies it receives.

Frankly, I'm not sure that all of the management cost and user
education cost is worth the marginal (and hopefully short-term) gain.
I fully support inclusion of comments which indicate certification or
even asserted well-known policies.  But doing this with
individually-inspectable URLs does not seem to be a clear win to me.
I worry in particular that allowing such URLs will encourage every
corporate lawyer to have a policy, rather than relying on well know
policies; that is, admittedly, probably paranoid, but I was raised by
lawyers and I know how they can think.  Given the ease of changing
resources on the web, I would also want to be able to do a HEAD
against the policy in a comment URL once every session I interacted
with the resource, just to be sure the policy hadn't changed.  (Note
that I do not say I would always use that ability, just that I would
want *at least* that ability).  If even a small percentage of the net
behaves as I would, we have a lot of additional overhead.

Of course, I may what Phill would call "a corner case", but I hope
you'll think about the cost vs. gain ratios one more time.

			best regards,
				Ted Hardie
				NASA NIC


NB: NASA was not raised by lawyers, and some of the ones which raised
me have since repented.
Received on Monday, 28 July 1997 16:57:28 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:49 EDT