Re: FW: revised trusted cookie spec

At the HTTP working group meeting, I took off my "virtual" chair's hat
and put on an "opinionated working group member" hat, and ranted about
commentURLs. I want to extend that rant:


I'm opposed to commentURLs in cookies.
I'm opposed to comment strings in cookies.
I'm opposed to trusted cookies, too.

I believe that we should recommend "browsers should not return
cookies to sites that are not trusted with private information"
and that trust can be established using a variety of means:
(a) the site sent you the cookie (b) you have some other way of 
establishing a site's privacy policy.

Establishing the privacy policy might be accomplished by
using a PICS-Label or by obtaining it via some other link,
having the privacy rating INSIDE THE DOCUMENT that contains
the links ("we assert that this document only links to sites
with the following privacy policy") or any of a variety of
means outside the HTTP protocol.

But assertions of privacy policies do not belong *inside* the
state management mechanism.

Larry

Received on Monday, 18 August 1997 11:12:02 UTC