W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

Re: FW: revised trusted cookie spec

From: Foteos Macrides <MACRIDES@sci.wfbr.edu>
Date: Mon, 18 Aug 1997 15:37:34 -0500 (EST)
To: masinter@parc.xerox.com
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-state@lists.research.bell-labs.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4207
Larry Masinter <masinter@parc.xerox.com> wrote:
>At the HTTP working group meeting, I took off my "virtual" chair's hat
>and put on a "opinionated working group member" hat, and ranted about
>commentURLs. I want to extend that rant:
>I'm opposed to commentURLs in cookies.
>I'm opposed to comment strings in cookies.
>I'm opposed to trusted cookies, too.
>I believe that we should recommend "browsers should not return
>cookies to sites that are not trusted with private information"
>and that trust can be established using a variety of means:
>(a) the site sent you the cookie (b) you have some other way of 
>establishing a site's privacy policy.
>Establishing the privacy policy might be accomplished by
>using a PICS-Label or by obtaining it via some other link,
>having the privacy rating INSIDE THE DOCUMENT that contains
>the links ("we assert that this document only links to sites
>with the following privacy policy") or any of a variety of
>means outside the HTTP protocol.
>But assertions of privacy policies do not belong *inside* the
>state management mechanism.

	This self-avowed opinionated rant is invalid because it retains
the myopic view that the commentURL is simply for legalistic statements
about a site's privacy policy.  Please read the actual draft:

     Optional.  Because cookies can be used to derive or store private
     information about a user, the CommentURL attribute alows an origin
     server to document how it intends to use the cookie.  The user can
     inspect the information identified by the URL to decide whether to
     initiate or continue a session with this cookie.

Statements such as "This cookie maintains your display preferences.", or
"This cookie servers as a shopping cart.",  or "This cookie performs
trade secrets which cannot be revealed to you.", or "This cookie serves
solely to track you from here to eternity." would be more helpful, not
simply for decisions on whether to accept a cookie, but even more
importantly for decisions during "clean ups" or cookie replacements
due to limited resources -- and their inclusion is "Optional."

	Providers should not be prevented from making such information
available in a manner which allows charset/language negotiation and
via a simple, consistent UA mechanism, rather than requiring users to
hunt around in unspecified documents for it, with no assurance that
what's said in some such documents applies to a particular cookie.

	You are trying to block something which has been discussed at
length already, is wanted by some implementors, and need not be used
by those who don't want it.

	In your own immortal words, "Please stop!" :) :)


 Foteos Macrides            Worcester Foundation for Biomedical Research
 MACRIDES@SCI.WFBR.EDU         222 Maple Avenue, Shrewsbury, MA 01545
Received on Monday, 18 August 1997 12:44:45 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:21 UTC