
Re: FW: revised trusted cookie spec

From: Larry Masinter <masinter@parc.xerox.com>
Date: Mon, 18 Aug 1997 12:57:22 PDT
Message-Id: <33F8A922.8924B6@parc.xerox.com>
To: Foteos Macrides <MACRIDES@sci.wfbr.edu>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-state@lists.research.bell-labs.com

>         This self-avowed opinionated rant is invalid because it retains
> the myopic view that the commentURL is simply for legalistic statements
> about a site's privacy policy. 

Foteos,

I know what the Comment and the CommentURL are *for*. There are a lot of
things that they are useful *for*. But just because a salad-shooter and
an apple-corer are very useful kitchen appliances doesn't mean that we
should add them to HTTP.

I'm sure it is dandy that a CommentURL *could* tell you "This cookie
maintains your display preferences" and "This cookie performs
trade secrets which cannot be revealed to you." It could also tell me
"This cookie was designed by that great web site designer Joe Coolsite
who will build cookies for you too!" A CommentURL could include
advertisements for local bakeries! It could shine your shoes! It could
wash your dog!

No, the problem isn't that Comments and CommentURLs don't have
conceivable uses.

>        Providers should not be prevented from making such information
> available in a manner which allows charset/language negotiation and
> via a simple, consistent UA mechanism, rather than requiring users to
> hunt around in unspecified documents for it, with no assurance that
> what's said in some such documents applies to a particular cookie.

I agree 100%. I want the way a site tells me what it is doing with my
private information to be available via a simple, consistent UA
mechanism. I don't want one mechanism for cookies, another mechanism for
content negotiation, a third mechanism for deciding whether to supply my
email address as the password for anonymous FTP, another mechanism for
deciding whether I want to supply personal information in forms I fill
out using a web browser, another mechanism for deciding whether I want
to supply personal information when interacting with a Java applet. I
want just what you're calling for: a single, consistent UA mechanism,
adapted for local preferences for charset and language, but I want it to
be useful for all of those mechanisms. Putting in "Comment" and/or
"CommentURL" inside Set-Cookie does nothing to help out with any of the
other situations in which privacy is also an issue, and is quite
possibly inconsistent or incompatible with those other situations.

Regards,

Larry
-- 
http://www.parc.xerox.com/masinter
Received on Monday, 18 August 1997 13:02:50 EDT
