W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: FW: revised trusted cookie spec

From: Koen Holtman <koen@win.tue.nl>
Date: Mon, 8 Sep 1997 19:39:52 +0200 (MET DST)
Message-Id: <199709081739.TAA23659@wsooti08.win.tue.nl>
To: Larry Masinter <masinter@parc.xerox.com>
Cc: koen@win.tue.nl, DJaye@engagetech.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Larry Masinter:
>[Koen Holtman:]
>> Larry, would you be happy with a spec which defines
>> 
>> a) an extensible Pics-Label header for conveying information about
>>    privacy policies
>> b) the specific cookie-related instance of this extensible header?

[...]

>I'm just not at all certain that this kind of policy issue belongs
>in HTTP at all. What if, for example, there were an HTML HEAD element
>that could contain a site's policies or links to them, and that
>before actually storing any cookie to disk, the policy could
>be determined?
>
>Putting this kind of information in the protocol seems like it violates
>the boundary between protocol and application in a way that doesn't feel
>right to me.

Strange.  My feelings on what is right are just the other way around.
I think that a boundary would be violated if we were to use HTML to
take care of the HTTP cookie privacy issues.  We cannot rely on having
HTML whenever we have HTTP cookies.  What happens, for example, for a
site based on vrml or java content?

The cookie pricavy policy mechanisms should be able to use HTTP
headers for the same reason that PICS content labels are able to HTTP
headers.

>Larry

Koen.
Received on Monday, 8 September 1997 10:45:41 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:00 EDT