W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

comments on draft-ietf-http-trust-state-mgt-02.txt

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Wed, 25 Mar 1998 13:00:15 -0500 (EST)
Message-Id: <199803251800.NAA04257@aleatory.research.bell-labs.com>
To: djaye@engagetech.com
Cc: http-state@lists.research.bell-labs.com, http-wg@cuckoo.hpl.hp.com
Here are my comments on draft-ietf-http-trust-state-mgt-02.txt.  I
think the default settings for the use of trust labels and cookies need
to be discussed more.  See below, under 3.3.2.

Dave Kristol
==============

Substantive:

3.1  Syntax: General
    the optional label attributes "by" "gen" "for" "on" and "exp" 
        are required. 

    -> except that the syntax shows that "by" is still optional.

    privacypractice = "purpose" 1*purposerating 
	--> 1*purposerating is inconsistent with the later examples,
	which show things like "0:4" (several places).

    trust-label-data = labelattr-data privacy-practice [cookielist]
    ...
    "cookielist" refers to the list of cookie names in the cookieblock 
    extension.
	--> It would be better to create a "cookielist" non-terminal
	in the grammar (and use it for non-terminal "cookieinfo").

    purpose. Services that disclose that they use data for "other" purposes 
    should provide human readable explanations of those purposes. 
	--> The specification needs to say where/how to get them.

    "Contacting Visitors for Marketing of Services or Products" 
						     value = 4
	--> I'm unclear what this means.  Does it mean that the cookie
	accompanies (and is) the "contact", or does it imply there's
	some kind of subsequent or out-of-band contact?

	For example, a cookie from an (third-party) advertising site
	might be construed as purpose 4.

    "non-identifiable"                               value = 0
    "identifiable"                                   value = 1
	--> This begs for a definition of what comprises "information
	gathered ... in identifiable form", or, at the very least, an
	example.

3.3.1 Interpreting the trust-label
    A trust-label is ignored if the "exp-date" attribute of labelattr
    is less than or equal to the current date.
	--> Wouldn't it also make sense to do likewise if the exp-date
	attribute is <= the Date: header in the server's response?

    The labelattr-data, privacy-practice, and cookielist in the decrypted 
    trust-label-data from the sigblock must match the plaintext labelattr,
    privacy-practice, and cookielist for the signature to be valid.

	--> I don't think this is quite right.  If I understand how
	this stuff works,
	    1) The user agent calculates its own cleartext signature
	    for the trust-label-data; and
	    2) It compares the result against the decrypted sigblock
	    value.
	That is, the attributes themselves don't get decrypted.  Also,
	it's important to emphasize how the user agent should
	canonicalize the attributes when it does its calculation.

	Therefore, I think the wording should be something like this:

    The user agent validates the signature as follows.  It calculates
    its own signature for the trust-label from labelattr-data,
    privacy-practice, and cookielist, using the canonicalization rules
    of [DSIG].  (That is, it must mimic the trust authority's
    calculation.)  It then uses the public key of the trust authority
    to decrypt the sigblock value and compares the result against its
    own calculation.  The signature is valid if the two values agree.
    ------

    If the digital signature is invalid, then the trust-label should be 
    ignored and the cookie should not be set.
	--> I think the user agent should do whatever it would do when
	it receives a cookie that has no trust label, rather than
	always not set the cookie.  I think that's more consistent.

3.3.2	Accepting or rejecting Cookies
    User agents should have the following default preferences:
      Automatically accept:
	Cookies from verifiable transactions with trust-labels with 
	  purposerating 0 through 4 and dourating 0;
	Cookies from unverifiable transactions with trust-labels with 
	  purposerating 0 through 4 and idrating 0 and 
	  dourating 1.
      Automatically reject:
	Cookies from unverifiable transactions without trust-labels.

	--> IMO the default purposerating should be 0-3.  If you want to
	create an installation option that asks users ("opt in") whether
	4 is okay, fine.

	--> There's no mention above of *signed* trust labels.  IMO
	cookies for unverifiable transactions should require a signed
	label (by default).

	--> As the specification is now written, the "by" attribute is
	optional, as are signatures.  So a site need not even name a
	trust authority, can invent trust labels, and can bypass the
	"protections" the defaults should provide.  It also makes it
	even simpler to work around the admittedly weak "protections"
	in state-man-mec-08.  That's unsatisfactory.

	I think the spec. should require, at a minimum, either a "by"
	or a sigblock.  The "by" is a lame protection, but at least if
	a site fraudulently sends an unsigned label by a bogus trust
	authority there might be some recourse under consumer fraud
	rules.

Nits:

In a couple of places, the formatting is broken:  lines extend beyond
the margin:  Domainofuse; 3.4.3 Discovery ...; 5.2 False ...; 7.;
ACKNOWLEDGEMENTS.

There are a couple of references to RFC 2109.  Should they be changed
to state-man-mec-08?

There are a couple of instances of expired "exp" attributes in the
examples:  exp "1997.12.31T23:59-0000".

3. OUTLINE

    The server sends a Set-Cookie and/or a Set-Cookie2 header to the user 
    Agent along with a PICS-Label header containing the trust-label.  The 
    ^-- change: a

3.1  Syntax: General
    The specific cookies are listed in the cookieinfo extension to the 
    PICS label or to all compatible cookies if no cookies listed in the 
    cookieinfo extension.
	REWORD AS
    The PICS label applies to the cookies listed in the cookieinfo
    extension, or to all compatible cookies if no cookies are
    explicitly listed.

    an extension to include a list of the specific cookies to 
        to which the trust-label applies;
	== -> delete

    the optional label attributes "by" "gen" "for" "on" and "exp" 
        are required. 
	REWORD AS (and see note, earlier, about "by")
    the optional PICS label attributes "by", "gen", "for", "on", and
	"exp" are required by this specification.

    serviceID       = 
	  "http://www.w3.org/PICS/systems/P3P-http-trust-state-01.rat" |
	^-- insert: <">					 insert <"> --^
	    --> it's supposed to be quoted

    The Identifiable rating specifies whether the information gathered is in 
    identifiable form, is associated with identifiable information, or used 
    						       insert: "is" --^
    to derive personal identity.

3.3 	User Agent Role

    The user agent receives a cookie headers and trust-labels from
    			    = -> delete

3.3.3  User intervention
    The user agent may prompt the user to verify that it wishes to reject a
    cookie in conditions where the cookie is being rejected based on
    a default preference or no preference applies.
    			   ^-- insert: when

3.4.3 Discovery of privacy-practice ratings
    well-known rating service, http:\www.w3.org\PICS\1.0\P3P\v1.0,
 		   change to: http://www.w3.org/PICS/1.0/PRP/v1.0
    is referenced in this document.

4.1 Example 1

1.  User Agent preferences:

    In this example, the user agent has a preference for automatically
    accepting cookies from domains that have valid rating of 
    "domainofuse 0".
	-> REWORD AS
    In this example, the user agent has a preference for automatically
    accepting cookies from domains that have a valid rating of 
    "domainofuse 0", and the user agent does not require signed labels.

4.2 Example 2
    "domainofuse 0" or "domainofuse 1 by www.aaa.org.
    				     ^-- insert: "

(Under 5)
    www.aaa.org" is acceptable to the user agent.
    ^-- insert: "

5.2 False representation
    site's adherence to its stated privacy practice.  However, if the
    site digitally signs the label, then that may represents a legally
    						  delete --^
    binding contract on the site to follow the professed privacy
    ...

7. ACKNOWLEDGEMENTS

    This document represents input from Dave Kristol, Yaron Goland,
					==== -> "David M.", please.
    Joseph Reagle, and Jonathan Stark..
Received on Wednesday, 25 March 1998 11:27:12 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:14 EDT