
Re: Privacy and HTTP intermediaries

From: David Morris <dwm@xpasc.com>
Date: Mon, 2 May 2011 22:55:14 -0700 (PDT)
To: Julian Reschke <julian.reschke@gmx.de>
cc: Willy Tarreau <w@1wt.eu>, "Thomson, Martin" <Martin.Thomson@commscope.com>, Mark Nottingham <mnot@mnot.net>, httpbis mailing list <ietf-http-wg@w3.org>
Message-ID: <Pine.LNX.4.64.1105022253040.21808@egate.xpasc.com>


On Tue, 3 May 2011, Julian Reschke wrote:

> On 03.05.2011 07:18, Willy Tarreau wrote:
> > ...
> > Many intermediaries will still log regardless of whatever new directive
> > you add, and there are a lot of places where logging will be mandatory
> > regardless of the cache-control header (which should control caching and
> > not logging).
> > 
> > Also, concerning the privacy, I see no reason for not logging something
> > that is exchanged in clear text. This has always been the case for decades
> > with the query string in GET requests, etc.; if you want some privacy,
> > you know you need SSL.
> > ...
> 
> Logging is one thing, preserving logs is another thing. Reminder: in some
> countries, the IP address is considered relevant for privacy (and I agree),
> thus preserving HTTP logs containing IP information for too long is not
> allowed.

I think log management policies are out of scope for the HTTP protocol 
specification other than to note that traffic might be logged, requests
might be logged, etc. Logging may be required for system management and
problem resolution, or it might be required to conform to local laws.
Conversely, logging (and/or retention) may be limited by local laws.
Received on Tuesday, 3 May 2011 05:55:46 GMT
