On Tue, May 06, 2003 at 12:52:03PM -0400, Joseph M. Reagle Jr. wrote:

> 1. Would it lead to the presumption that an unsigned P3P policy is somehow
> less committed to or binding?

I don't think by adding non-repudiation to a P3P Policy one reduces the meaning or value of a non-signed policy. The signature does not add meaning to the policy. It is only a question of evidence.

> 2. Who exactly is validating the signature? This isn't something users are
> likely to comprehend or be able to easily do. (How is it that they are
> getting the service's public key for the validation, this presumes a level
> of infrastructure and knowledge which is not yet present.)

That's actually a good question. I would _love_ to see native XML Signature support in browsers to be able to sign XHTML pages (for courts and laws, e.g.). But I agree, we are far from there.

> So I think a signed privacy is a nice exercise, but don't find it that
> compelling in the b2c scenario and might weaken the interpretation of an
> unsigned policy.

It might create yet another incentive to implement XML Sig into an agent. I think the signature requirement is more or less a requirement to be able to link old-style paper procedures with digital ones without too much change. (See the EU Directive on Sig that creates an _equivalent_ to handwritten signature.) So for me, it's a nice enhancement, but not a must-be. In fact, it might be nice to have a common way to do signatures on policies, if there are many ways to implement that. But Jo, you can tell better _if_ there are really many ways.

Rigo

Received on Wednesday, 7 May 2003 03:03:14 EDT