W3C home > Mailing lists > Public > public-p3p-spec@w3.org > February 2004

[Minutes] of the 11 feb 2004 call

From: Rigo Wenning <rigo@w3.org>
Date: Wed, 11 Feb 2004 18:01:16 +0100
To: public-p3p-spec <public-p3p-spec@w3.org>
Message-ID: <20040211170116.GN3969@accueil.w3.org>


Present:

Lorrie Cranor
Jack Humphrey
Rigo Wenning
Jeff Edelen
Brooks Dobbs


AGENDA

1. Agent and domain relationships
http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0012.html

talking about
http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0018.html

Potential Problem
if directory a has policy b on host a.example.com
and directory b has policy a on host a.example.com

the known hosts
now if host b.example references this PRF by http-header
and has policy a on directory a and policy b by policy b, the user
agent gets screwed.

Lorrie suggest to have a separate PRF for known hosts and that
known hosts should use that separate PRF if it gets complicated.


ACTION: Jack: bring up a new draft and send to Rigo for publication

Rigo asked about performance improvements
Lorrie said that this is already feasable with the actual mechanisms
no more improvements possible with the relationsships. We can only
express the nature of relationsships.

ACTION Rigo ask Brooks about how to use this for performance improvement

Lorrie stated that the current proposal is in good shape to go into the
specification.

Floor still open for performance

ACTION: Rigo Link new agent domain relationsships


2. Primary purpose specification

Action Rigo: Call up data commissioners and follow up with Dave


3. Clarify what we mean by data linked to a cookie
http://www.w3.org/Bugs/Public/show_bug.cgi?id=172

We discussed this on the call last week but did not have time to finish
it. Consensus that we need better text to describe direct linking.
Question remains about what we should say about indirect linking.

Brooks and Giles are not present:
We are in the process of where to draw the line for indirect linking. A direct link if there
is a database key in the cookie. If things are linked because two cookies in the same logfile
and there is no intention to harvest that, should we draw the line?

Jeff, it is tricky to define. You could match two keys from different databases
JH: if you have the the intent to link it. Any other linkages that you do later and
that you haven't declared initially are a violation of your policy.

From a different angle, if one makes risk-assesment on user side:
Lorrie, if site uses multiple cookies, one can assume they are linkable. That doesn't say
that they actually get linked.

Action: Lorrie to rewrite Giles draft on linking data to include linked and linkable
and circulate to the list.

We asked about what the relationsship between online cookie database and offline CRM system
we want clarity for that question. Lorrie said that we might ask the companies to use
different identifiers.
Also the question, about what to declare if only parts of the CRM database are used
for the online context.
JH: if not linking the data and no intention, should make reasonable effort to create obstacles
in your architecture.

Rigo: We already have done criteria in non-identifiable, so why not have criteria here
Brooks: People won't re-engineer their CRM-Systems.

Example:

Web-site with search engine and customers and customer-data: We want to know if I search
for aids, will that be linked into my customer-data.
BD: we always assumed that IP is linked to cookie as they are on the same line in the logfile
Lorrie: but what is linked to the cookie?
Rigo: issue is that the actual data transferred is not much, but it adds up in the record and
we don't have a good way to say that.

LC: Cookie is only linked to data if it causes a change update in the database
BD: logfile is arguably a database.
LC: If you wouldn't log the cookie in the logfile you would not change the database
... if cookie is used to retrieve info from database, then it is arguably also linked to
....a database.
BD: the lookup is changing the data structure? If there is no log of this transaction
LC: if log the transaction, than offline will associate with online, but if it is not logged, there
is no link



4. How to proceed on compact policies?

LC: want a decision
we can't get rid of them, as this would harm backwards compatibility
so only three options: keep them as is, could be deprecated or improved

What would deprecated mean?
We encourage use only to make P3P 1.0 user agents happy
What are tradeoffs and benefits?

Improvements: could they be substantial enough to remedy the known
problems?

Keep them as is? Nobody opted for this solution as the issues around
the compact format are too serious.


5. Set time/date of next call (Lorrie not available Feb 18 or Feb 25)
Next time 23 February 11am:

Action Lorrie: Arrange the bridge at W3C
Received on Wednesday, 11 February 2004 13:20:31 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 17 March 2004 17:46:30 EST