RE: comments on latest domain relationship proposal?

Brooks,

Thanks for your comments. I'm going to paraphrase (and quote) them and try
to respond.

- We are over-reaching by attempting to represent both agent and same-entity
relationships.

What we are proposing is an optional way for sites to specify which other
hosts/domains are known to use their policy reference file. The P3P 1.0 line
was that sharing a policy reference file was the proper way to represent
cross-host policies. However, that approach is open to abuse, hence the
known-hosts mechanism. This mechanism allows user agents to validate that
both sites agree on the use of a policy.

You may remember that a previous proposal attempted to express only
same-entity relationships, and it was actually less simple than the current
proposal, in that it had to introduce the concept of "same-entity" -- as an
attribute on the KNOWN-HOST element.

The latest proposal makes no attempt to define new concepts around
same-entity and agent. It simply falls back on the definitions in P3P 1.0.
Agents were included in the "ours" definition, so it happens to apply to
agents as well as same entities.

- How should user agents handle the situation in which a site refers to the
PRF but is not in the known hosts listing?

This decision is entirely up to the user agent implementers. We have no
choice but to make known-hosts optional in 1.1 -- that can be reconsidered
for 2.0. A user agent might decide not to restrict the cookies of a host in
a different domain if it appears in the known-hosts list for the primary
domain. Any restrictions they would apply otherwise can remain in effect...
the problem of known-hosts not being there is an existing problem!

- "It may be extremely difficult for 3rd parties acting as agents to
contextually know where they are to appear and
dynamically generate headers accordingly."

As an implementer of such systems, I disagree. Any sort of dynamic server
system can look at a key in the incoming URL, or the HTTP referrer, and from
that look up or imply the PRF location that should be returned in the P3P
HTTP header. There are many ways to skin this cat, and if agent sites can't
or don't want to implement it and reap the potential benefits... well, it's
optional.

- "It may be extremely difficult to maintain an active known hosts (in an
agents context) listing."

That may be true for some sites (particularly with ad servers), but
certainly not all. I would argue that, generally speaking, if a site can't
keep track of its embedded hosts, then they probably aren't known hosts.

- User agent implementers are happy with the way they identify third-parties
now.

There is some evidence to the contrary, but you have a point: ultimately the
success of this mechanism will depend on adoption by the UA folks. I would
really like to get feedback from them, but until we do, we can hope that
this will offer an option. 

In particular, I'm anxious about the fact that there is no compact
policy-based way to represent known-hosts. Technically the possibilities
there are a can of worms, though, so I believe it would be better for UAs to
use the PRFs to identify known hosts.


Again, thanks for your comments, Brooks. As always, I am open to
counter-proposals or suggestions on how to improve the proposal. (Time grows
short, though.)

++Jack++

-----Original Message-----
From: Dobbs, Brooks [mailto:bdobbs@doubleclick.net]
Sent: Monday, March 08, 2004 5:31 PM
To: 'Humphrey, Jack'; 'public-p3p-spec'
Subject: RE: comments on latest domain relationship proposal?


I think there is really good thinking here but I think we are overloading
this to our potential detriment.  I think the problem we would REALLY like
the UA folks to resolve is that there should be a simple way for site.com,
site.net, site.uk, and site-inc.com to say they are truly the same entity
(a=b=c=d).  I think that this is clarification that UAs may actually adopt
(largely because it is within consumer expectation).

However, as nice as it may be to express agent relationships, it is a can of
worms.  Assume you succeed...  One question it will beg is - what if you are
NOT listed as an agent but you appear within the site!  If you appear on a
1st party site and aren't declaring an agent relationship or seen in the
known hosts of the parent site - what the heck are you doing there?  Does
the site not control its own content?  We may know that it is because this
is optional, but it is a lot or reliance to be entrusted to an optional
element, particularly when it may be extremely difficult for 3rd parties
acting as agents to contextually know where they are to appear and
dynamically generate headers accordingly.  It almost forces the use of
policy ref in the P3P header.  Equally, while sites like to talk about
controlling data collected through the site, it may be extremely difficult
to maintain an active known hosts (in an agents context) listing.

Even if you get past this, there is still the up hill battle of consumer
expectation.  IMHO large UA makers enjoy (probably based on consumer
feedback) differentiating parties the way they are presently doing.  They
went out of their way to treat 1st and 3rd party cookies differently even
though the spec makes no such distinction.

Just thoughts...

-Brooks


-----Original Message-----
From: public-p3p-spec-request@w3.org [mailto:public-p3p-spec-request@w3.org]
On Behalf Of Humphrey, Jack
Sent: Monday, March 08, 2004 5:30 PM
To: 'public-p3p-spec'
Subject: comments on latest domain relationship proposal?


Haven't seen any comments on the latest domain relationship proposal:
http://www.w3.org/P3P/2004/03-domain-relationships.html

Please see the copy I sent to the list previously if you want to see the
bolded sections that changed from the previous version of the draft.

Would love to get this wrapped up soon, please get your comments in before
Wednesday if possible.

Thanks.

++Jack++

-----Original Message-----
From: Humphrey, Jack [mailto:JHumphrey@coremetrics.com]
Sent: Monday, March 01, 2004 9:00 AM
To: 'public-p3p-spec'
Subject: RE: AGENDA: MONDAY 4 March P3P Spec Call


Here is the new draft of the domain relationships proposal. I have
incorporated all of the comments I've received and also tried to clarify
some of the relationship questions.

Changed sections are bolded so you can quickly scan what changed. Rigo, can
you incorporate this draft into the working draft now (removing my bolding,
of course)?

Thanks. Sorry for the delay.

++Jack++

-----Original Message-----
From: Lorrie Cranor [mailto:lorrie@cs.cmu.edu]
Sent: Sunday, February 29, 2004 11:00 PM
To: 'public-p3p-spec'
Subject: AGENDA: MONDAY 4 March P3P Spec Call



The next P3P specification group conference call will be on
Monday, March 1, 2004, 11 am - 12 pm US Eastern. Dial-in
information is available at
http://www.w3.org/P3P/Group/Specification/1.1/meetings.html

NOTE THIS IS MONDAY, NOT WEDNESAY!

AGENDA

1. Agent and domain relationships
http://www.w3.org/Bugs/Public/show_bug.cgi?id=522
(Jack please circulate new draft)

2. Primary purpose specification
(Dave please circulate a draft)

3. Clarify what we mean by data linked to a cookie
http://www.w3.org/Bugs/Public/show_bug.cgi?id=172

4. Proposal to deprecate compact policies
http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0026.html

5. P3P Generic attribute for XML applications
http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0019.html

6. Set date/time for next call

Received on Tuesday, 9 March 2004 17:19:34 UTC