
Re: comments on latest domain relationship proposal?

From: Lorrie Cranor <lorrie@cs.cmu.edu>
Date: Tue, 9 Mar 2004 20:58:16 -0500
Message-Id: <65D0265A-7236-11D8-A3D6-000A95DA3F5A@cs.cmu.edu>
Cc: 'public-p3p-spec' <public-p3p-spec@w3.org>, "'Dobbs, Brooks'" <bdobbs@doubleclick.net>
To: "Humphrey, Jack" <JHumphrey@coremetrics.com>

Yes, time grows short. We need to decide whether to take this proposal 
more or less as is, make some specific changes to it, or forget it.

I did have a conversation with Jeremy about this last week. While he 
could not make any guarantees, he did not see any problems with 
implementing this proposal. He was not entirely sure how the user agent 
would make use of the known-host information, but said there was 
probably something useful they could do with it if they had it. The 
next version of the browser may not need to rely as heavily on CPs, so 
putting the info in the PRF is ok. I can discuss this more on the call.


On Mar 9, 2004, at 5:19 PM, Humphrey, Jack wrote:

> Brooks,
> Thanks for your comments. I'm going to paraphrase (and quote) them and try to respond.
> - We are over-reaching by attempting to represent both agent and same-entity relationships.
> What we are proposing is an optional way for sites to specify which other hosts/domains are known to use their policy reference file. The P3P 1.0 line was that sharing a policy reference file was the proper way to represent cross-host policies. However, that approach is open to abuse, hence the known-hosts mechanism. This mechanism allows user agents to validate that both sites agree on the use of a policy.
> You may remember that a previous proposal attempted to express only same-entity relationships, and it was actually less simple than the current proposal, in that it had to introduce the concept of "same-entity" -- as an attribute on the KNOWN-HOST element.
> The latest proposal makes no attempt to define new concepts around same-entity and agent. It simply falls back on the definitions in P3P 1.0. Agents were included in the "ours" definition, so it happens to apply to agents as well as same entities.
> - How should user agents handle the situation in which a site refers to the PRF but is not in the known hosts listing?
> This decision is entirely up to the user agent implementers. We have no choice but to make known-hosts optional in 1.1 -- that can be reconsidered for 2.0. A user agent might decide not to restrict the cookies of a host in a different domain if it appears in the known-hosts list for the primary domain. Any restrictions they would apply otherwise can remain in effect... the problem of known-hosts not being there is an existing problem!
> - "It may be extremely difficult for 3rd parties acting as agents to contextually know where they are to appear and dynamically generate headers accordingly."
> As an implementer of such systems, I disagree. Any sort of dynamic server system can look at a key in the incoming URL, or the HTTP referrer, and from that look up or imply the PRF location that should be returned in the P3P HTTP header. There are many ways to skin this cat, and if agent sites can't or don't want to implement it and reap the potential benefits... well, it's optional.
> - "It may be extremely difficult to maintain an active known hosts (in an agents context) listing."
> That may be true for some sites (particularly with ad servers), but certainly not all. I would argue that, generally speaking, if a site can't keep track of its embedded hosts, then they probably aren't known hosts.
> - User agent implementers are happy with the way they identify third-parties now.
> There is some evidence to the contrary, but you have a point: ultimately the success of this mechanism will depend on adoption by the UA folks. I would really like to get feedback from them, but until we do, we can hope that this will offer an option.
> In particular, I'm anxious about the fact that there is no compact policy-based way to represent known-hosts. Technically the possibilities there are a can of worms, though, so I believe it would be better for UAs to use the PRFs to identify known hosts.
> Again, thanks for your comments, Brooks. As always, I am open to counter-proposals or suggestions on how to improve the proposal. (Time grows short, though.)
> ++Jack++
> -----Original Message-----
> From: Dobbs, Brooks [mailto:bdobbs@doubleclick.net]
> Sent: Monday, March 08, 2004 5:31 PM
> To: 'Humphrey, Jack'; 'public-p3p-spec'
> Subject: RE: comments on latest domain relationship proposal?
> I think there is really good thinking here but I think we are overloading this to our potential detriment.  I think the problem we would REALLY like the UA folks to resolve is that there should be a simple way for site.com, site.net, site.uk, and site-inc.com to say they are truly the same entity (a=b=c=d).  I think that this is clarification that UAs may actually adopt (largely because it is within consumer expectation).
> However, as nice as it may be to express agent relationships, it is a can of worms.  Assume you succeed...  One question it will beg is - what if you are NOT listed as an agent but you appear within the site!  If you appear on a 1st party site and aren't declaring an agent relationship or seen in the known hosts of the parent site - what the heck are you doing there?  Does the site not control its own content?  We may know that it is because this is optional, but it is a lot of reliance to be entrusted to an optional element, particularly when it may be extremely difficult for 3rd parties acting as agents to contextually know where they are to appear and dynamically generate headers accordingly.  It almost forces the use of policy ref in the P3P header.  Equally, while sites like to talk about controlling data collected through the site, it may be extremely difficult to maintain an active known hosts (in an agents context) listing.
> Even if you get past this, there is still the uphill battle of consumer expectation.  IMHO large UA makers enjoy (probably based on consumer feedback) differentiating parties the way they are presently doing.  They went out of their way to treat 1st and 3rd party cookies differently even though the spec makes no such distinction.
> Just thoughts...
> -Brooks
> -----Original Message-----
> From: public-p3p-spec-request@w3.org [mailto:public-p3p-spec-request@w3.org] On Behalf Of Humphrey, Jack
> Sent: Monday, March 08, 2004 5:30 PM
> To: 'public-p3p-spec'
> Subject: comments on latest domain relationship proposal?
> Haven't seen any comments on the latest domain relationship proposal:
> http://www.w3.org/P3P/2004/03-domain-relationships.html
> Please see the copy I sent to the list previously if you want to see the bolded sections that changed from the previous version of the draft.
> Would love to get this wrapped up soon, please get your comments in before Wednesday if possible.
> Thanks.
> ++Jack++
> -----Original Message-----
> From: Humphrey, Jack [mailto:JHumphrey@coremetrics.com]
> Sent: Monday, March 01, 2004 9:00 AM
> To: 'public-p3p-spec'
> Subject: RE: AGENDA: MONDAY 4 March P3P Spec Call
> Here is the new draft of the domain relationships proposal. I have incorporated all of the comments I've received and also tried to clarify some of the relationship questions.
> Changed sections are bolded so you can quickly scan what changed. Rigo, can you incorporate this draft into the working draft now (removing my bolding, of course)?
> Thanks. Sorry for the delay.
> ++Jack++
> -----Original Message-----
> From: Lorrie Cranor [mailto:lorrie@cs.cmu.edu]
> Sent: Sunday, February 29, 2004 11:00 PM
> To: 'public-p3p-spec'
> Subject: AGENDA: MONDAY 4 March P3P Spec Call
> The next P3P specification group conference call will be on Monday, March 1, 2004, 11 am - 12 pm US Eastern. Dial-in information is available at
> http://www.w3.org/P3P/Group/Specification/1.1/meetings.html
> 1. Agent and domain relationships
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=522
> (Jack please circulate new draft)
> 2. Primary purpose specification
> (Dave please circulate a draft)
> 3. Clarify what we mean by data linked to a cookie
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=172
> 4. Proposal to deprecate compact policies
> http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0026.html
> 5. P3P Generic attribute for XML applications
> http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0019.html
> 6. Set date/time for next call
Received on Tuesday, 9 March 2004 20:57:39 UTC
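
The two mechanisms discussed in this thread, sketched as an added example that is not part of the thread or of the domain relationship draft: an agent server choosing which `policyref` to return from a URL key or the Referer, and a user agent checking that the embedded host and the primary site's PRF agree. The host names, the `client` URL key and the list-of-patterns form of the known-hosts data are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: agent-side table mapping a client key (carried in
# the request URL) or a referring host to that client's policy reference file.
PRF_BY_CLIENT = {"shop": "http://www.shop.example/w3c/p3p.xml"}
CLIENT_BY_REFERRER_HOST = {"www.shop.example": "shop", "shop.example": "shop"}

# Constructed sample data: known hosts each PRF declares. The pattern shape
# (exact name or leading "*.") is an assumption, not the draft's syntax.
KNOWN_HOSTS_BY_PRF = {
    "http://www.shop.example/w3c/p3p.xml": ["*.shop.example", "stats.agent.example"],
}

def agent_p3p_header(request_url, referer=None):
    """Agent side: pick the PRF from a URL key, else from the Referer host."""
    client = parse_qs(urlsplit(request_url).query).get("client", [None])[0]
    if client not in PRF_BY_CLIENT and referer:
        host = (urlsplit(referer).hostname or "").lower()
        client = CLIENT_BY_REFERRER_HOST.get(host)
    prf = PRF_BY_CLIENT.get(client)
    return f'policyref="{prf}"' if prf else None  # no mapping: send no header

def host_matches(host, pattern):
    """Exact match, or suffix match on a label boundary for "*." patterns."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.shop.example" -> ".shop.example"
    return host == pattern

def ua_accepts_known_host(embedded_host, header_value, primary_prf):
    """User agent side: the host must claim the PRF and the PRF must list it."""
    m = re.search(r'policyref="([^"]+)"', header_value or "")
    if not m or m.group(1) != primary_prf:
        return False  # embedded host does not claim the primary site's PRF
    patterns = KNOWN_HOSTS_BY_PRF.get(primary_prf, [])
    return any(host_matches(embedded_host, p) for p in patterns)
```

A `False` result only means the relationship was not confirmed by both sides; what a user agent does with such a host is left to implementers, as the thread says.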
