
RE: comments on latest domain relationship proposal?

From: Dobbs, Brooks <bdobbs@doubleclick.net>
Date: Wed, 10 Mar 2004 13:45:28 -0500
Message-ID: <D464F551A951ED4E804B9713B519E6C902941F44@NYC-EX101.doubleclick.net>
To: "'Lorrie Cranor'" <lorrie@cs.cmu.edu>, "Humphrey, Jack" <JHumphrey@coremetrics.com>
Cc: "'public-p3p-spec'" <public-p3p-spec@w3.org>, "Dobbs, Brooks" <bdobbs@doubleclick.net>

Sorry I missed the call; Delta had me several hours late getting into NY.

Let me just throw in a practical case in point.  Let's look at any example
web site that is advertising driven.  Here are some examples of issues:

While the site may know that they have a "known-hosts" relationship with
their direct Ad Service Provider and can *possibly* coordinate a known hosts
arrangement - they have no possible way of knowing where every ad that comes
to their site is served from (or potentially cookie).  Why?  Because
advertisers will often host their own creative.  Practically speaking, since
large sites get their ads through agencies they are not fully in control of
what is played on their site - making it impossible for them to coordinate a
known hosts file.  Still this makes this no less an "agents of" relationship.

From the advertiser's perspective you have the same problem.  They go to an
agency and say, "give me a million impressions on men's health sites" - they
cannot know who to publish as reciprocal known-hosts where they may appear.


Even for the ad server company, who, as Jack points out, *could*
possibly be in a position to know - practically speaking it is impossible.
DC ads, for example, appear on millions upon millions of hosts.  For this to
work we would need to not only do the lookup for the dynamic P3P: policyref=
based upon a mapping of referrer (not possible in pops) or URL (not possible
as there is no client hierarchy to the tag) but also publish millions of
known hosts in our own PRF.

The situation is very similar for all sites that accept any dynamic 3rd
party content.

I do see this working for 3rd parties that have a very defined and discrete
relationship with a limited number of sites, but as a generic agent
relationship, I think it will fail to be implementable in more cases than
not.  Again - just an opinion.

-Brooks




-----Original Message-----
From: Lorrie Cranor [mailto:lorrie@cs.cmu.edu]
Sent: Tuesday, March 09, 2004 8:58 PM
To: Humphrey, Jack
Cc: 'public-p3p-spec'; 'Dobbs, Brooks'
Subject: Re: comments on latest domain relationship proposal?

Yes, time grows short. We need to decide whether to take this proposal
more or less as is, make some specific changes to it, or forget it.

I did have a conversation with Jeremy about this last week. While he
could not make any guarantees, he did not see any problems with
implementing this proposal. He was not entirely sure how the user agent
would make use of the known-host information, but said there was
probably something useful they could do with it if they had it. The
next version of the browser may not need to rely as heavily on CPs, so
putting the info in the PRF is ok. I can discuss this more on the call.

Lorrie


On Mar 9, 2004, at 5:19 PM, Humphrey, Jack wrote:

>
> Brooks,
>
> Thanks for your comments. I'm going to paraphrase (and quote) them and
> try to respond.
>
> - We are over-reaching by attempting to represent both agent and
> same-entity relationships.
>
> What we are proposing is an optional way for sites to specify which
> other hosts/domains are known to use their policy reference file. The
> P3P 1.0 line was that sharing a policy reference file was the proper way
> to represent cross-host policies. However, that approach is open to
> abuse, hence the known-hosts mechanism. This mechanism allows user
> agents to validate that both sites agree on the use of a policy.
>
> You may remember that a previous proposal attempted to express only
> same-entity relationships, and it was actually less simple than the
> current proposal, in that it had to introduce the concept of
> "same-entity" -- as an attribute on the KNOWN-HOST element.
>
> The latest proposal makes no attempt to define new concepts around
> same-entity and agent. It simply falls back on the definitions in P3P
> 1.0. Agents were included in the "ours" definition, so it happens to
> apply to agents as well as same entities.
>
> - How should user agents handle the situation in which a site refers
> to the PRF but is not in the known hosts listing?
>
> This decision is entirely up to the user agent implementers. We have no
> choice but to make known-hosts optional in 1.1 -- that can be
> reconsidered for 2.0. A user agent might decide not to restrict the
> cookies of a host in a different domain if it appears in the known-hosts
> list for the primary domain. Any restrictions they would apply otherwise
> can remain in effect... the problem of known-hosts not being there is an
> existing problem!
>
> - "It may be extremely difficult for 3rd parties acting as agents to
> contextually know where they are to appear and dynamically generate
> headers accordingly."
>
> As an implementer of such systems, I disagree. Any sort of dynamic
> server system can look at a key in the incoming URL, or the HTTP
> referrer, and from that look up or imply the PRF location that should be
> returned in the P3P HTTP header. There are many ways to skin this cat,
> and if agent sites can't or don't want to implement it and reap the
> potential benefits... well, it's optional.
>
> - "It may be extremely difficult to maintain an active known hosts (in
> an agents context) listing."
>
> That may be true for some sites (particularly with ad servers), but
> certainly not all. I would argue that, generally speaking, if a site
> can't keep track of its embedded hosts, then they probably aren't known
> hosts.
>
> - User agent implementers are happy with the way they identify
> third-parties now.
>
> There is some evidence to the contrary, but you have a point:
> ultimately the success of this mechanism will depend on adoption by the
> UA folks. I would really like to get feedback from them, but until we
> do, we can hope that this will offer an option.
>
> In particular, I'm anxious about the fact that there is no compact
> policy-based way to represent known-hosts. Technically the
> possibilities there are a can of worms, though, so I believe it would be
> better for UAs to use the PRFs to identify known hosts.
>
>
> Again, thanks for your comments, Brooks. As always, I am open to
> counter-proposals or suggestions on how to improve the proposal. (Time
> grows short, though.)
>
> ++Jack++
>
> -----Original Message-----
> From: Dobbs, Brooks [mailto:bdobbs@doubleclick.net]
> Sent: Monday, March 08, 2004 5:31 PM
> To: 'Humphrey, Jack'; 'public-p3p-spec'
> Subject: RE: comments on latest domain relationship proposal?
>
>
> I think there is really good thinking here but I think we are
> overloading this to our potential detriment.  I think the problem we
> would REALLY like the UA folks to resolve is that there should be a
> simple way for site.com, site.net, site.uk, and site-inc.com to say they
> are truly the same entity (a=b=c=d).  I think that this is clarification
> that UAs may actually adopt (largely because it is within consumer
> expectation).
>
> However, as nice as it may be to express agent relationships, it is a
> can of worms.  Assume you succeed...  One question it will beg is - what
> if you are NOT listed as an agent but you appear within the site!  If
> you appear on a 1st party site and aren't declaring an agent
> relationship or seen in the known hosts of the parent site - what the
> heck are you doing there?  Does the site not control its own content?
> We may know that it is because this is optional, but it is a lot of
> reliance to be entrusted to an optional element, particularly when it
> may be extremely difficult for 3rd parties acting as agents to
> contextually know where they are to appear and dynamically generate
> headers accordingly.  It almost forces the use of policy ref in the P3P
> header.  Equally, while sites like to talk about controlling data
> collected through the site, it may be extremely difficult to maintain an
> active known hosts (in an agents context) listing.
>
> Even if you get past this, there is still the uphill battle of consumer
> expectation.  IMHO large UA makers enjoy (probably based on consumer
> feedback) differentiating parties the way they are presently doing.
> They went out of their way to treat 1st and 3rd party cookies
> differently even though the spec makes no such distinction.
>
> Just thoughts...
>
> -Brooks
>
>
> -----Original Message-----
> From: public-p3p-spec-request@w3.org
> [mailto:public-p3p-spec-request@w3.org]
> On Behalf Of Humphrey, Jack
> Sent: Monday, March 08, 2004 5:30 PM
> To: 'public-p3p-spec'
> Subject: comments on latest domain relationship proposal?
>
>
> Haven't seen any comments on the latest domain relationship proposal:
> http://www.w3.org/P3P/2004/03-domain-relationships.html
>
> Please see the copy I sent to the list previously if you want to see
> the bolded sections that changed from the previous version of the draft.
>
> Would love to get this wrapped up soon, please get your comments in
> before Wednesday if possible.
>
> Thanks.
>
> ++Jack++
>
> -----Original Message-----
> From: Humphrey, Jack [mailto:JHumphrey@coremetrics.com]
> Sent: Monday, March 01, 2004 9:00 AM
> To: 'public-p3p-spec'
> Subject: RE: AGENDA: MONDAY 4 March P3P Spec Call
>
>
> Here is the new draft of the domain relationships proposal. I have
> incorporated all of the comments I've received and also tried to
> clarify some of the relationship questions.
>
> Changed sections are bolded so you can quickly scan what changed.
> Rigo, can you incorporate this draft into the working draft now
> (removing my bolding, of course)?
>
> Thanks. Sorry for the delay.
>
> ++Jack++
>
> -----Original Message-----
> From: Lorrie Cranor [mailto:lorrie@cs.cmu.edu]
> Sent: Sunday, February 29, 2004 11:00 PM
> To: 'public-p3p-spec'
> Subject: AGENDA: MONDAY 4 March P3P Spec Call
>
>
>
> The next P3P specification group conference call will be on
> Monday, March 1, 2004, 11 am - 12 pm US Eastern. Dial-in
> information is available at
> http://www.w3.org/P3P/Group/Specification/1.1/meetings.html
>
> NOTE THIS IS MONDAY, NOT WEDNESDAY!
>
> AGENDA
>
> 1. Agent and domain relationships
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=522
> (Jack please circulate new draft)
>
> 2. Primary purpose specification
> (Dave please circulate a draft)
>
> 3. Clarify what we mean by data linked to a cookie
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=172
>
> 4. Proposal to deprecate compact policies
> http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0026.html
>
> 5. P3P Generic attribute for XML applications
> http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0019.html
>
> 6. Set date/time for next call
>
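Added illustration, not code from the thread or from any participant's system, of the dynamic-policyref approach Jack describes and the pop-up case Brooks raises: an agent (third-party) host picks the PRF to announce from a key in the request URL or from the Referer, and falls back to its own generic PRF when neither signal is present. The publisher hosts, PRF URLs and mapping table are constructed for the example.

```python
"""Select the P3P policyref an agent host returns for a given request.

Constructed example: ad server "ads.example" serves creative for several
publishers and must emit a P3P header whose policyref points at the PRF
agreed with that publisher.  Context comes from a URL key or the Referer;
a pop-up or direct request has neither, so a generic PRF is served.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed mapping: publisher host -> PRF the agent serves for that
# publisher.  Under the proposal, that PRF is where both sides would list
# each other as known hosts.
PUBLISHER_PRF = {
    "news.example": "http://ads.example/w3c/news-example-p3p.xml",
    "health.example": "http://ads.example/w3c/health-example-p3p.xml",
}
DEFAULT_PRF = "http://ads.example/w3c/p3p.xml"


def select_policyref(request_url, referer=None):
    """Return (prf_url, source); source records which signal decided."""
    qs = parse_qs(urlsplit(request_url).query)
    site_key = qs.get("site", [None])[0]
    if site_key in PUBLISHER_PRF:
        return PUBLISHER_PRF[site_key], "url-key"
    if referer:
        ref_host = urlsplit(referer).hostname
        if ref_host:
            # Accept the registered publisher host or any subdomain of it.
            for pub, prf in PUBLISHER_PRF.items():
                if ref_host == pub or ref_host.endswith("." + pub):
                    return prf, "referer"
    # Pop-up or direct request: no publisher context is available.
    return DEFAULT_PRF, "default"


def p3p_header(request_url, referer=None, compact_policy=None):
    """Build the P3P response header value: policyref plus optional CP."""
    prf, _ = select_policyref(request_url, referer)
    value = 'policyref="%s"' % prf
    if compact_policy:
        value += ', CP="%s"' % compact_policy
    return value


if __name__ == "__main__":
    print(p3p_header("http://ads.example/ad?site=news.example"))
    print(p3p_header("http://ads.example/ad", referer="http://www.health.example/a"))
    print(p3p_header("http://ads.example/ad"))  # pop-up: generic PRF
```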
Received on Wednesday, 10 March 2004 13:45:34 EST
