W3C home > Mailing lists > Public > public-p3p-spec@w3.org > March 2004

Re: proposal to add grouping mechanism to CP

From: Lorrie Cranor <lorrie@cs.cmu.edu>
Date: Tue, 30 Mar 2004 12:21:08 -0500
Message-Id: <A24ADF42-826E-11D8-8624-000A95DA3F5A@cs.cmu.edu>
Cc: public-p3p-spec@w3.org
To: Rigo Wenning <rigo@w3.org>


On Mar 30, 2004, at 11:11 AM, Rigo Wenning wrote:

> Nice draft!
>
> Am Wednesday 24 March 2004 21:23 verlautbarte Lorrie Cranor :
>> I propose changing it to say:
>>
>
>> policy. However, a site MUST make compact policy statements in good
>> faith. User agents that are unable to obtain enough information from
>
> This sentence is ambiguous as it can read:
> 1/ a site MUST make compact policy statements
> 2/ if a site makes compact statements, it has to do so
> in good faith.
>

OK, how about:

However, if a site makes compact policy statements, it MUST make these 
statements in good faith.

>>
>> User agents that use compact policies as part of their decision making
>> MUST include a mechanism that allows users to determine that a
>> particular decision was made based on a compact policy and to view
>> that compact policy. However, user agents that provide general
>> information about a site's P3P policies to users MUST use the full P3P
>> policy and MUST NOT use the compact policy for this purpose.
>
> The first requirement sounds really strange. It is raw access to
> the tokens as arrived at the user agent. This is normally done
> by experts using telnet or perl tools. But I think this was the 
> consensus
> we had. We should be clear that it is really only raw access.

I don't so much care about whether a user agent gives me an ascii 
string or whether it formats it in a pretty way, as long as all the 
information is there. I think the current wording captures that. In 
what way do you think it might be misinterpreted?

>
>>
>> I propose adding a section 4.2.10 Compact STATEMENT
>>
>
>>
>> Section 4.5, fourth paragraph, change MUST to MAY (as in "All of the
>> purposes, recipients, and categories that appear in multiple
>> statements in a full policy MAY be aggregated in a compact policy...."
>
> Why transform? The whole paragraph does not make too much sense
> anymore.

For backwards compatibility, the aggregation is still legal. We could 
change this paragraph to say:

The P3P 1.0 specification required that all purposes, recipients, and 
categories that appear in multiple statements in a full policy be 
aggregated in a compact policy, as described in section 3.3.1. With the 
addition of the compact STATEMENT element in P3P 1.1, this is no longer 
necessary, although it is still permitted. When performing the 
aggregation, a Web site MUST disclose all relevant tokens (for 
instance, observe Example 4.1, where multiple retention policies are 
specified.)

>
> Another thing is, does P3P 1.1 use mandatory extensions? In this case,
> the third paragraph is an issue too:
> Full policies that include mandatory extensions MUST NOT be represented
> as compact policies.

I believe we only include optional extensions in P3P 1.1. If we used 
mandatory extensions it would introduce backwards compatibility 
problems.

>
>>
>> Section 4.6 Transforming a Compact Policy to a P3P Policy should be
>> dropped.
>>
>>
> In the same direction, 4.7 could be integrated somewhere instead of 
> having
> an own point. I also wonder why we said SHOULD NOT while the above
> indicates that by inference it is supposed to read MUST NOT.

4.7 is entirely repeated as the first paragraph of section 6.4, so I 
think we could drop 4.7.

(Rigo, here is one typo in 6.4 - a ] that should be removed.)

At the time we wrote this we agreed to SHOULD NOT. However, I think 
MUST NOT may be appropriate given our other changes. So I would propose 
that the first paragraph of 6.4 say:

P3P user agents MUST NOT rely on P3P compact policies that do not 
comply with the P3P 1.0 or P3P 1.1 specifications or are obviously 
erroneous. Such compact policies SHOULD be deemed invalid and the 
corresponding cookies should be treated as if they had no compact 
policies. The following guidelines are designed to reduce the chance 
that a P3P user agent will accept an invalid compact policy.
Received on Tuesday, 30 March 2004 12:23:05 EST

This archive was generated by hypermail pre-2.1.9 : Tuesday, 30 March 2004 12:23:07 EST