Future work proposal P3P - area 10 (Appel)

Improvements to APPEL language (Item 10)
----------------------------------------

Purpose:
--------
-To enable default settings of P3P privacy preferences to be distributed
among user agents in order to satisfy legal requirements, particularly
within the EU
-To provide the possibility for more uniformity between user agents and
hence more business investment in P3P due to consistent user agent behavior.
-To produce a preference exchange language which would be acceptable and
easy to use for developers and which at the same time allows sufficient
expressiveness.
-To produce a language, which is not logically ambiguous - i.e. each
rule/preference will have the same behavior with all semantically equivalent
policies (this is not currently the case with APPEL).
-To produce a user interface/conceptual model for APPEL, which is
comfortable for non-expert users.

Scope:
------
The work involved in this item is as follows.
1. Develop a specification for an XPATH enabled version of the current
APPEL. This would enable developers to write arbitrary queries, which would
more easily express the kind of logic required for expressing sub-tree
matching rules. This essentially provides for rules which can match
arbitrary policy fragments. This satisfies legal requirements because legal
bodies will wish essentially to have arbitrary scope in creating APPEL
preference sets for distribution.
2. Consult with browser implementers who may eventually integrate the
preference exchange language, to make sure that the specification provides
what they require to be willing to commit to it.
3. With this in place, it will be possible to distribute preference sets
such as "EU default preferences", "US safe harbour default preferences" etc…
4. Provide a higher level ontology for the arbitrary matching capability
such that it is accessible to uninitiated users.

There are two possible routes for point 4:
1. Leave it to "market forces" to sort out standard sets of preferences. One
could imagine that some structured discussion among interested parties could
lead to a list of standard sets of preferences so that for example, High,
Low, Medium could be simply APPEL rulesets with a well defined interoperable
meaning.
2. Develop a higher level ontology which restricts user agent interfaces to
a more limited set of higher level concepts with a well defined mapping to
the concepts of P3P. This would then have the effect of standardizing the
way that preferences are presented and reducing confusion in end users.
Clearly the second alternative is preferable in the long run because in
conjunction with a proven conceptual mapping process such as that set out by
Hameed (University of Aberdeen), it offers a vocabulary which is adapted to
the end-user needs.

The two alternatives however are not incompatible and in fact the two routes
may be followed in sequence according to resources available. As the JRC
intends to lead an ontology project, the best possible route is probably in
the short term to develop satisfactory default rulesets for import. These
rulesets could then be simply tagged by name in IE/NS (for example instead
of high, low, medium it would show EU (high), EU (medium), US (high), trust-e
etc.). This would require no modification to the P3P specification but would
require the agreement of Browser developers, particularly Microsoft.
In the longer term, a higher level ontology could be incorporated into the
P3P specification, so that more detailed terms are grouped under higher
level headings, which then form the basis of a standardized end-user
preference scheme. This would need to be discussed with

Resources:
----------

The European Commission's JRC Cybersecurity team has already carried out
much of the work necessary to develop a new version of APPEL and resources
are available to complete this within the JRC. Resources are also available
within the JRC for the development of a higher level ontology which is part
of the proposals for the RAPID initiative.
Further resources required are commitments to discussion on standardization
of user agent interfaces by Microsoft, Netscape, Opera and other user agent
implementers.

Time Frame:
-----------
The development of an improved version of APPEL should be possible within 9
months to a year including the consensus process. As Internet Explorer is
the most important user agent, account should be taken of the time frames
for development of new versions of IE.
The development, agreement and integration of a higher level ontology is
possible within 2 years and is therefore a process which should be assigned
to the P3P 2.0 specification.


_____________________________________________
Giles Hogben
TP267
CyberSecurity Unit
Institute for the Protection and Security of the Citizen (IPSC)
European Commission - Euratom Centro Comune di Ricerca
Via Enrico Fermi 1
21020 Ispra,   Italy

Received on Friday, 13 December 2002 08:33:59 UTC
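
An added illustration of Scope item 1, not part of the original message and not JRC or W3C code: a named, distributable ruleset whose rules are XPath expressions matched against P3P policy fragments. The ruleset format, rule names, the `policy()` helper and the sample policies are assumptions constructed for this example; only the P3P element names and the APPEL behaviors (request, limited, block) come from the published specifications.

```python
import xml.etree.ElementTree as ET

NS = {"p3p": "http://www.w3.org/2002/01/P3Pv1"}

# Hypothetical "EU default" ruleset: (rule name, behavior, XPath).
# Rules are tried in order and the first one that matches decides.
EU_DEFAULT = [
    ("no-telemarketing", "block", ".//p3p:STATEMENT/p3p:PURPOSE/p3p:telemarketing"),
    ("no-unrelated-recipients", "block", ".//p3p:STATEMENT/p3p:RECIPIENT/p3p:unrelated"),
    ("no-indefinite-retention", "limited", ".//p3p:STATEMENT/p3p:RETENTION/p3p:indefinitely"),
    ("otherwise", "request", "."),  # catch-all: "." always selects the POLICY root
]

def policy(*statements):
    """Build a constructed sample policy from (purposes, recipient, retention) tuples."""
    body = "".join(
        f"<STATEMENT><PURPOSE>{''.join(f'<{p}/>' for p in purposes)}</PURPOSE>"
        f"<RECIPIENT><{recipient}/></RECIPIENT>"
        f"<RETENTION><{retention}/></RETENTION></STATEMENT>"
        for purposes, recipient, retention in statements)
    return f'<POLICY xmlns="{NS["p3p"]}">{body}</POLICY>'

def evaluate(policy_xml, ruleset):
    """Return (behavior, rule name) for the first rule whose XPath matches."""
    try:
        # Policies come from remote sites; a real user agent should parse
        # them with a hardened XML parser rather than the stdlib default.
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return ("block", "unparseable-policy")  # fail closed
    for name, behavior, xpath in ruleset:
        if root.findall(xpath, NS):
            return (behavior, name)
    return ("block", "no-rule-matched")  # fail closed if no catch-all rule

# Constructed samples: A and B state the same practices, but B splits them
# across two statements. The sub-tree match gives both the same decision.
POLICY_A = policy((["current", "telemarketing"], "ours", "stated-purpose"))
POLICY_B = policy((["current"], "ours", "stated-purpose"),
                  (["telemarketing"], "ours", "stated-purpose"))
POLICY_C = policy((["current"], "ours", "indefinitely"))
POLICY_D = policy((["current", "admin"], "ours", "stated-purpose"))

if __name__ == "__main__":
    for label, p in [("A", POLICY_A), ("B", POLICY_B), ("C", POLICY_C), ("D", POLICY_D)]:
        print(label, evaluate(p, EU_DEFAULT))
```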