RE: ISSUE-92: P3P and Internet filters

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Fri, 6 Jul 2007 06:38:21 -0400
To: "'Serge Egelman'" <egelman@cs.cmu.edu>, "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>
Cc: "'Web Security Context WG'" <public-wsc-wg@w3.org>, "'Dan Schutzer'" <dan.schutzer@fstc.org>
Message-ID: <007c01c7bfb9$c72627d0$6500a8c0@dschutzer>

I agree that if a site has a P3P statement, that isn't really security information, and Internet filtering is all about being able to set the web so that certain websites can be filtered out from appearing (e.g. pornographic sites). The ANEC report calls for a standardization of the means for identifying and filtering content.

In early implementations of P3P, if one set one's privacy preferences tightly and a website either didn't state their privacy statement in P3P or stated a privacy statement that was in conflict with the user's privacy preferences, the site would not be able to be accessed.

The connection as I understand it might lie in concepts such as Safe Web Browsing. There are a number of circumstances where the user might want to set up their web browser so that certain sites are blocked. They might want to block sites with offensive content, sites that do not practice a privacy policy consistent with what they want, and now sites that are not identifiable as well-known, often visited, trusted sites. There might be some desirability of handling this blocking/filtering in an analogous manner. If you agree with this interpretation and would like me to, I can add some words in the Safe Browsing write-up or anywhere else you might think appropriate in the document.

Dan

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Serge Egelman
Sent: Thursday, July 05, 2007 1:08 PM
To: Mary Ellen Zurko
Cc: Web Security Context WG
Subject: Re: ISSUE-92: P3P and Internet filters


I'm not entirely sure either; it would seem that this is out of scope.
If a site has P3P, that really isn't security context information.  A
phishing site can just as easily post a P3P policy (hey, if they're
already breaking laws, why worry about FTC sanctions?).  P3P is for
disclosing practices regarding personal information, it was never meant
for security.

serge

Mary Ellen Zurko wrote:
> 
> I don't understand this topic. Can you give some examples? Or does
> someone else understand this and what the issues are?
>
> *Web Security Context Issue Tracker <dean+cgi@w3.org>*
> Sent by: public-wsc-wg-request@w3.org
>
> 07/02/2007 07:53 AM
> Please respond to: Web Security Context WG <public-wsc-wg@w3.org>
>
> To: public-wsc-wg@w3.org
> cc:
> Subject: ISSUE-92: P3P and Internet filters
>
> ISSUE-92: P3P and Internet filters
> 
> http://www.w3.org/2006/WSC/Group/track/issues/92
> 
> Raised by: Bruno von Niman
> On product: Note: use cases etc.
> 
> The activity should strive for compatibility and consistency with the W3C P3P
> specifications and compatibility with currently used Internet filters, in order
> to satisfy basic consumer requirements on reliability, accessibility, usability
> and security.
> As a piece of useful input, we recommend ANEC’s study of Internet filters
> (ANEC-R&T-2006-ICT-002), downloadable from www.anec.org.

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Friday, 6 July 2007 10:38:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2008 03:52:48 GMT