[www-p3p-dev] <none>

Date: Fri, 28 Sep 2001 08:36:02 -0400 (EDT)
Message-ID: <030601c1481a$33e1f340$162abf8b@pcdsa22>
From: "Giles Hogben" <giles@ontv.com>
To: <www-p3p-dev@w3.org>
Subject: [Moderator Action] Hints mechanism


Hi,

Having just read over the paragraph in the latest (Sep) P3P spec about the new hints mechanism, I have 2 questions.

1. The following is confusing me:

  "Before using a hinted policy reference, the user agent MUST check the
  well-known location and give precedence to any policy references directly
  declared by the host, with the well-known location taking the highest
  precedence."

  What exactly does "directly declared" mean? It is not clear to me whether this includes the P3P HTTP header mechanism and link tag mechanisms or not. If it does, then I can't see what use the hints mechanism can be. If, however, it allows user agents to make use of policy reference files even if there turns out to be no PRF in the well-known location, then does this allow unknown 3rd parties to state the location of a policy reference file? If so, doesn't this allow for the possibility of malicious behavior - 3rd party sites referring to bogus policy reference files?

2. Am I right in saying that policy reference files (and policies) do not have to be located on the domain they are applied to? If this is the case, doesn't this, combined with the hints mechanism, allow people to put up completely bogus policies and PRF files?

Thanks

Giles Hogben
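
The precedence rule quoted in question 1, worked through as a small Python resolver. This is an added example for this archive page; it is not code from the message, from W3C, or from any P3P implementation. It assumes, as the question itself asks, that the P3P HTTP header and the HTML link tag count as references "directly declared by the host", and it adds one hardening step of its own that the quoted text does not state: a hint is honoured only if it is about the host being visited and resolves to a file on that same host, so a third-party site cannot steer a user agent to a bogus policy reference file hosted elsewhere. Fetches are replaced by a constructed in-memory table; the host names, URLs and PRF bodies are all made up for the example, and only the well-known path /w3c/p3p.xml comes from P3P itself.

```python
"""Toy P3P user agent: pick which policy reference file (PRF) governs a URL.

Added example only; it is not part of the original message nor a P3P
implementation.  Order applied, per the rule quoted in the message:

    1. the well-known location /w3c/p3p.xml on the request's host
    2. references the host declared itself (P3P header, <link> tag;
       treating these as "directly declared" is an assumption here)
    3. a hint from some other site, last, and only if it stays on-host
       (the on-host check is this example's own hardening)
"""
from urllib.parse import urljoin, urlsplit

WELL_KNOWN_PATH = "/w3c/p3p.xml"

# Constructed sample "web": absolute URL -> PRF body, or None for a 404.
SAMPLE_WEB = {
    "http://shop.example/w3c/p3p.xml": "<META>shop well-known</META>",
    "http://shop.example/other.xml": "<META>shop other</META>",
    "http://nohint.example/privacy/prf.xml": "<META>nohint header-declared</META>",
    "http://nohint.example/hinted.xml": "<META>nohint hinted</META>",
    "http://hinted.example/p3p/prf.xml": "<META>hinted via third party</META>",
    "http://attacker.example/fake-prf.xml": "<META>bogus</META>",
}


def fetch(url, web=SAMPLE_WEB):
    """Stand-in for an HTTP GET; returns the body or None if not found."""
    return web.get(url)


def host_of(url):
    """Lower-cased host part of an absolute URL."""
    return urlsplit(url).netloc.lower()


def resolve_prf(request_url, header_ref=None, link_ref=None, hints=(), web=SAMPLE_WEB):
    """Return (source, prf_url) for the PRF to use, or (None, None).

    header_ref / link_ref: relative or absolute references the host itself
    sent (the policyref of the P3P header, the href of <link rel="P3Pv1">).
    hints: iterable of (scope, path) pairs gathered from OTHER sites'
    policy reference files, meaning "scope's PRF is at scope + path".
    """
    parts = urlsplit(request_url)
    origin = "{}://{}".format(parts.scheme, parts.netloc)
    host = host_of(request_url)

    # 1. MUST check the well-known location first; if present it wins outright.
    well_known = origin + WELL_KNOWN_PATH
    if fetch(well_known, web) is not None:
        return ("well-known", well_known)

    # 2. The host's own declarations beat any hint.  The host chose the
    #    location itself, so an off-host reference is accepted at this step.
    for source, ref in (("p3p-header", header_ref), ("link-tag", link_ref)):
        if ref:
            prf_url = urljoin(request_url, ref)
            if fetch(prf_url, web) is not None:
                return (source, prf_url)

    # 3. Hints: only hints about this host, only resolving to this host,
    #    only as a last resort.  A third party hinting an off-host PRF is ignored.
    for scope, path in hints:
        if host_of(scope) != host:
            continue                      # hint is about some other host
        prf_url = urljoin(scope, path)
        if host_of(prf_url) != host:
            continue                      # hint tries to point the PRF off-host
        if fetch(prf_url, web) is not None:
            return ("hint", prf_url)

    return (None, None)


if __name__ == "__main__":
    print(resolve_prf("http://shop.example/cart",
                      hints=[("http://shop.example", "/other.xml")]))
    print(resolve_prf("http://victim.example/",
                      hints=[("http://victim.example", "http://attacker.example/fake-prf.xml")]))
```

With this ordering a hint can never displace anything the visited host says about itself, which is the situation question 1 asks about; the extra on-host check in step 3 is what stops the scenario in question 2, where a third party's PRF hints that victim.example's policy lives on attacker.example.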




Received on Friday, 28 September 2001 11:05:47 UTC