W3C home > Mailing lists > Public > www-p3p-policy@w3.org > October 2000

Re: embedded include

From: Lorrie Cranor <lorrie@research.att.com>
Date: Tue, 3 Oct 2000 16:37:34 -0400
Message-ID: <01c601c02d79$ea79afb0$9816cf87@barbaloot>
To: "Fiona Walsh" <Fiona.Walsh@avenuea.com>
Cc: <www-p3p-policy@w3.org>
Assuming that Akamai can be considered an agent according to
the definition in section 3.3.4 of the spec, then your privacy policy
would be the most appropriate one to use (although it is
permissable to use the Akamai privacy policy as well if Akamai is
willing to do that). You could use the embedded include to
indicate that the content served from Akamai is covered under
your privacy policy. In addition, you should ask Akamai to create
a policy reference file that points to your
privacy policy.

Lorrie

----- Original Message -----
From: "Fiona Walsh" <Fiona.Walsh@avenuea.com>
To: "'Lorrie Cranor'" <lorrie@research.att.com>
Cc: <www-p3p-policy@w3.org>
Sent: Tuesday, October 03, 2000 3:11 PM
Subject: RE: embedded include


> Lorrie-
> Thanks for your response.
>
> One more question on redirects:
> Akamai acts as an agent for AVEA by serving content on our behalf.
>
> When AVEA serves content directly into a publisher's site, the user agent
> checks the AVEA privacy policy for that piece of content.
> Then the AVEA server sends a 304 redirect (to the Akamai server) to the
user
> agent, then Akamai serves the content to the user agent.
> What privacy policies apply to the content hosted by Akamai? AVEAs,
Akamais,
> none as the user agent has already checked the AVEA policy that applies to
> the content, and Akamai is covered by this as they are AVEA's agent.
>
> Thanks again
> Fiona
>
> -----Original Message-----
> From: Lorrie Cranor [mailto:lorrie@research.att.com]
> Sent: Monday, October 02, 2000 7:54 PM
> To: Fiona Walsh
> Cc: www-p3p-policy@w3.org
> Subject: Re: embedded include
>
>
> Correct. A P3P user agent should check for a policy
> every time it gets  a redirect.
>
> Lorrie
>
> ----- Original Message -----
> From: Fiona Walsh <Fiona.Walsh@avenuea.com>
> To: 'Lorrie Cranor' <lorrie@research.att.com>
> Cc: <www-p3p-policy@w3.org>
> Sent: Monday, October 02, 2000 9:28 PM
> Subject: RE: embedded include
>
>
> > Lorrie,
> > When we work with an ad network like DoubleClick, their server gets an
ad
> > request from a publisher, they redirect the request to our server and
then
> > we serve the advertiser's ad.
> > I imagined that the user agent would check the privacy policy for each
> > server that the request gets redirected to.
> > Is this correct?
> > Fiona
> >
> > -----Original Message-----
> > From: Lorrie Cranor [mailto:lorrie@research.att.com]
> > Sent: Monday, October 02, 2000 5:02 PM
> > To: Fiona Walsh; w3c-p3p-specification@w3.org
> > Cc: www-p3p-policy@w3.org
> > Subject: Re: embedded include
> >
> >
> > Note, I'm CCing this to www-p3p-policy, as the questions raised
> > here are the sorts of things we would like to have discussed on this
> > list.
> >
> > I don't know exactly how AvenueA works. If you have contracts
> > directly with content publishers to put embedded images
> > in their content to point to ads on your servers, then it would
> > be appropriate for you to ask those content publishers to post
> > a P3P policy reference file that uses embedded includes and
> > points to a privacy policy on the AvenueA web site. You
> > could also have your own policy reference file in addition to this
> > (which might be useful if not all your content publishers are
> > ready to use P3P just yet).
> >
> > If you are supplying ads to DoubleClick and they are the ones
> > who actually serve the ads and have the contracts with the
> > content publishers, then it would be up to DoubleClick to
> > take care of posting a policy reference file and/or asking content
> > publishers to use embedded includes. Depending on what your
> > arrangement is with DoubleClick, whose privacy policy would
> > be in effect here might vary. I could imagine scenarios where
> > the appropriate privacy policy is one belonging to AvenueA,
> > DoubleClick, or the content publisher.
> >
> > Lorrie
> >
> > ----- Original Message -----
> > From: Fiona Walsh <Fiona.Walsh@avenuea.com>
> > To: <w3c-p3p-specification@w3.org>
> > Sent: Monday, October 02, 2000 6:07 PM
> > Subject: Re: embedded include
> >
> >
> > > Thanks for your responses.
> > >
> > > I've aggregated all your input and here's the conclusion.
> > > Use embedded includes if;
> > > 1 you have a complex url layout, so it would be impractical to have
one
> > > valid PRF on the server itself,
> > > 2 the PRF file at a well know location is going to be too large or
have
> a
> > > high rate of change or
> > > 3 you want performance optimization by eliminating the round trip.
> > >
> > > A 3rd party ad server like AvenueA serves ads a) direct into a
> publishers
> > > site or b) into an ad network like DoubleClick.
> > > Question: should a 3rd party ad server like AvenueA use "embedded
> > includes"?
> > > Mark Nottingham, Akamai stated that "embedded includes" are not
intended
> > to
> > > address situations where there were multiple levels of embedding, like
> ad
> > > services.
> > > However in the P3P spec., scenario 7 in section 2.5 states that the
> > > publisher (Bigsearch) can use a embedded include to point to the ad
> > servers
> > > P3P policy.
> > > Thoughts?
> > >
> > > Cheers
> > >
> > >
> >
>
>
Received on Tuesday, 3 October 2000 16:42:28 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:01:07 UTC