W3C home > Mailing lists > Public > www-p3p-policy@w3.org > November 2006

Re: User side policy & handling of credentials

From: Lorrie Cranor <lorrie+@cs.cmu.edu>
Date: Tue, 31 Oct 2006 20:21:10 -0500
Message-Id: <58F7EE50-E9A3-4988-9D48-8B3B91BDD7F9@cs.cmu.edu>
Cc: www-p3p-policy@w3.org
To: almhe@ida.liu.se

Web sites can advertise their certifications using a disputes  
element. You can create an APPEL file that looks for sites with  
particular certifications.

Payment info is not party of the P3P base data schema. The idea all  
along was that anyone could create a data schema to meet their needs.  
We were hoping the credit card industry would create one with the  
fields that make sense for credit card info, but that never happened.  
In the mean time, most sites are expressing their policies in terms  
of categories of information rather than explicit data fields.

Lorrie

--
Lorrie Faith Cranor <http://lorrie.cranor.org/>
* Associate Research Professor, Computer Science and Engineering &  
Public Policy
   Carnegie Mellon University
* P3P Specification Working Group Chair <http://www.w3.org/p3p/>
* Book: Web Privacy with P3P <http://p3pbook.com/>


On Oct 31, 2006, at 11:39 AM, Almut Herzog wrote:

>
> Hi,
>
> I wonder if it is possible/sensible to express the following  
> policies in
> P3P/APPEL:
>
> User Alice will only submit her credit card information to sites that
> have the XYZ credential.
>
> User Alice only does business with web sites that are ABC-certified (=
> have the ABC credential).
>
> If someone could create these rules, e.g. using the JRC editor, I  
> would
> be most grateful. If it is not sensible to have such rules, please  
> give
> me a comment.
>
> And a general question: Why is payment information such as credit card
> number, expiry date, bearer name etc. not part of the P3P user data
> structures?
>
> Cheers,
> /Almut
>
>
>
Received on Wednesday, 1 November 2006 01:21:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 17 January 2012 12:13:11 GMT