
Re: User side policy & handling of credentials

From: Lorrie Cranor <lorrie+@cs.cmu.edu>
Date: Thu, 2 Nov 2006 07:04:23 -0500
Message-Id: <2C9C90DF-B73B-4D69-B778-F9323D6F7A57@cs.cmu.edu>
Cc: www-p3p-policy@w3.org
To: almhe@ida.liu.se

Right, I think that would work.

Lorrie


On Nov 2, 2006, at 4:11 AM, Almut Herzog wrote:

>
> Lorrie Cranor wrote:
>
>>> Web sites can advertise their certifications using a disputes element.
>>> You can create an APPEL file that looks for sites with particular
>>> certifications.
>
>
> So the web site states that they are BBB-certified in their policy:
>
>>>>> From the P3P book, p.89:
> ...
> <DISPUTES resolution-type="independent"
>   service="http://www.bbbonline.org" short-description="BBBOnline">
>   ...
> </DISPUTES>
> ...
>
> And user Alice would have the following rule in her privacy policy,
> allowing her to request content from web sites that are BBB-certified:
>
> <appel:RULE behavior="request" description="Site is BBB-certified.">
>   <p3p:POLICY>
>     <p3p:STATEMENT>
>       <p3p:DISPUTES appel:connective="and">
>         <p3p:resolution-type="independent">
>         <p3p:service="http://www.bbbonline.org">
>       </p3p:DISPUTES>
>     </p3p:STATEMENT>
>   </p3p:POLICY>
> </appel:RULE>
>
> Is that correct?
>
>
>>> Payment info is not part of the P3P base data schema. The idea all
>>> along was that anyone could create a data schema to meet their needs.
>>> We were hoping the credit card industry would create one with the
>>> fields that make sense for credit card info, but that never happened.
>>> In the meantime, most sites are expressing their policies in terms of
>>> categories of information rather than explicit data fields.
>
>
> Thanks for the explanation.
>
> /Almut
>
>
>
Received on Thursday, 2 November 2006 12:05:12 GMT
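
The check that the rule discussed in this thread describes, as an added Python example that is not part of the original messages: it looks in a site's P3P policy for a DISPUTES element carrying both attribute values and returns the APPEL behavior. The sample policy, the function names, the "block" fallback and the DOCTYPE rejection are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"  # P3P 1.0 namespace

# Constructed sample policy (not taken from a real site).
SAMPLE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1"
    name="sample" discuri="http://www.example.com/privacy.html">
  <DISPUTES-GROUP>
    <DISPUTES resolution-type="independent"
      service="http://www.bbbonline.org" short-description="BBBOnline"/>
  </DISPUTES-GROUP>
</POLICY>"""

# Attribute values the user's rule requires (connective "and": all must match).
REQUIRED = {
    "resolution-type": "independent",
    "service": "http://www.bbbonline.org",
}


def matching_disputes(policy_xml, required=REQUIRED):
    """Return the DISPUTES elements whose attributes equal every required value."""
    root = ET.fromstring(policy_xml)
    return [
        el
        for el in root.iter(f"{{{P3P_NS}}}DISPUTES")
        if all(el.get(name) == value for name, value in required.items())
    ]


def evaluate(policy_xml, required=REQUIRED, default="block"):
    """Return "request" when the policy matches, otherwise the fallback behavior.

    The policy is input fetched from the remote site, so anything that does
    not parse, or that carries a DOCTYPE (entity expansion), gets the fallback.
    """
    if "<!DOCTYPE" in policy_xml.upper():
        return default
    try:
        return "request" if matching_disputes(policy_xml, required) else default
    except ET.ParseError:
        return default


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY))
```

A match only shows that the policy declares this DISPUTES entry; the element is the site's own statement, and nothing here verifies the certification with the named service. The comparison is an exact string match, so a policy that writes the service URI differently does not match.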
