RFC2109 addition...

The Comment attribute shows incredible forward thinking.  Kudos to
whoever came up with that.  I would like to propose, however, an
addition.

I would like to have a CommentURL which contains the path to comments
regarding the privacy policies of the site that deal with the cookie.
I would like this URL to be relative to the URL that issued the cookie,
unless otherwise specified (as being server relative or fully qualified).

My reason for this addition is pretty straightforward.
I expect the comment fields could get rather large.  I can tell you
from experience that the typical comment is going to look more like
a paragraph than just a few words, and many CGIs (and servers) are not
intelligent enough to only issue cookie requests once (even if they
receive a cookie in the request, they often issue a new one that expires
3 seconds later on some date in 2012).  Each time the cookie gets
reissued, the comment would be sent over the network.  A URL is much shorter.  
The use of traditional caching methods on the document saves having to send
the comment every time.  Additionally, I think companies will be more likely
to fully explain their privacy policies if they have a page to explain
them on, rather than just a comment field.  This will encourage a method
of informed consent.  Third parties could be the target of these URLs,
providing additional value in verifying or auditing privacy statements 
made by the issuer of the cookie.

I DO NOT, however, think it would be wise to replace the comment field
altogether with just a URL.  I think both methods will have value, and
that it's likely that the comment attribute will be implemented sooner 
than the URL method, which would likely show up in a dialog saying something
like "Click to review the usage policies for this cookie".

It should also be clear that requests for the CommentURL should not result
in a cookie being issued.  If a cookie is issued at the comment URL, it
should be denied to avoid any potential loops.

Here's a first crack at the text as I feel it should be included in the
RFC:

--
CommentURL=commenturl
Optional.  The CommentURL allows an origin server to specify a document
that explains the usage of this cookie, and could optionally also explain
the policies governing the use of information collected through this cookie.
A user-agent can offer the user the option of inspecting this page before
accepting a cookie.  Any cookies issued while attempting to retrieve the
document at commenturl should be refused.

--
I'd appreciate any comments or improvements.

Thanks,

Jonathan Stark
eTRUST Technical Director

Received on Monday, 24 March 1997 16:24:32 UTC
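The following is an added illustration of the two mechanics the message proposes, not code from the original post or from any RFC: resolving a CommentURL relative to the URL that issued the cookie (relative by default, server-relative with a leading "/", or fully qualified), and refusing any cookie that is set while the user agent is retrieving a CommentURL so the policy page cannot start a loop. The attribute name CommentURL is taken from the proposal; the parser, the jar class, the hostnames and the header values are constructed for the example, and the "policy page sets its own cookie" behaviour is a hypothetical server used to exercise the refusal rule.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urljoin


@dataclass
class ParsedCookie:
    name: str
    value: str
    comment: Optional[str]
    comment_url: Optional[str]          # absolute URL, resolved against the issuing URL
    attributes: Dict[str, str] = field(default_factory=dict)


def split_attributes(header: str) -> List[str]:
    """Split a Set-Cookie header on ';' but not inside double-quoted values,
    since RFC 2109 allows quoted-string attribute values (e.g. a Comment
    that itself contains a semicolon)."""
    parts, buf, in_quotes = [], [], False
    for ch in header:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_set_cookie(header: str, issuing_url: str) -> ParsedCookie:
    """Parse NAME=VALUE plus attributes; resolve CommentURL against the URL
    that issued the cookie (the resolution rule proposed in the message)."""
    parts = split_attributes(header)
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        val = val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]                      # strip RFC 2109 quoted-string quotes
        attrs[key.strip().lower()] = val
    comment_url = attrs.get("commenturl")
    if comment_url is not None:
        comment_url = urljoin(issuing_url, comment_url)
    return ParsedCookie(name.strip(), value.strip(), attrs.get("comment"), comment_url, attrs)


class CommentURLAwareJar:
    """Cookie store that refuses any cookie set while the user agent is
    retrieving a cookie's CommentURL, so the policy page cannot set cookies
    of its own and create the loop the proposal warns about."""

    def __init__(self) -> None:
        self.cookies: Dict[str, ParsedCookie] = {}
        self.fetching_comment_urls: Set[str] = set()
        self.refused: List[str] = []

    def receive(self, header: str, request_url: str) -> Optional[ParsedCookie]:
        cookie = parse_set_cookie(header, request_url)
        if request_url in self.fetching_comment_urls:
            self.refused.append(cookie.name)     # set while fetching a CommentURL: refuse
            return None
        self.cookies[cookie.name] = cookie
        return cookie

    def inspect_comment_url(self, cookie: ParsedCookie,
                            fetch: Callable[[str, "CommentURLAwareJar"], str]) -> str:
        """Retrieve the policy document; while the request is in flight,
        Set-Cookie headers arriving for that URL are refused."""
        if cookie.comment_url is None:
            raise ValueError("cookie has no CommentURL")
        self.fetching_comment_urls.add(cookie.comment_url)
        try:
            return fetch(cookie.comment_url, self)
        finally:
            self.fetching_comment_urls.discard(cookie.comment_url)


def demo() -> dict:
    """Constructed scenario: a login response sets a cookie with a relative
    CommentURL; the (hypothetical) privacy page tries to set a cookie of its
    own, which the jar refuses."""
    issuing_url = "https://www.example.com/app/login"          # constructed
    header = ('sid=abc123; Version=1; Comment="Session id; see policy page"; '
              'CommentURL="privacy/cookies.html"; Max-Age=3600')  # constructed
    jar = CommentURLAwareJar()
    cookie = jar.receive(header, issuing_url)

    def fake_fetch(url: str, jar: CommentURLAwareJar) -> str:
        # Hypothetical server: the policy page itself carries a Set-Cookie.
        jar.receive("loop=1; Version=1; Max-Age=60", url)
        return "<html>Cookie usage policy</html>"

    page = jar.inspect_comment_url(cookie, fake_fetch)
    return {"cookie": cookie, "page": page,
            "stored": sorted(jar.cookies), "refused": jar.refused}


if __name__ == "__main__":
    result = demo()
    print(result["cookie"].comment_url, result["stored"], result["refused"])
```

Running the block resolves `privacy/cookies.html` against the issuing URL to `https://www.example.com/app/privacy/cookies.html`, stores only the `sid` cookie, and records the `loop` cookie as refused because it arrived during the CommentURL fetch. A real user agent would apply the same refusal on redirects reached from the CommentURL as well, since the proposal says only that cookies issued while retrieving the document should be refused.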