Re: FW: Proposed amendment to RFC2109 from Jonathan Stark on 1997-04-04 (ietf-http-wg@w3.org from April to June 1997)

From: Jonathan Stark <stark@commerce.net>
Date: Fri, 4 Apr 1997 12:59:41 -0800 (PST)
To: Ted Hardie <hardie@thornhill.arc.nasa.gov>
Cc: DJaye@engagetech.com, http-wg@cuckoo.hpl.hp.com, ahyde@focalink.com, rodger@worldnet.atg.net
Message-Id: <199704042059.MAA13907@boa.commerce.net>
Quoting Ted Hardie:

> My concern is that this proposal seems to address
> a question not basic to the concerns about the restrictions
> on domain.  In short, it seems to heighten the ability of a server
> sending a cookie to verify its identity, without doing a
> whole lot to explicate the relationship between the cookie
> issuer and content provider.  I can see ways in which this

I believe the idea is not only to authenticate the server, but also
to certify a particular level of trust, and category of business
practice in a way that, browser folks willing, will allows the user to 
set preferences that use guidelines from CA's to determine if cookies should be
accepted or not.  Authenticating the server is really just one small
part that guarantees that the credentials (the level of trust and catagory of
data handling practice) are not stolen, or misused.

As I understand it, the real problem with allowing cookies
from EVERYWHERE is that it allows the collection of data about individuals
without their knowledge or consent, and once collected, the user
has no idea what it's going to be used for, or by whom it will be used.
The proposal provides a mechanism of informing users of business and
data relationships other than just the ones dictated by a particular domain,
and a mechanism that allows them to weigh the benefits and hazards of 
accepting cookies from entities.

> Your base design seems to assume that Certifying
> Authorities will emerge which will certify not just
> an organization's identity but its adherence to an
> established set of guidelines on the use of the data
> which it receives.  This seems to combine the x509

Indeed they are.  eTRUST is such a company (www.etrust.org), and there
will undoubtedly be others.  eTRUST will be using a combination of 
auditing by professional auditors like KPMG, and signed legal affidavits
to track and qualify companies policies for handling data collected
through their site, both through cookies and other means.
 
> If, for example, we imagine that cookie issuers make the
> content-provider the cookie-issuer's certifying authority
> for a particular cookie, then allowing cookies when the

This is an interesting approach,  but it doesn't really scale very
well.  If you have everyone acting as a CA, there is no trust
in the CA process.  Ideally you want to have a few CA's that can
be established as credible agents, otherwise there's no meaning
in "bob's CA and gas station" guaranteeing you that "evildoer.com"
is issuing cookies that will only be used to track clickthrough's.

> To rephrase this, I don't think users have a problem
> believing that "tripleclick" is who it says it is when
> they receive a cookie from "tripleclick.net".
> I think what they need to see is how tripleclick relates
> to the current and other content providers.   Using

You're absolutely right.  But if tripleclick has signed a legal
document and gone through an auditing process by a third party
attesting that the only thing they are doing with their cookies
is making sure that each visitor only sees the same add 3 times,
and the third party CA says ok, you're in a "class 1" catagory,
which means that you don't collect any personally identifiable
information, you only deal with aggregate information, and 
therefore people's privacy is pretty well protected if they
accept tripleclick's cookies, then there should be no reason  not to
allow cookies from tripleclick if the user chooses to accept
"class 1" certified cookies.

Conversely, tripleclick may actually collect names and phone numbers
and sell that information as targeted mailing lists based upon
user's preferences on the adds they sent, or they may work with
"Company B" to compare logs with Copmany B and link the preferences 
that tripleclick collected with user names that Company B collects.  In
that case, the third party CA may issue them a "class 3" certificate
that says that tripleclick actively trades personally identifiable
information with other groups.  Under certain circumstances, the
user may want to accept class 3 certificates for the added value
of getting more information about things they are interested in.  In 
most cases, however, they are likely to not want to accept these cookies.
The point is that the user should have the choice of accepting the 
cookies and the information policies that they want.  Informed consent
prior to divulging information is much better than arbitrarily limiting
the use of cookies by domains.  The use of cookies and the whole 
issue of trust and privacy change from company to company, situation 
to situation, and the user should be able to make informed decisions
about what they want to do in any particular set of situations.

Jonathan

===============================================================
Jonathan Stark                             (415) 858 1930 x217
eTRUST Technical Director                  stark@eTRUST.org
Received on Friday, 4 April 1997 14:15:28 UTC