- From: David W. Morris <dwm@xpasc.com>
- Date: Thu, 24 Apr 1997 13:53:50 -0700 (PDT)
- To: Koen Holtman <koen@win.tue.nl>
- Cc: http-wg@cuckoo.hpl.hp.com
On Thu, 24 Apr 1997, Koen Holtman wrote:

> This reminds me: if you are a browser vendor implementing (some parts
> of) 2109, please do *not* use language like
>
> [X] disable cookies in unverifiable transactions
>
> in your preference setting panels. It is not only ugly, it is
> imprecise as well, because 2109 talks about the option
>
> [X] disable cookies in unverifiable transactions on domains which
> do not domain-match the domain of the origin transaction.
>
> `unverifiable transaction' is fine terminology for specs (disclaimer:
> I believe I invented it), but in end-user applications you should say
> something like
>
> [X] disable third-party cookies

I would really hope that any browser vendor would do a much better job
of providing a user interface than any of the above variants. There is
NO WAY Joan Average-User has any way of understanding:

  "unverifiable transaction"
  "domain"
  "domain match"
  "origin transaction"
  Etc.

Therefore, informed consent would be impossible.

Actually 'unverifiable transaction' is bad spec terminology as it implies
there might be a verifiable transaction. There was a recent suggestion
that the transaction be referred to as an 'indirect transaction'.

For informed consent to exist, users need:

a. An explanation of the issues written in terms they can understand
b. An explanation they can *easily* view as to how an individual cookie
   provider will use the cookies.

Browser vendors can nicely differentiate themselves by how well they
integrate the decision process for the user. The protocol doesn't make
(b) possible and it should (e.g., the commenturl).

Secondly, some form of the general Cookie Certificate Approach proposed
to the WG should be integrated as an alternative which enables immediate
acceptance of authenticated level-1 cookies preconfigured in browsers.
It really shouldn't be difficult to get the CCA infrastructure
established by the time UAs are available with the CCA support.

Dave Morris
Received on Thursday, 24 April 1997 13:55:48 UTC