RE: Unverifiable Transactions / Cookie draft from David W. Morris on 1997-03-19 (ietf-http-wg@w3.org from January to March 1997)

From: David W. Morris <dwm@xpasc.com>
Date: Tue, 18 Mar 1997 22:50:01 -0800 (PST)
To: Yaron Goland <yarong@microsoft.com>
Cc: http working group <http-wg@cuckoo.hpl.hp.com>
Message-Id: <Pine.SOL.3.95.970318222525.6619D-100000@shell1.aimnet.com>

On Tue, 18 Mar 1997, Yaron Goland wrote:

> The average user doesn't know about cookies and frankly they don't want
> to know about cookies. However browser implementers are now forced to
> put UI in front of them to tell them more than they ever cared to know
> about cookies. Since the user doesn't know what a cookie is, they are
> going to call up to find out what the heck this cookie stuff is about.
> Who pays for that call? The browser implementer. So a wire protocol is
> taking away browser implementers right to control the experience users
> have with the very program the browser implementer is selling.

First all, I reject your wire protocol conclusion.  HTTP is a protocol
which allows delivery of an application between a server and a user. There
has always been much more to HTTP (and its cousin HTML) than what flows
over the wire. For HTTP to be useful, both the server and the user must
have their expectations met. And in the case under consideration, the
expectation deals with the user's privacy concerns.

Secondly, the standards bodies are one way users can forcefully indicate
their preferences to UA vendors. The economics of UA implementation
haven't left much room for real differentiation. When one is free bundled
with the operating system and the other is free for a major segment of the
population, to deliver an alternative is difficult. The UA publishers have
been left with a great deal of freedom as to how they present the required
information to the user. Good UI design should eliminate many of the 
questions your average user might have ... good on screen text, help
files, etc. For the remainder, just apply the standard for fee tech
support and consider it a revenue opportunity. I suspect that many users
will ask what the heck this cookie stuff is and just click the don't
bother me box.  So the real issue in UI design is how to fairly present
the story so that users might understand that it isn't in their best
interest to accept all cookies.

You are beating a dead horse in my opinion when you argue that the HTTP
specification shouldn't consider specifing the UI functional requirements
in this area. You make a number of suggestions for clarification which
might be reasonable for clarification of the new cookie2 specification.
You are more likely to get your other comments noticed by the group if
you separate them from the not appropriate for a wire protocol argument.

Dave Morris

Received on Tuesday, 18 March 1997 22:54:09 UTC