- From: David W. Morris <dwm@xpasc.com>
- Date: Wed, 23 Jul 1997 14:12:24 -0700 (PDT)
- To: Larry Masinter <masinter@parc.xerox.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Wed, 23 Jul 1997, Larry Masinter wrote:

> We can't quite LAST CALL a document which has a technical
> issue unresolved. The technical issue that's unresolved
> is the limitation on accepting cookies while interacting
> with the resource identified by the CommentURL annotating
> a cookie.

Well, the technical issue has only received intense discussion for a day and there would seem to be convergence.

>
> I will state my personal opinion, again, just in case there
> is some additional support for it:
>
> I think that the complexity inherent in "CommentURL" makes
> it suspect, and that the simplest thing to do is to remove
> it. If there is no CommentURL, then you don't need a policy
> for accepting cookies while interacting with it.
>
> Too much icing on the cookie, just say no.

The simple problem is that as a protocol design we are demanding that UI/UA designers provide a meaningful dialog with end-users for control of cookie usage in the interest of protecting user privacy. Without including the CommentURL we are not providing any way for the end user and origin server to have a mutual understanding of how the cookie will be used.

There is no way to require the server to provide the CommentURL or to provide a meaningful message, but one might expect that users who bother to police their cookie transactions would be less inclined to accept cookies which don't have the CommentURL.

As far as the accuracy of the CommentURL description of usage is concerned, I would speculate from a limited legal background that publishing a false statement could be the basis of legal action for false advertising, misrepresentation, etc.

The difference between the Comment attribute and the CommentURL is the difference between the Windows application which provides a message box with a message like:

    "Unable to write bookmark file"

and one which presents the message:

    "Unable to write bookmark file: C:\home\user\internet\bkmrks.fil
    because the file already exists and is owned by another user"

In the first case, only a user familiar with the application internals could guess where to start looking. In the second case, the average reasonably knowledgeable user of the operating system usage would have a good chance at successful problem resolution.

If user privacy is important to our protocol effort, we must make it possible for the user to receive sufficient information for informed consent. If we don't, the user community will throw their hands up and take the course of least resistance and all of our concern about cookie sharing will be moot.

In other words, I don't consider CommentURL as icing on the cookie, it is central to any possibility of achieving user control over privacy.

Dave Morris
Received on Wednesday, 23 July 1997 14:22:06 UTC