- From: Ted Hardie <hardie@thornhill.arc.nasa.gov>
- Date: Mon, 28 Jul 1997 16:54:15 -0700
- To: Dave Kristol <dmk@bell-labs.com>, hardie@nic.nasa.gov, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
- Cc: "David W. Morris" <dwm@xpasc.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Jul 28, 6:15pm, Dave Kristol wrote:
> The CommentURL mechanism assists the user in making a decision. With
> that in mind, the answer to your questions is, I think, the UA tells the
> user what happened. If we're talking about an inspection mechanism at
> "the port of entry" (when a cookie accompanies a new page and before the
> user has viewed the page), the user probably has a choice of whether or
> not to accept the cookie. Examining the comment URL is a way for the
> user to make an informed choice. If the UA reports it can't fetch the
> CommentURL, the user still has that choice, just with less information
> than s/he hoped for.

I understand that the comment URL is not meant to be a true verification mechanism, but, like Larry, I worry that the percentage gain in providing it may not match the cost. To deal with a comment URL we will already need advice/rules about providing cookies with the resource referenced in the comment URL. I was trying to point out that we might also need advice/rules about how to treat the open connection to the original resource during an inspection. If inspections are common, we could be asking servers to hold open a large number of persistent connections while a relatively slow thing (a user inspection) happens. That has a cost. If the connection is maintained by the UA "pinging" the server with a HEAD, we've also got bytes on the wire that impact everybody and aren't actually sending information anywhere.

In contrast, if we don't provide that advice and connections normally close while inspections occur, there are consequences either to how cookies are created (so that the same client is highly likely to get the same cookie back on a request made in a short time frame, rather than highly unlikely as now) or to how the UA manages the relationship between the approved inspection and the cookies it receives.

Frankly, I'm not sure that all of the management cost and user education cost is worth the marginal (and hopefully short-term) gain. I fully support inclusion of comments which indicate certification or even asserted well-known policies. But doing this with individually-inspectable URLs does not seem to be a clear win to me. I worry in particular that allowing such URLs will encourage every corporate lawyer to have a policy, rather than relying on well-known policies; that is, admittedly, probably paranoid, but I was raised by lawyers and I know how they can think.

Given the ease of changing resources on the web, I would also want to be able to do a HEAD against the policy in a comment URL once every session I interacted with the resource, just to be sure the policy hadn't changed. (Note that I do not say I would always use that ability, just that I would want *at least* that ability.) If even a small percentage of the net behaves as I would, we have a lot of additional overhead. Of course, I may be what Phill would call "a corner case", but I hope you'll think about the cost vs. gain ratios one more time.

best regards,
Ted Hardie
NASA NIC

NB: NASA was not raised by lawyers, and some of the ones which raised me have since repented.
Received on Monday, 28 July 1997 16:57:28 UTC
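The per-session HEAD check Ted describes (re-fetch the validators of the policy behind a cookie's comment URL and tell the user whether it changed), as an added example that is not code from the thread or from any draft. It assumes the attribute is spelled CommentURL="..." inside a Set-Cookie2 header, the form later standardised in RFC 2965 and not shown on this page, and that the policy server answers a HEAD with ETag and/or Last-Modified. No network is used; the cookie header and HEAD responses are constructed for the example.

```python
"""Added example: re-check a cookie's CommentURL policy once per session.

Assumptions (not stated in the original message): Set-Cookie2 syntax with a
CommentURL="..." attribute, and a policy server that returns ETag and/or
Last-Modified on HEAD.  All inputs below are constructed; nothing is fetched.
"""
from __future__ import annotations


def _split_unquoted(s: str, sep: str) -> list[str]:
    """Split s on sep, ignoring separators inside double-quoted strings."""
    parts, cur, in_quote = [], [], False
    for ch in s:
        if ch == '"':
            in_quote = not in_quote
        if ch == sep and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _unquote(v: str) -> str:
    v = v.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return v[1:-1]
    return v


def parse_set_cookie2(header: str) -> list[dict]:
    """Parse one Set-Cookie2 header value into a list of cookies.

    Each cookie is {"name", "value", "attrs"}; attribute names are lower-cased
    and values unquoted.  Several cookies may share one header, separated by
    commas outside quotes, so a quoted CommentURL may itself contain ';' or ','.
    """
    cookies = []
    for cookie_text in _split_unquoted(header, ","):
        pieces = _split_unquoted(cookie_text, ";")
        name, _, value = pieces[0].partition("=")
        attrs = {}
        for piece in pieces[1:]:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = _unquote(val)
        cookies.append({"name": name.strip(), "value": _unquote(value), "attrs": attrs})
    return cookies


def policy_fingerprint(head_headers: dict) -> tuple | None:
    """Reduce a HEAD response to the validators that say whether the policy moved.

    Returns None when the server sends neither ETag nor Last-Modified: a HEAD
    then cannot answer the question, and the UA must report that rather than
    claim the policy is unchanged.
    """
    h = {k.lower(): v.strip() for k, v in head_headers.items()}
    etag, last_mod = h.get("etag"), h.get("last-modified")
    if etag is None and last_mod is None:
        return None
    return (etag, last_mod)


def _same_policy(prev: tuple, cur: tuple) -> bool:
    # Prefer ETag when both sides carry one; otherwise fall back to Last-Modified.
    if prev[0] is not None and cur[0] is not None:
        return prev[0] == cur[0]
    return prev[1] == cur[1]


def check_policy(cookie: dict, stored: dict, head_headers: dict | None) -> str:
    """Decide what the UA tells the user about this cookie's policy this session.

    stored maps CommentURL -> fingerprint seen in an earlier session and is
    updated in place.  head_headers is this session's HEAD response, or None if
    the fetch failed (Kristol's case: the user still chooses, with less info).
    """
    url = cookie["attrs"].get("commenturl")
    if url is None:
        return "no-commenturl"
    if head_headers is None:
        return "unreachable"
    current = policy_fingerprint(head_headers)
    if current is None:
        return "unknown"            # server offered no validator at all
    previous = stored.get(url)
    stored[url] = current           # remember for the next session
    if previous is None:
        return "first-seen"
    return "unchanged" if _same_policy(previous, current) else "changed"


if __name__ == "__main__":
    # Constructed sample header (names borrowed from the RFC 2109 examples).
    hdr = ('Customer="WILE_E_COYOTE"; Version="1"; Path="/acme"; '
           'CommentURL="http://policy.example/p;v=2"')
    cookie = parse_set_cookie2(hdr)[0]
    store: dict = {}
    print(check_policy(cookie, store, {"ETag": '"abc"'}))   # first-seen
    print(check_policy(cookie, store, {"ETag": '"def"'}))   # changed
```

Every session that runs this check costs one HEAD per distinct CommentURL, which is exactly the overhead the message worries about; the "unknown" and "unreachable" outcomes are what the UA has to surface when the HEAD buys no information.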