- From: Jaye, Dan <DJaye@engagetech.com>
- Date: Tue, 26 Aug 1997 21:09:18 -0400
- To: 'Larry Masinter' <masinter@parc.xerox.com>
- Cc: "'http-wg@cuckoo.hpl.hp.com'" <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, "'http-state@lists.research.bell-labs.com'" <http-state@lists.research.bell-labs.com>
-----Original Message-----
From: Larry Masinter [SMTP:masinter@parc.xerox.com]
Sent: Monday, August 18, 1997 2:05 PM
To: Jaye, Dan
Cc: 'http-wg@cuckoo.hpl.hp.com'; 'http-state@lists.research.bell-labs.com'
Subject: Re: FW: revised trusted cookie spec

At the HTTP working group meeting, I took off my "virtual" chair's hat and put on an "opinionated working group member" hat, and ranted about commentURLs.

I want to extend that rant: I'm opposed to commentURLs in cookies. I'm opposed to comment strings in cookies. I'm opposed to trusted cookies, too.

I believe that we should recommend "browsers should not return cookies to sites that are not trusted with private information" and that trust can be established using a variety of means: (a) the site sent you the cookie (b) you have some other way of establishing a site's privacy policy.

Establishing the privacy policy might be accomplished by using a PICS-Label or by obtaining it via some other link, having the privacy rating INSIDE THE DOCUMENT that contains the links ("we assert that this document only links to sites with the following privacy policy") or any of a variety of means outside the HTTP protocol.

But assertions of privacy policies do not belong *inside* the state management mechanism.

My proposal does not put the privacy policy inside the state mgt mechanism. A separate PICS-Label header is used. It merely establishes how you relate cookie handling to privacy policies. Do you think it is unnecessary to establish that link (from within the http protocol)?

Larry
Received on Tuesday, 26 August 1997 18:12:44 UTC