Re: FW: revised trusted cookie spec

> Larry, would you be happy with a spec which defines
> a) an extensible Pics-Label header for conveying information about
>    privacy policies
> b) the specific cookie-related instance of this extensible header?
> Or are you saying that this is to weak, and that we need a complete,
> comprehensive scheme which handles cookies, passwords, business cards,
> and so on, under a single unified unterface?
> I would be with you on calling for an extensible header, but a call
> for the development of a comprehensive scheme goes too far for me.  In
> my opinion, a call for completeness will guarantee that there will
> never be any convergence (because too many people with advertising
> business models will be opposed to it), and I want to see convergence
> on something which improves on the current cookie situation, even if it
> does nothing more than that.

I'm just not at all certain that this kind of policy issue belongs
in HTTP at all. What if, for example, there were an HTML HEAD element
that could contain a site's policies or links to them, and that
before actually storing any cookie to disk, the policy could
be determined?

Putting this kind of information in the protocol seems like it violates
the boundary between protocol and application in a way that doesn't feel
right to me.

I could imagine a kind of option where a client could ask a server
for the LINK to its policies for a given realm, which might be an
OPTION request or some other such thing, but I'm not sure that it is
a protocol extension to HTTP.


Received on Wednesday, 3 September 1997 09:35:51 UTC