- From: Thomson, Martin <Martin.Thomson@commscope.com>
- Date: Tue, 3 May 2011 15:02:26 +0800
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- CC: Willy Tarreau <w@1wt.eu>, Mark Nottingham <mnot@mnot.net>, "httpbis mailing list" <ietf-http-wg@w3.org>
On 2011-05-03 at 16:41:04, Poul-Henning Kamp wrote: > This is the crux of the matter: How can you as a privacy-desiring > user know if they want to be compliant ? > > Squezing non-effective "please-protect-my-privacy" requests into HTTP > is not going to have any practical effect at all, so we should not do > it. It's a fun argument. Much like the one that goes: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." That's not the point. Privacy sometimes requires something more than a technical solution. See aforementioned paper. I know a lot of people are quite negative towards this approach to the problem, but the alternatives (capitulation, TLS) aren't superb either. And maybe you really do trust your intermediary. In a lot of cases you have chosen to use it, after all. Maybe logging for all those other transactions is quite handy. Or maybe you aren't given any choice in the matter and this gives you a way to salvage the important stuff. And you don't want to suppress all logging, because that's incentive for the policy makers to ignore this sort of guidance. --Martin
Received on Tuesday, 3 May 2011 07:02:59 UTC