- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 24 Jan 2008 01:11:17 +0000 (UTC)
- To: Mark Nottingham <mnot@yahoo-inc.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Thu, 24 Jan 2008, Mark Nottingham wrote:
>
> The heart of the issue is how policy is discovered; the current ED uses
> a per-resource OPTIONS, while almost every other solution in this space
> uses a well-known-location.

robots.txt is a per-domain policy (to prevent a host from being overwhelmed); there are per-resource ways of controlling spiders as well.

favicon.ico is a per-domain policy that is only available due to a legacy proprietary extension; it causes untold problems (e.g. it doubles the load on some of my sites due to bugs in how browsers cache 404 responses for this resource), and it has per-resource ways of being specified instead (including using HTTP headers).

p3p.xml is a per-domain policy intended to be fetched before the resource in question is fetched, for reasons that don't apply here. There are also ways of providing per-resource information for this policy. Furthermore, P3P has had such a poor uptake that I don't think it's a good thing to look at.

Sitemaps are site-specific (domain-specific) and are intended to act as a manifest for other resources, and thus wouldn't make sense at a per-resource level.

None of these seem appropriate precedents for Access Control, which is specifically a per-resource concern.

> The decision to Recommend a new mechanism for discovering policy
> shouldn't be taken lightly.

I hardly think that HTTP headers and "OPTIONS" can be called a "new mechanism". After all, every per-resource policy mechanism uses them already! HTTP authentication, caching policies, redirect policies, cookies, WebDAV, you name it. They are the most appropriate mechanism for declaring per-resource policies.

> I've pointed out several problems with the current proposal, and haven't
> received satisfactory responses to many of them.

As far as I can tell, all feedback has been responded to -- can you be more specific as to what technical feedback hasn't been answered?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 24 January 2008 01:11:30 UTC