Re: Grouping Statements Proposal from Rigo Wenning on 2003-08-13 (public-p3p-spec@w3.org from August 2003)

From: Rigo Wenning <rigo@w3.org>
Date: Wed, 13 Aug 2003 16:40:54 +0200
To: public-p3p-spec@w3.org
Message-ID: <20030813144054.GE547@rigo.w3.org>

Playing the devil's advocate here and trying to understand the aim 
of this proposal:
On Tue, Jul 29, 2003 at 07:00:35PM -0700, Jeremy Epling wrote:
> Scenarios
> 
> *	User browses to ebay and views the P3P policy. They are able to
> skip to the buyer section of the P3P policy since that is what applies
> to them.

This is role based: A user identifies himself as a buyer and takes only
notice of this part of the policy. 

BUT, P3P ties a certain policy to a certain URI. It means, as long as
the user is browsing in the buyer realm, a certain policy applies. 

So the main reason that we would need a grouping is, that there was an
overstatement in the first place that we try to overcome by the user
identifying himself in a certain role and cognitively selecting a part
of the policy. 

In the given scenario, example.com has a PRF that says:
<POLICY-REF about="/w3c/policy.xml">
	<INCLUDE>/*</INCLUDE>
</POLICY-REF>

The policy would then include several roles/services that the whole
Web-Site contains. 

Finally, instead of the site (that should know) the user has to figure
out, what is actually happening. I don't think, this is an improvement.

> *	User browses to amazon and views the P3P policy. The can see
> that since they are not logged in less information is collected about
> them.

If the login-pages are separated from the normal pages, P3P would find
out automatically. This re-enters to much human brain-work in the
automation we tried to achieve.

So instead of grouping (not consent-grouping, which is different), we
should perhaps explain how to design a site in a clever way using P3P. I
fear simply that this takes too much pressure away from Web-sites to
actually be precise in their policies (and use multiple policies instead
of the one-fits-all)

I see the benefit of explaining which service does what, to better
understand things. But this is a question of labelling policies
(long-description/consequence etc) and not of grouping statements. 

This all under the reserve that I understood the proposal correctly. 

Best, 

Rigo

Received on Wednesday, 13 August 2003 10:41:01 UTC