- From: Rigo Wenning <rigo@w3.org>
- Date: Wed, 7 May 2003 09:03:07 +0200
- To: Public-P3p-Spec <public-p3p-spec@w3.org>
On Tue, May 06, 2003 at 12:52:03PM -0400, Joseph M. Reagle Jr. wrote:
> 1. Would it lead to the presumption that an unsigned P3P policy is somehow
> less committed to or binding?

I don't think that by adding non-repudiation to a P3P policy one reduces the meaning or value of a non-signed policy. The signature does not add meaning to the policy. It is only a question of evidence.

> 2. Who exactly is validating the signature? This isn't something users are
> likely to comprehend or be able to easily do. (How is it that they are
> getting the service's public key for the validation? This presumes a level
> of infrastructure and knowledge which is not yet present.)

That's actually a good question. I would _love_ to see native XML Signature support in browsers, to be able to sign XHTML pages (for courts and laws, e.g.). But I agree, we are far from there.

> So I think a signed privacy is a nice exercise, but don't find it that
> compelling in the b2c scenario and it might weaken the interpretation of an
> unsigned policy.

It might create yet another incentive to implement XML Sig in an agent. I think the signature requirement is more or less a requirement to be able to link old-style paper procedures with digital ones without too much change (see the EU Directive on Sig that creates an _equivalent_ to a handwritten signature). So for me, it's a nice enhancement, but not a must-have. In fact, it might be nice to have a common way to do signatures on policies, if there are many ways to implement that. But Jo, you can tell better _if_ there are really many ways..

Rigo
Received on Wednesday, 7 May 2003 03:03:14 UTC