Minutes of the 22 Oct 2003 call

Minutes of the P3P Spec WG call of October 22, 2003

Present:
Brooks Dobbs
Jeff Edelen
Rigo Wenning
Jack Humphrey


1/ Discussion of P3P 1.0 element definitions and translations: the
remaining items
see comments in green at http://www.w3.org/P3P/2003/p3p-translation.htm

No discussion in absence of Dave Stampley.

2/ domain relationship proposal
Please review the Draft and comment on the list:
http://lists.w3.org/Archives/Public/public-p3p-spec/2003Oct/0020.html

Jack Humphrey presents his proposal. Basically he suggests to
have two declarations from two hosts that have to match each
other, which would need control on both hosts thus taking away
the argument of hacking that prevented us from using full URI in
policy references-files.

Brooks: Sees known-hosts as covering a whole domain that one
could even not do in the first party content. 

..Discussion

JH: makes no claims about policy, just about known hosts

Brooks: Every time on replay cookie, user-agent would have to
check whether this host is on the known-hosts list.

Brooks explains further.

JH: Cookie by image-request in the context of page on a different
domain, but same corporation (group). Cookie would be rejected if
no third parties allowed by user. Even though they are not same
domain, the cookie is replayed. 

Brooks: Notion of identity in spam-fighting and start discussion
what identity means. So forinstance and example are not the same
entity. You get into the multinational legal challenges.

JH: Problems are more in implementation and how to improve. 

Jeff: Same entity is owned by same company. This is not the most
common example.

ACTION: Brooks write down concerns to mailing-list
ACTION: Rigo check relationship between cookie expiry and
        PRF expiry.

A big discussion about the usefulness of approach to declare
entity relations and agent relations started. In fact it is 
_not_ the goal of the same-entity declaration to say that the
declaring site is not a third party anymore. The concept of third
party touches on the concept of identity, which is difficult in
itself. In fact, the issue of the third-party stuff is that the
cookie set on one host and replayed to another host touches on
the question of policy control on cookie-replay. This is actually
not done for performance reasons. But with an entity or agent
relationship, the user agent would know the policy already and
could do a very quick check without further roundtrip. This would
remove the need for compact policies.

Conclusion: We need further discussion on the mailing-list.
Brooks will start it with his mails on his concerns.


3/ compact policies
Do we invite new people into a TF or do we work on that task in the
whole WG?

We haven't discussed this issue as point 2 took all the time.

4/ Next meeting

Next meeting will be 5 November 2003

-- 
Rigo Wenning            W3C/ERCIM
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis

Received on Wednesday, 22 October 2003 12:35:16 UTC