P3P 1.1 Domain Relationships

Working Group members, 
 
Please read and comment on this latest draft:
http://www.w3.org/P3P/2004/02-domain-relationships.html
(Apologies, I thought this URL went out with the minutes. Rigo, I don't
think it's linked anywhere -- I just guessed the URL.)
 
Here are the open questions/issues I would like to discuss with the group:
 
1. For now, we have dropped the HTTP header mechanism seen in previous
drafts. There are two reasons: first of all, changing the P3P HTTP header
would require approval of a revised P3P header specification by IETF.
Secondly, there is a feeling that the PRF-based mechanism should be a
feasible way for user agents to discover this new information, even for
those user agents that only use compact policies to manage cookie privacy.
 
2. The last section in the draft ("Cookie Playback") states:

User agents should be aware that if they allow a cookie to be set based on a
relationship established by known host declarations, they should verify that
such a relationship exists at cookie playback time, and not send the cookie
if it does not. Such verification implies re-fetching the policy reference
file and evaluating its known host declarations only if the policy reference
file has expired.

There is a concern that this language would have an impact on section
2.3.2.7 of the P3P spec, which says that a user agent "MAY request a policy
reference file from a host before replaying a cookie to that host".
Thoughts?

3. The section in the draft entitled "HTTP Header Requirement" states:

The KNOWN-HOST extension relies on the use of the "P3P: policyref" HTTP
header for one site to refer to a policy reference file on another site.
Since policy reference files cannot include full URIs in the POLICY-REF
INCLUDE elements, sites that rely on placing their policy reference file in
the well-known location (http://www.w3.org/TR/P3P/#Well_Known_Location)
have no way of referencing policies hosted on other sites.

Is it acceptable to require the use of the policyref HTTP header for this case?
An alternative might be another PRF extension that would allow one PRF to
reference another PRF.

Looking forward to your feedback.

++Jack++

Received on Monday, 9 February 2004 00:53:30 UTC
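The two mechanisms discussed in items 2 and 3 above, as an added example that is not part of the original message, the draft, or any W3C code: a user agent that (a) locates a policy reference file either through the `P3P: policyref="..."` header (which may point at another site) or at the well-known location on the same host, and (b) gates replay of a cookie that was accepted on the strength of a known-host relationship, re-fetching the PRF only when the cached copy has expired. The `KnownHostPRF` record (a flat set of hosts plus an expiry time), the direction of the relationship (`declaring_host` names `cookie_host`), and the function names are assumptions made for this illustration; the draft's actual KNOWN-HOST XML is not modeled. The demo shows the caveat a practitioner should notice in the "Cookie Playback" wording: a withdrawn declaration is not seen until the cached PRF expires.

```python
"""Illustrative P3P user-agent logic (added example, not the draft's code).
KnownHostPRF, CookiePlaybackGate and prf_location are hypothetical names."""

import re
import time
from dataclasses import dataclass
from urllib.parse import urljoin

# Well-known location of a policy reference file (PRF) in P3P 1.0.
WELL_KNOWN_PRF = "/w3c/p3p.xml"

# The policyref directive of the P3P response header, e.g.
#   P3P: policyref="http://partner.example/p3p/prf.xml", CP="NON DSP COR"
_POLICYREF_RE = re.compile(r'policyref\s*=\s*"([^"]*)"')


def prf_location(origin, p3p_header):
    """Return the PRF URL a user agent should fetch for `origin` (scheme://host).

    A policyref directive may be an absolute URI on another site, which is the
    only way (per item 3 above) for one site to refer to a PRF hosted elsewhere;
    without it the agent falls back to the well-known location on `origin` itself.
    """
    if p3p_header:
        match = _POLICYREF_RE.search(p3p_header)
        if match:
            return urljoin(origin, match.group(1))
    return urljoin(origin, WELL_KNOWN_PRF)


@dataclass(frozen=True)
class KnownHostPRF:
    """Assumed flattened view of a PRF's known-host declarations."""
    known_hosts: frozenset   # hosts the PRF declares a relationship with
    expires: float           # absolute time (seconds) after which the PRF is stale


class CookiePlaybackGate:
    """Decide whether a cookie accepted via a known-host relationship may be replayed.

    Per the draft's "Cookie Playback" text, the PRF is re-fetched only when the
    cached copy is missing or expired, and the cookie is withheld if the
    relationship no longer exists at playback time.
    """

    def __init__(self, fetch_prf, now=time.time):
        self._fetch = fetch_prf     # callable(declaring_host) -> KnownHostPRF
        self._now = now             # injectable clock for testing
        self._cache = {}
        self.fetch_count = 0        # how many network fetches were needed

    def _prf_for(self, declaring_host):
        prf = self._cache.get(declaring_host)
        if prf is None or prf.expires <= self._now():
            prf = self._fetch(declaring_host)
            self._cache[declaring_host] = prf
            self.fetch_count += 1
        return prf

    def may_replay(self, cookie_host, declaring_host):
        """True if `declaring_host`'s current PRF still names `cookie_host`."""
        return cookie_host in self._prf_for(declaring_host).known_hosts


def demo():
    """Constructed scenario: site.example declares ads.example, then withdraws it."""
    clock = {"t": 1000.0}
    declarations = {
        "site.example": KnownHostPRF(frozenset({"ads.example"}), expires=2000.0),
    }
    gate = CookiePlaybackGate(lambda host: declarations[host], now=lambda: clock["t"])

    first = gate.may_replay("ads.example", "site.example")    # fetch #1, allowed
    cached = gate.may_replay("ads.example", "site.example")   # served from cache

    # The declaring site withdraws the relationship, but the cached PRF is still valid.
    declarations["site.example"] = KnownHostPRF(frozenset(), expires=3000.0)
    stale = gate.may_replay("ads.example", "site.example")    # still allowed: not expired yet

    clock["t"] = 2000.0                                        # cached PRF now expired
    refreshed = gate.may_replay("ads.example", "site.example")  # fetch #2, now refused

    return first, cached, stale, refreshed, gate.fetch_count


if __name__ == "__main__":
    print(prf_location("http://site.example", 'policyref="http://partner.example/p3p/prf.xml"'))
    print(prf_location("http://site.example", None))
    print(demo())
```

The window between withdrawal and expiry (`stale` is still `True`) is exactly the gap a user agent accepts by re-fetching only on expiry; a shorter PRF expiry narrows it, and an agent that prefers the MAY in section 2.3.2.7 can check the PRF before every replay at the cost of an extra request.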