generic attribute from Lorrie Cranor on 2004-02-10 (public-p3p-spec@w3.org from February 2004)

From: Lorrie Cranor <lorrie@cs.cmu.edu>
Date: Tue, 10 Feb 2004 17:51:00 -0500
To: 'public-p3p-spec' <public-p3p-spec@w3.org>
Message-Id: <98ACD198-5C1B-11D8-8001-000A95DA3F5A@cs.cmu.edu>

I still have concerns about 2.5 The P3P Generic Attribute for XML 
Applications
http://www.w3.org/P3P/2004/WD-P3P11-20040203.html#generic_attribute
The language is better than the previous draft, but I am still 
concerned about "the policy MUST describe all data collection performed 
as a result of  processing the element carrying the P3P Generic 
Attribute. The policy also MUST describe all data collection performed 
as a result of processing of all  subelements ."

The notion of binding was hairy enough when dealing with HTTP, but at 
least HTTP methods are somewhat well defined and we usually know what 
it  means for a user agent to dereference a URI (although I could 
imagine this coming back to haunt us later, but so far so good). But I 
don't think we know what it means to "process" an arbitrary XML 
element. Indeed, I think we can expect that different tools may process 
the same XML element in different ways.

Here is a hypothetical example of the problem:

Suppose I have an XML directory (name, address, phone number, fax, URI, 
etc.). Let's say I put a generic P3P tag in an element that contains a 
single directory entry. What does it mean to process this element? A 
user agent might process it by
a) displaying the entry itself in a browser.
b) dereferencing the URI in the entry and displaying it in a browser
c) dialing a phone
d) generating a form letter, putting the name and address into the form 
letter, sending the form letter to a device that prints it and puts it 
in the postal mail
e) generating a fax and sending it to the fax number

There might be no data collection associated with a. b might result in 
the collection of clickstream data. c might result in the collection of 
caller ID. d might result in collection of whatever information is put 
in the letter. e might result in whatever info is put in the fax, plus 
caller ID.

I think to solve this problem we need to add some meta data that 
explains what it means to process the XML. Perhaps we could add a 
companion attribute that would be a URI that would be used to describe 
what the P3P binding means for a particular application.

Lorrie

Received on Tuesday, 10 February 2004 18:19:28 UTC