- From: Rigo Wenning <rigo@w3.org>
- Date: Wed, 11 Feb 2004 18:01:16 +0100
- To: public-p3p-spec <public-p3p-spec@w3.org>
Present: Lorrie Cranor Jack Humphrey Rigo Wenning Jeff Edelen Brooks Dobbs AGENDA 1. Agent and domain relationships http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0012.html talking about http://lists.w3.org/Archives/Public/public-p3p-spec/2004Feb/0018.html Potential Problem if directory a has policy b on host a.example.com and directory b has policy a on host a.example.com the known hosts now if host b.example references this PRF by http-header and has policy a on directory a and policy b by policy b, the user agent gets screwed. Lorrie suggest to have a separate PRF for known hosts and that known hosts should use that separate PRF if it gets complicated. ACTION: Jack: bring up a new draft and send to Rigo for publication Rigo asked about performance improvements Lorrie said that this is already feasable with the actual mechanisms no more improvements possible with the relationsships. We can only express the nature of relationsships. ACTION Rigo ask Brooks about how to use this for performance improvement Lorrie stated that the current proposal is in good shape to go into the specification. Floor still open for performance ACTION: Rigo Link new agent domain relationsships 2. Primary purpose specification Action Rigo: Call up data commissioners and follow up with Dave 3. Clarify what we mean by data linked to a cookie http://www.w3.org/Bugs/Public/show_bug.cgi?id=172 We discussed this on the call last week but did not have time to finish it. Consensus that we need better text to describe direct linking. Question remains about what we should say about indirect linking. Brooks and Giles are not present: We are in the process of where to draw the line for indirect linking. A direct link if there is a database key in the cookie. If things are linked because two cookies in the same logfile and there is no intention to harvest that, should we draw the line? Jeff, it is tricky to define. You could match two keys from different databases JH: if you have the the intent to link it. Any other linkages that you do later and that you haven't declared initially are a violation of your policy. From a different angle, if one makes risk-assesment on user side: Lorrie, if site uses multiple cookies, one can assume they are linkable. That doesn't say that they actually get linked. Action: Lorrie to rewrite Giles draft on linking data to include linked and linkable and circulate to the list. We asked about what the relationsship between online cookie database and offline CRM system we want clarity for that question. Lorrie said that we might ask the companies to use different identifiers. Also the question, about what to declare if only parts of the CRM database are used for the online context. JH: if not linking the data and no intention, should make reasonable effort to create obstacles in your architecture. Rigo: We already have done criteria in non-identifiable, so why not have criteria here Brooks: People won't re-engineer their CRM-Systems. Example: Web-site with search engine and customers and customer-data: We want to know if I search for aids, will that be linked into my customer-data. BD: we always assumed that IP is linked to cookie as they are on the same line in the logfile Lorrie: but what is linked to the cookie? Rigo: issue is that the actual data transferred is not much, but it adds up in the record and we don't have a good way to say that. LC: Cookie is only linked to data if it causes a change update in the database BD: logfile is arguably a database. LC: If you wouldn't log the cookie in the logfile you would not change the database ... if cookie is used to retrieve info from database, then it is arguably also linked to ....a database. BD: the lookup is changing the data structure? If there is no log of this transaction LC: if log the transaction, than offline will associate with online, but if it is not logged, there is no link 4. How to proceed on compact policies? LC: want a decision we can't get rid of them, as this would harm backwards compatibility so only three options: keep them as is, could be deprecated or improved What would deprecated mean? We encourage use only to make P3P 1.0 user agents happy What are tradeoffs and benefits? Improvements: could they be substantial enough to remedy the known problems? Keep them as is? Nobody opted for this solution as the issues around the compact format are too serious. 5. Set time/date of next call (Lorrie not available Feb 18 or Feb 25) Next time 23 February 11am: Action Lorrie: Arrange the bridge at W3C
Received on Wednesday, 11 February 2004 13:20:31 UTC