The p3p generic attribute

Dear all, 

I had some talks with Massimo and Mark Nottingham here at the TP in
Cannes. I have interesting conclusions but I don't have a clue yet how
to formulate that in the specification.

1/ Discussion with Mark Nottingham

I discussed the attribute with Mark and the most important remark he
made was that there is a very fundamental distinction between applying
the p3p-attribute on data contained in the element being sent over the 
wire and an interface description (like WSDL[1]). Mark suggests that we 
only treat interfaces for the moment and defer the data-sending to later 
(epal?) work.

2/ Discussion with Massimo

Before and after having talked to Mark, I've talked a lot with Massimo.
I found out that Massimo's but also Lorrie's approach corresponds to what 
Mark calls the data approach. In fact, they assume that data is
contained in the element <foo xsd:p3patt="p3p.xml"><bar>Rigo</bar></foo>.
Now they claim that not anybody will treat that chunk of XML the way 
defined in p3p.xml when <foo... is sent over the wire. 

But this makes the protocol assumption underlying cc/pp and is the
flip-side of P3P. In fact it makes the protocol assumption that the
policy is sent with the data and constrains the recipient of that data.
This, in terms of P3P, is not possible, as it would mean one is sending 
privacy preferences over the wire. We don't do that and it has completely 
different semantics. So the only thing we know to do today is that 
if I receive -say- a WSDL interface description with a p3p-attribute 
on it, I know that when submitting data to that interface, my data will
be treated in the way described in the P3P policy.

If sending data over the wire, it is like sending preferences (like
cc/pp does). Once we agreed on this, Massimo had no concerns anymore. 

The issue is now to find a language to constrain our attribute so that 
it could only apply to interfaces and not to data sent over the wire. We
will probably also need some words to avoid the misunderstanding
described above (sending data over the wire) as it is most common or
even the preferred interpretation of most people.

I hope this might help Lorrie in drafting her proposal.


  1. http://www.w3.org/TeamSubmission/2004/SUBM-p3p-wsdl-20040213/
-- 
Rigo Wenning            W3C/ERCIM
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis

Received on Wednesday, 3 March 2004 08:44:33 UTC