RE: alternate domain relationships proposal from Dobbs, Brooks on 2004-03-17 (public-p3p-spec@w3.org from March 2004)

From: Dobbs, Brooks <bdobbs@doubleclick.net>
Date: Wed, 17 Mar 2004 20:08:07 +0100
To: "'public-p3p-spec'" <public-p3p-spec@w3.org>
Message-Id: <200403172008.13021.bdobbs@doubleclick.net>
Assuming Lorrie's reading of "it" overcomes Giles' point, I see this
answering a number of problems, but leaving a number of folks with
pre-existing arcitechtures out in the cold.  I am speaking specifically
 of ad servers like ourselves and content delivery networks.

If a CDN has hierarchically structured their tag from left to right and
 can dynamically generate P3P: policyref  headers than all things are
 perfect, but practically speaking a CDN may host images as follows:

http://highavailability.net/1000001.gif should be covered by clientA
http://highavailability.net/1000002.gif should be covered by clientX
http://highavailability.net/1000003.gif should be covered by clientY
http://highavailability.net/1000004.gif should be covered by clientA

This presents a world more difficulty than had the set up been:

http://highavailability.net/a/1000001.gif should be covered by clientA
http://highavailability.net/x/1000002.gif should be covered by clientX
http://highavailability.net/y/1000003.gif should be covered by clientY
http://highavailability.net/a/1000004.gif should be covered by clientA

But in practice the former is quite common.  Adding to this the list is
 HUGE and highly dynamic.

In the ad serving world there is also the complication that a single
 URL and cookie replay would need to refer to multiple our hosts. 
 Because the data collected by discreet tag may in fact belong to the
 advertiser and the publisher.

Another difficulty here is the CP OHO mechanism.  If CPs are only
 issued on cookie set, the vast majority of replays will likely be to
 hosts specifying other policies thru the dynamic P3P: policyref
 mechanism, with other policies - which essentially defeats the use of
 CPs???  Am I missing something here?

-Brooks



-----Original Message-----
From: public-p3p-spec-request@w3.org
 [mailto:public-p3p-spec-request@w3.org] On Behalf Of Lorrie Cranor
Sent: Wednesday, March 17, 2004 10:41 AM
To: Giles Hogben
Cc: 'Humphrey Jack'; 'public-p3p-spec'
Subject: Re: alternate domain relationships proposal

I think the problem is the ambiguity of the word "it" in the sentence:
> A policy referenced in a policy reference file can be applied only to
> URIs
> on the DNS (Domain Name System) host that references it.

We have been interpreting this sentence to mean:

A policy referenced in a policy reference file can be applied only to
URIs
on the DNS (Domain Name System) host that references the policy
reference file.

Thus in Jack's example, if forinstance.com returns a P3P header, the
policy reference file it references gets applied to forinstance.com. I
am pretty sure that is how it has been implemented in IE6, Netscape7,
and PrivacyBird.

Lorrie

On Mar 17, 2004, at 3:58 AM, Giles Hogben wrote:
> There seems to be something wrong with the initial argument:
>
> The existing P3P spec says:
>
> "A policy referenced in a policy reference file can be applied only
> to URIs
> on the DNS (Domain Name System) host that references it. Thus, for
> example,
> a policy reference file at the well-known location of host
> www.example.com
> can apply policies only to resources on www.example.com."
>
> So when you say
>
> "forinstance.com is configured to return the HTTP header
>
>     P3P: policyref="http://www.example.com/w3c/p3p.xml"
>
> This policyref can only apply to files on www.example.com
>
> Have I missed something in this discussion?
>
>> **-----Original Message-----
>> **From: public-p3p-spec-request@w3.org
>> **[mailto:public-p3p-spec-request@w3.org] On Behalf Of Humphrey,
>> Jack **Sent: 17 March 2004 07:48
>> **To: 'public-p3p-spec'
>> **Subject: alternate domain relationships proposal
>> **
>> **
>> **Based on our discussion last week, here is a draft of an
>> **alternate proposal for a new "our-host" extension element
>> **(renamed to distinguish from the previous proposal's
>> **"known-host") with a different semantic meaning. Also
>> **included is an extension to the compact policy P3P header to
>> **support the same mechanism for compact policies.
>> **
>> **Please review this new proposal and compare to the previous
>> **proposal. Is it more straightforward? Might it be less
>> **confusing for implementers and user agent developers?
>> **
>> **Thanks. I will probably be late to the call and may have
>> **some trouble participating verbally, as I will be coming
>> **from a dental appointment.
>> **
>> **++Jack++
>> **
>> **
Received on Wednesday, 17 March 2004 14:08:51 UTC