Re: Updated Server Response Section of TPE

Roy, 

The one who loses out in Seattle will have to write the minority opinion for 
the Director. 

One thing is clear to me. If your solution goes through, 

1/ There will be no consent mechanism as there is just a policy called 
status sitting somewhere and there is the DNT signal. There is no relation 
between preference and status and no object that matching status (feedback) 
and preference read on. I wonder how exceptions are handled. They need an 
object to read on. There is no object in your system as there is no URI or 
resource taken into account. 

2/ The system will not even be able to answer any pre-flight conditions, 
because the URI I hit may either track or not track. A user agent can not 
know that, not even after interaction, because the feedback is just 
independent of the URI. This also implies that you can't express that DNT is 
not accepted for parts of a site.

3/ There is no ack anymore as there is no feedback. A site may just cross 
its fingers behind the back and say: Sorry, for this resource we meant that 
tracking applies. You sent DNT;1 but we can't apply it. And track you 
anyway. 

4/ There will be no reliable conditional access as the URI is not taken into 
account. The condition has no semantic object it could read on.

So you're breaking central use cases only because you refuse headers and 
transform a thing that was created as a feedback mechanism into a kind of 
P3P 0.0001 Policy that has option "track" or "not track" and perhaps some 
"we have out of band consent" that I even don't know what it applies to. 
You're definitely still in Prague.

Rigo



On Friday 01 June 2012 14:35:39 Roy T. Fielding wrote:
> On Jun 1, 2012, at 1:44 PM, Rigo Wenning wrote:
> > On Tuesday 29 May 2012 18:23:19 Roy T. Fielding wrote:
> >> No, in all respects.  I know how the W3C site works.  There are only
> >> two policies---public and ACL---and they can be wrapped into one
> >> tracking policy if we define authentication as overriding DNT.
> > 
> > Ok, we have 2 options, but how do you tell to which of the 55000 URIs
> > the tracking status applies to?
> 
> I don't have to -- the one tracking status applies to all of them.
> 
> > How do you deal with dynamic content?
> 
> It applies to all of them -- there is no dynamic/static distinction
> in HTTP.
> 
> > Don't tell
> > me that you just declare: ACL is this and non ACL is that and let the
> > user in the dark on what state he is "currently" in? (This site is a
> > mine field, there are places where you are secure and others where you
> > aren't. But we won't tell you which is which)
> 
> The browser knows what parts it is sending a credential to and what
> parts it is not, and it is hardly relevant what the user's opinion
> is on tracking for an authenticated resource that is always tracking
> by its very nature.
> 
> > In this case, we just need a simple
> > declaration for the entire web: Either you are tracked or you aren't.
> > Done.
> 
> If W3C owned the entire web, yes.
> 
> > For the entire web. Nice! Could be hardwired in the browser. No need for
> > a well-known location anymore because you could always know in advance
> > that you're either tracked; or not. What does that buy us compared to
> > the status quo?
> 
> Rigo, you are not in a debating class, nor in a courtroom,
> nor talking to someone who isn't familiar with the technology.
> So, I would appreciate a little less drama.
> 
> ....Roy

Received on Saturday, 2 June 2012 05:08:44 UTC