- From: Rigo Wenning <rigo@w3.org>
- Date: Wed, 07 Mar 2012 09:50:13 +0100
- To: public-tracking@w3.org
- Cc: "Roy T. Fielding" <fielding@gbiv.com>, Matthias Schunter <mts@zurich.ibm.com>
On Tuesday 06 March 2012 14:34:43 Roy T. Fielding wrote:
> > As a consequence, a site where each URL may have a different response
> > should live easier with headers; for retrieving the same info from a
> > well-known URI, the whole site needs to be 'mirrored' under the
> > well-known URI and the number of requests would double (Roy: Correct
> > me if I am wrong!).
>
> Actually, you are wrong, though for reasons that very few people would
> anticipate. First, the 'mirror' is not of the site but of the resource
> namespace, and it ends at the first ancestor that has the same tracking
> policy as all of its descendants. Descendants would redirect up.
> Second, there are no sites where every URL has its own tracking policy.
> Finally, in the worst case, the site can simply pick the union of all
> tracking behavior for the site and present that at the single
> /.well-known/dnt --- we do not penalize sites for saying they track more
> than they actually do for a given URI.
Roy,
you're contradicting the entire P3P WG here:
http://www.w3.org/TR/P3P11/#ref_file
I've set up the ref_files myself and failed for a site as complex as W3C's.
While I can imagine that a simple site sets the response headers in a file to
be downloaded, complex sites will have to define the scope of the response
header and with the above you're only scratching the opening door to a complex
can of worms. Defining is easy, implementing is very hard in this field:
Definition: some regex will do:
DNT reference files make statements about what DNT feedback value applies to
a given URI. DNT reference files support a simple wildcard character to allow
making statements about regions of URI-space. The character asterisk ('*') is
used to represent a sequence of 0 or more of any character. No other special
characters (such as those found in regular expressions) are supported.
Implementation:
In W3C datespace, files with different levels of access are sitting in the
same folder. And different levels of access (logged-in) mean different
tracking status. As a consequence, the file at the well-known location has to
contain a list of all files under DNT policy. For W3C those are some 100k
files or more. How heavy is that file at the well-known location now? How hard
to generate?
BTW and with a reference to Aleecia's discussion with Shane about complex
sites and headers: P3P contained the link-tag in the html page for that use
case. We now would have RDFa to do that.
Best,
Rigo
Received on Wednesday, 7 March 2012 08:50:42 UTC
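
The wildcard rule quoted in the message and the mixed-folder problem it describes, as an added example that is not part of the original message or of any W3C specification. The rule format (ordered pattern/status pairs, first match wins), the status labels and the sample paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def compile_pattern(pattern):
    # '*' means "0 or more of any character"; everything else is literal,
    # so regex metacharacters in the pattern are escaped.
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts), re.DOTALL)

def lookup(rules, path):
    # Assumption: ordered rules, first match wins; None means "no statement".
    for pattern, status in rules:
        if compile_pattern(pattern).fullmatch(path):
            return status
    return None

def build_rules(files):
    # files: {path: status}. One 'dir/*' rule per directory whose files all
    # share a status; every file of a mixed directory is listed by itself.
    by_dir = defaultdict(dict)
    for path, status in files.items():
        by_dir[path.rsplit("/", 1)[0] + "/"][path] = status
    exact, wild = [], []
    for directory, members in by_dir.items():
        statuses = set(members.values())
        if len(statuses) == 1:
            wild.append((directory + "*", statuses.pop()))
        else:
            exact.extend(sorted(members.items()))
    # Exact entries first, then longest wildcard first, so a deeper rule
    # is never shadowed by a shallower one.
    wild.sort(key=lambda rule: len(rule[0]), reverse=True)
    return exact + wild

# Constructed sample: one folder mixes access levels, one does not.
SAMPLE_FILES = {
    "/2012/03/minutes.html": "anon",
    "/2012/03/draft.html": "logged-in",
    "/2012/03/agenda.html": "anon",
    "/TR/P3P11/index.html": "anon",
    "/TR/P3P11/errata.html": "anon",
}
RULES = build_rules(SAMPLE_FILES)

if __name__ == "__main__":
    for rule in RULES:
        print(rule)
```

The uniform folder collapses to a single wildcard rule, while the mixed folder needs one entry per file, which is the growth the message describes for a large site.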