Roy,
I agree that any attempt to manipulate out-of-band via an in-band
mechanism is a problem. Regarding in-band UGE, however, cookies seem like
a poor way to store those exceptions, since cookies get cleared so often.
--ronan

On Wed, Jun 26, 2013 at 4:39 AM, Roy T. Fielding <fielding@gbiv.com> wrote:
> On Jun 26, 2013, at 1:22 AM, Nicholas Doty wrote:
>
> > Providing non-normative text suggesting a convention for cookies used
> > for out-of-band consent sounds similar to Roy's proposal that we drop the
> > JS APIs altogether in favor of such conventions. Roy, CCed, do you think
> > providing such conventions (in a non-normative way) would be a useful way
> > forward?
>
> No. OOBC is (by definition) not specified by the protocol.
>
> My suggestion was that our in-band UGE be replaced by an in-band
> opt-in consent mechanism based on a specially named cookie, not
> that we specify out of band mechanisms.
>
> A site might obtain user consent via any number of mechanisms,
> including old-school written contracts with definite term
> periods. We cannot specify how such consent is obtained,
> nor can we require that consent be revocable on demand.
>
> ....Roy