Re: example for OOBC with cookies (was Re: change proposal)

Roy,
   I agree that any attempt to manipulate out-of-band via an in-band
mechanism is a problem.  Regarding in-band UGE, however, cookies seem like
a poor way to store those exceptions, since cookies get cleared so often.

--ronan



On Wed, Jun 26, 2013 at 4:39 AM, Roy T. Fielding <fielding@gbiv.com> wrote:

> On Jun 26, 2013, at 1:22 AM, Nicholas Doty wrote:
>
> > Providing non-normative text suggesting a convention for cookies used
> > for out-of-band consent sounds similar to Roy's proposal that we drop the
> > JS APIs altogether in favor of such conventions. Roy, CCed, do you think
> > providing such conventions (in a non-normative way) would be a useful way
> > forward?
>
> No.  OOBC is (by definition) not specified by the protocol.
>
> My suggestion was that our in-band UGE be replaced by an in-band
> opt-in consent mechanism based on a specially named cookie, not
> that we specify out of band mechanisms.
>
> A site might obtain user consent via any number of mechanisms,
> including old-school written contracts with definite term
> periods.  We cannot specify how such consent is obtained,
> nor can we require that consent be revocable on demand.
>
> ....Roy
>
>
>

Received on Wednesday, 26 June 2013 11:06:50 UTC