Re: example for OOBC with cookies (was Re: change proposal) from Ronan Heffernan on 2013-06-26 (public-tracking@w3.org from June 2013)

From: Ronan Heffernan <ronansan@gmail.com>
Date: Wed, 26 Jun 2013 07:06:01 -0400
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Nicholas Doty <npdoty@w3.org>, "Mike O'Neill" <michael.oneill@baycloud.com>, "public-tracking@w3.org public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <CAHyiW9KOumkKdhTk7Cc82P0xuVkvDmMCN1stLp-+QdcBQ2ez2w@mail.gmail.com>

Roy,
   I agree that any attempt to manipulate out-of-band via an in-band
mechanism is a problem.  Regarding in-band UGE, however, cookies seem like
a poor way to store those exceptions, since cookies get cleared so often.

--ronan



On Wed, Jun 26, 2013 at 4:39 AM, Roy T. Fielding <fielding@gbiv.com> wrote:

> On Jun 26, 2013, at 1:22 AM, Nicholas Doty wrote:
>
> > Providing non-normative text suggesting a convention for cookies used
> for out-of-band consent sounds similar to Roy's proposal that we drop the
> JS APIs altogether in favor of such conventions. Roy, CCed, do you think
> providing such conventions (in a non-normative way) would be a useful way
> forward?
>
> No.  OOBC is (by definition) not specified by the protocol.
>
> My suggestion was that our in-band UGE be replaced by an in-band
> opt-in consent mechanism based on a specially named cookie, not
> that we specify out of band mechanisms.
>
> A site might obtain user consent via any number of mechanisms,
> including old-school written contracts with definite term
> periods.  We cannot specify how such consent is obtained,
> nor can we require that consent be revocable on demand.
>
> ....Roy
>
>
>

Received on Wednesday, 26 June 2013 11:06:50 UTC