W3C home > Mailing lists > Public > public-tracking@w3.org > March 2013

Re: ACTION-357: Add service provider option text (with jmayer) as an issue in the draft with an option box

From: Rigo Wenning <rigo@w3.org>
Date: Fri, 22 Mar 2013 12:22:26 +0100
To: public-tracking@w3.org
Cc: David Singer <singer@apple.com>
Message-ID: <4458387.XhjmEZl8Cf@hegel.sophia.w3.org>
David, 

the proposed solution only works if the browser implements TSR. Nobody 
does that so far. So this is the condition under which it could work. No 
TSR, no possibility to solve this issue unless you store something into 
the exception store which has an entire different set of problems. 

more in line

On Friday 15 March 2013 16:29:00 David Singer wrote:
> So, proposed changes, including two minor changes:
> 
> A] 5.2, definition of '1' tracking status value, says
> 
> 
> 1       First party: The designated resource is designed for use
> within a first-party context and conforms to the requirements on a
> first party. 
fine..

> If the designated resource is operated by an outsourced
> service provider, the service provider claims that it conforms to the
> requirements on a third party acting as a first party.
If the value of '1' is played back by a service outside the domain of 
the origin first identified as a first party, this resource claims to 
belong to the first party or to a service serving the party with no own 
rights to further processing data outside the permitted uses. 

> 
> perhaps it would be better if the last few words said "acting FOR a
> first party"?

"no own rights for processing outside the permitted uses" is the idea I 
wanted to capture above.. "acting for" is an imprecise equivalent that 
sounds nicer. 
> 
> 
> B] In 5.5.3 we find
> 
> An origin server may send a member named first-party that has an array
> value containing a list of URI references that indirectly identify
> the first party (or set of parties) that claims to be the responsible
> data controller for personal data collected via the designated
> resource. An origin server that does not send first-party is implying
> that its domain owner is the sole first party and that information
> about its policies ought to be found on this site's root page, or by
> way of a clearly indicated link from that page (i.e., no first-party
> member is equivalent to:"first-party":["/"]).
> 
> 
> 
> I suspect we need a (s) after data controller, here "that indirectly
> identify the first party (or set of parties) that claims to be the
> responsible data controller(s) for personal data"
> 
> 
> 
> C] And the change from above, changing the WKR first-party member to
> data-controller, or a similar term which allow its use for providing
> service to a 3rd party (who in turn may have consent).


Fine by me

 --Rigo
Received on Friday, 22 March 2013 11:22:49 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:07 UTC