W3C home > Mailing lists > Public > www-p3p-dev@w3.org > April 2001

Re: locating policy reference files

From: Lorrie Cranor <lorrie@research.att.com>
Date: Tue, 24 Apr 2001 09:38:09 -0400
Message-ID: <02af01c0ccc3$cce71840$9816cf87@barbaloot>
To: "Sebastian Kamp" <kamp@ti.informatik.uni-kiel.de>, <www-p3p-dev@w3.org>
Cc: <www-p3p-policy@w3.org>
Even in the scenario you describe, the host company can include
a policy reference file that provides the policies for all the content
it hosts. The policy reference file may point to the policies for
each company that it hosts. The problem is that if a company
hosts content for a large number of clients -- say 1000 clients --
the policy reference file would have at least 1000 entries. This
is a non-trivial amount of extra data to be shipping around. Also,
we have been told by some of the content distribution networks
that their file system is not actually hierarchical, so it is not as
simple as identifying each client with a directory.


Lorrie Cranor
P3P Specification Working Group Chair

----- Original Message -----
From: "Sebastian Kamp" <kamp@ti.informatik.uni-kiel.de>
To: <www-p3p-dev@w3.org>
Cc: <www-p3p-policy@w3.org>
Sent: Tuesday, April 24, 2001 5:40 AM
Subject: locating policy reference files

> Hello,
> I have got a question regarding the different mechanisms to locate a
> reference file.
> I would very much like to find a solution that relies on wellknow-location
> like mechanisms only; the p3p user agent could fetch the policy reference
> file (that covers a certain URI) *before* it sends the actual request to
> webserver.
> This would avoid safe zone practices in the first place and
> - reduce software complexity of the user agent, and
> - make the implementation much faster,
> because the actual "p3p-logic" could be seperated from the entire
> technique. Otherwise p3p issues and http issues would get mixed, leading
> mixed responsibilities of the different "parts" of the software - at least
> from an object oriented point of view.
> The typical scenario that explains why the wellknow-location mechanism is
> enough is: one company hosts some content on its server that it is not
> responsible for, therefor excluding the subtree with the foreign content
> the own policy reference file.
> Responses to requests to a URI refering to some part of this subtree would
> then contain a reference (http header or html link-element) to the
> policy reference file - unfortunately the request has to be send first.
> Now my question: why not oblige the foreign company to put a policy
> file in the root of "their" subtree? The foreign company is in charge of
> subtree anyway.
> This would give us the possiblity to use a wellknow location like
> to fetch the apropriate policy reference file. The procedure for any
> would than always begin as follows:
> extract host information from the URI, get the policy reference file from
> wellknow location on this host, parse the file ... and maybe find out that
> the request's URI points to some subtree not covered by this policy
> file, get the policy reference file from the root of this subtree ....
> Do you think that a modification of the specification would make sense? I
> would appreciate any comments.
> Regards
> Sebastian Kamp
Received on Tuesday, 24 April 2001 09:42:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:42:49 UTC