Re: change to non-ambiguity section of P3P spec

Hi Christophe, 

We come from a user-perspective in this question. If you would
cite the whole sentence, it would be much clearer. This addresses
mostly the client-side implementation. And there it says:

If a user agent discovers more than one non-expired
P3P policy for a given URI..[1]. 

I don't see the user-agent now checking all the headers of a site
for any potential URI on that site. This can be infinite. So the
emphasis is on "discover". And this is under an "if". So there is
no rule that obliges a P3P client to scan all the potential
headers of a web-site.

From a server-side perspective, it is no problem either, as you
have control over your configuration and you SHOULD avoid
having more than one PRF covering the same URI.

How to configure servers can be found in the implementation
Guide [2].

Only to prevent a theoretical approach, there cannot be two
head-answers for one http-request.

So I think that, finally, the risk is on the server side. In the
case of declaration of multiple policies, the spec makes the
assumption that the declaring party follows all the rules it
declares.

This means that if there are two conflicting policies, you merge
them and can only collect/use data for purposes which are
allowed under both policies.

I hope that helps


Rigo Wenning            W3C/INRIA
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
+33 (0)6 73 84 87 31    F-06902 Sophia Antipolis
http://www.w3.org/

On 01-06-21 12:02, Christophe Brun-Franc wrote:
> Hi
> 
> 
> Does this sentence:
> 
> "because P3P headers for two pages on the site reference
> different policy reference files that declare different
> policies for the same URI)
> "
> 
> mean that we have to analyse all HTTP headers of the entire web site to be
> sure that we get all the different policies for a URI?
> - Of course, except if there is a reference file in a well-known location -
> 
> It seems very difficult to do that ...
> 
  1. http://lists.w3.org/Archives/Public/www-p3p-dev/2001Apr/0001.html


  2. http://www.w3.org/TR/p3pdeployment

Received on Friday, 22 June 2001 14:37:51 UTC
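
The merge rule described in the message above, sketched as an added example (not part of the original e-mail or of the P3P specification): a user agent that has discovered more than one non-expired policy for a URI keeps, per data element, only the purposes declared in every policy. The two policies are constructed samples, the function names are hypothetical, and treating a data element that a policy does not mention as having no allowed purpose is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (assumption: both were discovered for the same URI).
POLICY_A = """<POLICY name="a"><STATEMENT>
  <PURPOSE><current/><admin/><telemarketing/></PURPOSE>
  <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
</STATEMENT></POLICY>"""

POLICY_B = """<POLICY name="b"><STATEMENT>
  <PURPOSE><current/><admin/></PURPOSE>
  <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
</STATEMENT><STATEMENT>
  <PURPOSE><admin/><develop/></PURPOSE>
  <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
</STATEMENT></POLICY>"""

def local(tag):
    """Drop any XML namespace prefix so the element name can be compared."""
    return tag.rsplit("}", 1)[-1]

def allowed(policy_xml):
    """Map each DATA ref in one policy to the purposes declared for it."""
    out = {}
    for stmt in ET.fromstring(policy_xml).iter():
        if local(stmt.tag) != "STATEMENT":
            continue
        purposes, refs = set(), set()
        for el in stmt.iter():
            if local(el.tag) == "PURPOSE":
                purposes |= {local(child.tag) for child in el}
            elif local(el.tag) == "DATA" and el.get("ref"):
                refs.add(el.get("ref"))
        for ref in refs:
            # Several statements in one policy may cover the same element.
            out.setdefault(ref, set()).update(purposes)
    return out

def merge(policies):
    """Keep, per data element, only purposes allowed under every policy."""
    maps = [allowed(p) for p in policies]
    refs = set().union(*maps) if maps else set()
    # Assumption: an element missing from a policy has no allowed purpose there.
    return {r: set.intersection(*(m.get(r, set()) for m in maps)) for r in refs}

if __name__ == "__main__":
    for ref, purposes in sorted(merge([POLICY_A, POLICY_B]).items()):
        print(ref, sorted(purposes))
```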