Re: Hints mechanism

> Having just read over the paragraph in the latest (sep) p3p spec about the
> new hints mechanism, I have 2 questions
> 1. The following is confusing me:
>
>   "Before using a hinted policy reference, the user agent MUST check the
>   well-known location and give precedence to any policy references directly
>   declared by the host, with the well-known location taking the highest
>   precedence."
>
>   What exactly does "directly declared" mean - it is not clear to me whether
>   this includes the p3p http header mechanism and link tag mechanisms or
>   not.

Yes, these are included.

>   If it does, then I can't see what use the hints mechanism can be.

The site might not reference a prf at all, in which case the hint
may be used. Or, the site may not use the wkl, in which case the
hint can be used unless or until a link tag or header is encountered.
If a contradictory link or header is found later, that takes precedence.

>   If however, it allows user agents to make use of policy reference files
>   even if there turns out to be no prf in the well-known location, then
>   does this allow unknown 3rd parties to state the location of a policy
>   reference file. If so, doesn't this allow for the possibility of malicious
>   behavior - 3rd party sites referring to bogus policy reference files?

There is a limited risk, but because of the relative URL requirements,
it is difficult to exploit this.

>   2. Am I right in saying that policy reference files (and policies) do not
>   have to be located on the domain they are applied to? If this is the case,
>   doesn't this, combined with the hints mechanism, allow people to put up
>   completely bogus policies and prf files?

Policies can be located anywhere.

Policy reference files can only use relative URIs. Thus,
at the well-known-location they apply only to
URIs on the same host. When referenced via the link tag
or HTTP header method, they are interpreted relative to
the URI to which they are applied.

So.... because of the limitation to using relative URIs, it
eliminates most ways that people could assign bogus
policies to someone else. About the only thing that could
happen is that I could point to a policy file at another site
(which I believe applies to my content), and unknown to me
that party might change that policy. But, I should only point
to policies at other sites if I have relationships with them.

We spent a lot of time on this to make sure this mechanism
couldn't be abused.

Lorrie
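As an added illustration (not part of this thread, and not code from the P3P specification or any user agent), the two rules Lorrie describes in Python: the precedence a user agent applies when choosing a policy reference file, and the relative-URI rule that keeps a policy reference file hosted on one site from claiming URIs on another. It assumes the P3P 1.0 well-known location `/w3c/p3p.xml`, assumes the HTTP header is consulted before the link tag (the thread only says both rank above a hint and below the well-known location), and reduces the spec's INCLUDE/EXCLUDE pattern matching to simple `*` wildcards. The host names and patterns are constructed for the example.

```python
from fnmatch import fnmatchcase
from urllib.parse import urljoin, urlsplit

# P3P 1.0 well-known location for a site's policy reference file (PRF).
WELL_KNOWN_LOCATION = "/w3c/p3p.xml"

# Precedence described in the thread: the well-known location first, then
# references the host declares directly (HTTP header, HTML <link> tag), and a
# hint only when none of those exist.  Header-before-link-tag is an assumption
# for this example; the thread does not rank those two against each other.
PRECEDENCE = ("well-known-location", "http-header", "link-tag", "hint")


def choose_prf(declared):
    """Pick the PRF a user agent should use.

    `declared` maps a source name from PRECEDENCE to the PRF URI found there
    (absent or None when that source provided nothing).  Returns a
    (source, uri) pair, or (None, None) when no reference exists at all.
    """
    for source in PRECEDENCE:
        uri = declared.get(source)
        if uri:
            return source, uri
    return None, None


def resolve_scope_uri(pattern, base_uri):
    """Resolve an INCLUDE/EXCLUDE pattern from a PRF against the PRF's base.

    The base is the well-known location URI when the PRF was found there, or
    the URI the PRF was applied to when it came via a link tag or HTTP header.
    Absolute patterns (with a scheme or a host part) are rejected, as are
    patterns that would resolve onto a different host than the base, so the
    PRF can only ever describe URIs on the host that served the base.
    Returns the absolute pattern, or None when it is rejected.
    """
    parts = urlsplit(pattern)
    if parts.scheme or parts.netloc:
        return None  # absolute or scheme-relative URI: not allowed in a PRF
    resolved = urljoin(base_uri, pattern)
    if urlsplit(resolved).netloc != urlsplit(base_uri).netloc:
        return None  # e.g. "../../" games that escape the host (defensive)
    return resolved


def prf_covers(prf_base_uri, includes, excludes, target_uri):
    """True if a PRF with these INCLUDE/EXCLUDE patterns claims target_uri.

    Patterns are resolved with resolve_scope_uri(); rejected patterns simply
    never match.  Wildcard handling is simplified to fnmatch-style "*".
    """
    def matches(patterns):
        for pattern in patterns:
            absolute = resolve_scope_uri(pattern, prf_base_uri)
            if absolute is not None and fnmatchcase(target_uri, absolute):
                return True
        return False

    return matches(includes) and not matches(excludes)


if __name__ == "__main__":
    # Constructed scenario: the site's own PRF at the well-known location.
    site_prf = "https://shop.example" + WELL_KNOWN_LOCATION
    print(choose_prf({"well-known-location": site_prf, "hint": "https://other.example/prf.xml"}))
    print(prf_covers(site_prf, ["/account/*"], ["/account/admin/*"],
                     "https://shop.example/account/profile"))
    # Constructed scenario: a hinted PRF on another host trying to claim
    # shop.example with an absolute pattern; the pattern is rejected, and the
    # only relative pattern resolves against the third party's own host.
    print(prf_covers("https://other.example/prf.xml",
                     ["https://shop.example/*", "/*"], [],
                     "https://shop.example/index.html"))
```

Running the block prints the well-known-location choice, `True` for the site's own account pages (with the admin exclusion honoured), and `False` for the third-party PRF, which is the outcome the relative-URI requirement is meant to guarantee.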

Received on Friday, 28 September 2001 10:06:56 UTC