- From: Rigo Wenning <rigo@w3.org>
- Date: Fri, 28 Sep 2001 11:31:50 +0200
- To: www-p3p-dev@w3.org
Forwarded message (moderator action):

- From: "Giles Hogben" <giles@ontv.com>
- To: <www-p3p-dev@w3.org>
- Date: Fri, 28 Sep 2001 14:36:31 +0200
- Subject: [Moderator Action] Hints mechanism

Hi,

Having just read over the paragraph in the latest (Sep) P3P spec about the new hints mechanism, I have 2 questions.

1. The following is confusing me:

"Before using a hinted policy reference, the user agent MUST check the well-known location and give precedence to any policy references directly declared by the host, with the well-known location taking the highest precedence."

What exactly does "directly declared" mean? It is not clear to me whether this includes the P3P HTTP header mechanism and link tag mechanisms or not. If it does, then I can't see what use the hints mechanism can be. If, however, it allows user agents to make use of policy reference files even if there turns out to be no pref in the well-known location, then does this allow unknown 3rd parties to state the location of a policy reference file? If so, doesn't this allow for the possibility of malicious behavior: 3rd party sites referring to bogus policy reference files?

2. Am I right in saying that policy reference files (and policies) do not have to be located on the domain they are applied to? If this is the case, doesn't this, combined with the hints mechanism, allow people to put up completely bogus policies and PRF files?

Thanks

Giles Hogben
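The precedence rule quoted in the message, modelled as an added example of how a user agent would apply it (this is not code from the mail, the P3P spec or any user agent). The names `HostDeclarations`, `Hint` and `resolve_prf` are invented here, the fetch results are constructed, and the hint's scope/path shape plus the check that a hinted PRF must live on the visited host are assumptions of the example, not statements of the spec.

```python
# Added example: a user agent applying the quoted precedence rule.
# Fixtures are constructed; the HINT scope/path shape and the
# same-host check on hinted targets are assumptions of this example.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin, urlparse

WELL_KNOWN = "/w3c/p3p.xml"  # P3P well-known location for the PRF


@dataclass
class HostDeclarations:
    """What the visited host declares about itself (constructed)."""
    well_known_exists: bool = False             # GET /w3c/p3p.xml found a PRF
    p3p_header_policyref: Optional[str] = None  # P3P: policyref="..."
    link_policyref: Optional[str] = None        # <link rel="P3Pv1" href="...">


@dataclass
class Hint:
    """A hint found in some other site's PRF (assumed scope + path shape)."""
    scope: str   # URI prefix the hint claims to cover
    path: str    # where the hinter says that scope's PRF lives
    source: str  # URL of the third-party PRF carrying the hint (for audit)


def resolve_prf(page_url: str, host: HostDeclarations, hints):
    """Return (prf_url, origin): the PRF a cautious agent would use."""
    # 1. The well-known location always takes the highest precedence.
    if host.well_known_exists:
        return urljoin(page_url, WELL_KNOWN), "well-known"
    # 2. Anything the host declares directly beats any third-party hint.
    if host.p3p_header_policyref:
        return urljoin(page_url, host.p3p_header_policyref), "p3p-header"
    if host.link_policyref:
        return urljoin(page_url, host.link_policyref), "link-tag"
    # 3. Only now consult hints: the scope must cover the page, and the
    #    hinted PRF must live on the page's own host, so a hinter cannot
    #    substitute a PRF it controls (assumed check, see the lead-in).
    page_host = urlparse(page_url).netloc
    for h in hints:
        if not page_url.startswith(h.scope):
            continue
        candidate = urljoin(h.scope, h.path)
        if urlparse(candidate).netloc == page_host:
            return candidate, "hint:" + h.source
    return None, "none"
```

The `origin` value is returned so an agent can log when a policy came from a hint rather than from the host itself.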
Received on Friday, 28 September 2001 11:05:47 UTC