- From: Lorrie Cranor <lorrie@research.att.com>
- Date: Thu, 26 Apr 2001 22:54:14 -0400
- To: "Sebastian Kamp" <kamp@ti.informatik.uni-kiel.de>, <www-p3p-dev@w3.org>
- Cc: <www-p3p-policy@w3.org>
> > > My suggestion was, that the host company just excludes the subtree from
> > > its policy reference file (avoiding the 1000 entries problem, see below)
> > > and the foreign company puts its policy reference file in the root of its
> > > subtree.
> >
> > We had considered this -- in fact, this is essentially what the PICS
> > spec allows. We decided not to go down this route because of
> > the added complexity (first you look in /w3c/, if no PRF is there you
> > look in /foo/w3c/, if no PRF is there you look in /foo/bar/w3c/ etc....
> > how far do you go before you give up? Or maybe we say that
> > you can put the PRF in either the root /w3c/ directory or in a sub directory
> > where the content is, but nowhere else -- so for /foo/bar/content.html
> > you would look in /foo/bar/w3c/ if the PRF in /w3c doesn't apply),

> As for (p3p user agent's) software I am still sure that a well-known location
> only solution (plus something like my suggestion or what you describe in
> parentheses here) would reduce complexity (+performance +no need for safe
> zone) by far.

It would reduce the need for the safe zone... although we're hearing from user agent implementers that for performance reasons, even when a PRF exists in the well-known location, they may fetch content before fetching and evaluating the policy - and thus there are still safe zone concerns.

> > I had assumed that if cdn.com hosts content for foo.com and bar.com, that
> > there would be some directory structure such as cdn.com/foo/ and
> > cdn.com/bar/ where all the files from foo and bar are located. But we've
> > heard from at least one CDN that in fact they use some hashing algorithm
> > and so what you really get are things like
> > cdn.com/15390u/3048038_foo_39483048.html as file names. There might be some
> > string that is common to all the file names belonging to company foo, but
> > they aren't all going to be put in a common directory.

> But doesn't the PRF at CDN still exclude the content for say foo.com in terms
> of a URL regardless of how CDN internally refers to a file 'under'
> cdn.com/foo/?

The PRF at CDN would likely exclude all of foo.com's content from its own policy. But foo.com might want them to be able to point to the foo.com policy from the CDN PRF for the appropriate content. The header mechanism makes this practical.

My feeling is that your proposal may have some advantages and is probably something that should be considered for a future version of P3P, but it probably is not compelling enough to make the change during the candidate recommendation stage of P3P1.0. But I'm interested in hearing what other folks think.

Lorrie
Received on Thursday, 26 April 2001 22:55:47 UTC