Re: Disavowing Legal Liability from Lorrie Cranor on 2001-08-24 (www-p3p-policy@w3.org from August 2001)

From: Lorrie Cranor <lorrie@research.att.com>
Date: Thu, 23 Aug 2001 20:39:25 -0400
To: "Ben Wright" <Ben_Wright@compuserve.com>, "P3P Policy" <www-p3p-policy@w3.org>
Message-ID: <010501c12c35$3a6263e0$3a06cf87@research.att.com>

Section 4.5 of the specification says that full policies that
include mandatory extensions must not be represented
as compact policies. The DSA token you describe sounds
like it would be a mandatory extension. Thus what you
describe is a violation of the P3P specification.

Regards,

Lorrie Cranor
P3P Specification Working Group Chair


----- Original Message -----
From: "Ben Wright" <Ben_Wright@compuserve.com>
To: "P3P Policy" <www-p3p-policy@w3.org>
Sent: Thursday, August 23, 2001 3:45 PM
Subject: Disavowing Legal Liability


> P3P Policy List:
>
> I am a lawyer studying Internet Explorer 6's implementation of P3P.
>
> Web administrators will be reacting to IE 6's P3P implementation as the
> browser is rolled out to the market.  I am concerned that administrators
> will expose themselves to unwarranted legal liability through the
> statements they try to make in compact P3P policies.  I'm looking for a
way
> to disclaim liability in compact policies.
>
> I'm thinking about suggesting that web administrators add the token "DSA"
> at the end of their compact policies.  DSA is not defined in the P3P
> specification, but it would be defined in full P3P policies and elsewhere
> as meaning that the web administrator disavows any legal liability
> associated with the compact policy.
>
> I see in the update for P3P specification section 4.2 that "If an
> unrecognized token appears in a compact policy, the compact policy has the
> same semantics as if that token was not present."
> http://www.w3.org/P3P/updates.html
>
> My question:  Suppose a user agent like IE 6 sees, with respect to a
> certain cookie, a compact policy that ends with the token "DSA". For
> purposes of the user agent's decision on how to handle the cookie, will
the
> agent simply ignore the DSA token and treat the cookie as it otherwise
> would in the absence of the token?  It seems to me that the answer should
> be yes, but I'm not technically savvy enough to know for sure.
>
> Is anyone aware of someone doing something like this?
>
> I would be happy to hear other thoughts anyone wishes to share about this
> idea.
>
> --Ben Wright
> ben_wright@compuserve.com
> tel 214-403-6642
> http://ourworld.compuserve.com/homepages/Ben_Wright
>
>

Received on Thursday, 23 August 2001 20:39:17 UTC