- From: Ken Martin <ken@kpmartin.com>
- Date: Thu, 20 Sep 2001 14:03:09 -0500
- To: <www-p3p-policy@w3.org>
on 9/20/01 1:00 PM, Andreas Färber at andreas.faerber@web.de wrote:

> But what you're saying basically means to
> me that your service has been dependent on a small number of browsers,
> namely Microsoft Internet Explorer 3+, Netscape Navigator 3+, Opera and
> some others. Additionally you seem to require your or others' users to
> accept one or more Cookies in order for your service to work (otherwise you
> would not have any problem with IE6 blocking Cookies based on P3P). Using
> Cookies to save user preferences is clearly not unethical or something, I do
> the same thing on one of my sites. But you already have two factors of
> uncertainty there.

Well, again, I think you're approaching this from a philosophical perspective. The "two factors of uncertainty" really aren't. We successfully deliver a web-based product specifically designed to be used in browsers. IE3+, NN3+, Opera and the rest are something that I can pretty much bank on. My logs and industry logs show that. We, of course, tell our users from the outset that cookies must be there to begin with, and error them out if they're not enabled. We have 220,000 (and growing daily) users making it past these "two factors of uncertainty" perfectly fine.

All I'm saying is in reality... today... now... a use of cookies (an old and well-adopted standard) is now broken by a new standard's implementation and that it is necessary (or forced) that I get this working to ensure our users have *the same functionality they've always had*. We're not talking some obscure JavaScript that takes advantage of a proprietary DOM here... we're talking simple cookies.

I've worked hard to try to implement P3P correctly. Lorrie Cranor has been kind enough to help me and has found errors I've made. I've read tons of stuff both at the MS site and the W3C site. I seem basically compliant here...
<http://validator.w3.org/p3p/20001215/p3p.pl?uri=frame.my-cast.com%2Fstd%2Flogin.jsp>

...and though there are things I'm *sure* that need fixing, the CP has none of the things that IE6 is supposed to reject.

It's a very plain reality to me that this does force additional work. Being in support of privacy concepts in general, and wanting our product to work as always for our customers, I'm fine with that and have spent many hours trying to get it working.

I've been web programming for years and am quite familiar that the ground is constantly shifting. I would like to use CSS-2, but can't due to lack of support. I would like to not use structural tables, but can't avoid it in some cases. But IE6+P3P(CP) doesn't let me decide. I must comply (which isn't exactly clear how to), or have whatever percentage of 220,000 users manually set the privacy, or redesign and reprogram a complex interdependent backend, or fail. No other options.

Add in the fact that sometimes the HTTP response is handled by the server and sometimes by the backend (Java in our case) and implementation becomes tougher still. This might seem very easy and 'cut and dry' to those 'in the know', but IE6+P3P is brand new news with not the greatest tools and test capabilities for implementation.

> ...if you want to have your system functioning in these different
> situations, you need a system that does not *depend* on Cookies...

When we started this huge project, there was no risk that anyone had heard of that simple cookies going back to the minimal domain that wrote them was going to be an issue. The W3C obviously understands this kind of issue as (for example) the HTML spec has always taken pains to be backward compatible.

Also, there would be *a lot* of work to get session tracking to work in our JSP environment since we are load balanced. Besides, a key desire in our product is to just hit the page and already be logged in. Cookies are really what we and our customers want.

We are a legitimate company trying to use a good and time-tested technology (cookies) in a way that is meant only to serve the customer. Though we offend none of the stated unsatisfactory IE6 compact tokens (in reality and in the actual CP), our product is broken in IE6.

Now, you could say IE6+P3P is not forcing anything. Of course... I could become a farmer and IE6 would not affect me. But since I simply want to continue to deliver web content the way I always have, well yes... I'm forced.

> If you are "supportive of P3P" then you clearly see that the approach Mr.
> Wright is trying to take is not the right one and does not solve the problem
> of Cookies not being sent to the server.

I've obviously moved this to a different discussion, but though I am quite supportive of a structured, standardized way to deal with privacy, if there is the possibility that *a P3P policy can be used legally against someone* then I think it may need to accommodate the unfortunate subtleties of law that corporations require. I.e. if it can be used legally, it should address legal concerns. I otherwise have no comment or opinion to those ends.

Ken Martin

Received on Thursday, 20 September 2001 15:10:00 UTC