Re: Policy Expiration Date and Cookie Expiration from Rigo Wenning on 2003-10-29 (www-p3p-policy@w3.org from October 2003)

From: Rigo Wenning <rigo@w3.org>
Date: Wed, 29 Oct 2003 20:03:58 +0100
To: Megan Cross <MCross@csatravelprotection.com>
Cc: www-p3p-policy@w3.org
Message-ID: <20031029190357.GK917@rigo.w3.org>

On Wed, Oct 29, 2003 at 10:29:43AM -0800, Megan Cross wrote:
> We are trying to implement a P3P policy, and we have some questions
> about the expiration dates on cookies.  
> 
> Given the following situation:
> We set a cookie on 11/01/2003 that expires in 1 year.   We want to
> have a shorter expiration date on our privacy policy so that we can
> change it if necessary, and we overwrite the cookie with every page
> hit.  

If you change your policy, I would suggest, that you remove the cookie
with the next exchange and set a new cookie with new expiries under the 
new policy. The expectation to have the same expiry on cookie and
policy is just some tip for less complexity. The expiry on Policy
Reference Files and Policies exists more for caching reasons. (avoid
roundtrips etc). 

In any way, the P3P Specification expects, that you honor the privacy
policy present on set-cookie for the lifetime of the cookie. (P3P1.0) If
you change your policy and replay the cookie, it is supposed to be
replayed under the old policy. Browsers don't test at replay until now.
It is a bit like a contract. Your car-dealer can't come 2 years later
and say: 'gee, we've changed the price and you owe us $500 more'. 

You can overcome the burden of changing the cookie, if your clients
agree to the use of the cookie under the new policy. But this is more
complex than just using a new cookie.

> 
> Do we still need to set the expiration date on the policy to be as
> long as the cookie expiration date?  I read somewhere that as long as
> we reset the cookie each time, this is not necessary.

No, definitely not. Those expiration dates on PRF and Policy don't mean
that you think your policy is valid for this amount of time. It is just
a caching for the browser, so that he does not have to check it every
time. E.g. I've set the expiry on w3.org for one week. Within that week,
for transition, I have to honor both policies, the old and the new one.
This is no trouble, if the policy changes towards more privacy friendly.
But if it is less privacy friendly, you can enact those changes only
after the expiry is over, in my case after one week and only for new
requests.

Best, 
-- 
Rigo Wenning            W3C/ERCIM
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis

Received on Wednesday, 29 October 2003 14:04:05 UTC