- From: Yuichi Koike <koike@ay.jp.nec.com>
- Date: Tue, 17 Apr 2001 15:27:01 +0900
- To: <www-p3p-public-comments@w3.org>
- Message-ID: <001f01c0c707$6998e460$3838380a@mmp.cl.nec.co.jp>
----- Original Message -----
From: Bryan Kocol
To: koike@ay.jp.nec.com ; p3p-comments@w3.org
Sent: Tuesday, April 17, 2001 11:08 AM
Subject: Potential problem with P3P validator or P3P spec?

Dear Mr. Koike and the W3C:

I have noticed a possible problem in the way your P3P validator is validating the P3P candidate recommendation, which potentially may be a contradiction in the P3P candidate recommendation itself. This problem is also replicated in the IE 6 beta version.

My problem is this: I am trying to validate a privacy policy which is set in the header for this URL:

    http://ww3.hitbox.com/bryan/tests/cookieme3.cgi

This includes the policy reference:

    policyref="http://hitbox.com/w3c/p3p.xml"

and this policy reference contains the following:

    <META xmlns="http://www.w3.org/2000/12/P3Pv1">
      <POLICY-REFERENCES>
        <POLICY-REF about="/w3c/hitbox.xml">
          <INCLUDE>/*</INCLUDE>
        </POLICY-REF>
      </POLICY-REFERENCES>
    </META>

However, both your validator and IE 6 have this problem:

"Policy Reference File does not specify P3P policy for http://ww3.hitbox.com/bryan/tests/cookieme3.cgi"

This is not true, and it appears there is a bug in your validator. According to the P3P candidate recommendation, section 2.2.2:

"The policyref directive gives a URI which specifies the location of the policy reference file which will state the P3P policy covering the document that pointed to the reference file, and possibly others as well..... The policyref URI MUST NOT be used for any other purpose beyond identifying and referencing P3P policies."

However, it appears that your validator is using the policyref URI to identify which host the reference file applies to, rather than using the document pointing to the reference file.

The problem becomes more complex here in section 2.3.2.5:

"A policy reference file can only cover URIs on the same host as the reference file. Therefore, the INCLUDE and EXCLUDE elements MUST specify only local URI prefixes; they MUST NOT refer to URIs on other hosts."

This appears to be in contradiction with 2.2.2, or at least to nullify any of its implications. In effect, 2.3.2.5 is saying that the policyref URI MUST reside on the same host as the document that is pointing to that reference file. Is this the case? If so, it should be clarified in 2.2.2. Or is it a bug?

If it's not a bug, the implications would be that I need to specify a different policy reference file for "hitbox.com", "www.hitbox.com" and "ww3.hitbox.com" because the policy reference file can only cover URIs with the same host. Is this a correct assessment?

I also noticed that using the <EMBEDDED-INCLUDE> method to include different hostnames in the policy reference file did not pass your validator or IE6 as well.

I appreciate your response on this, thank you in advance for addressing this issue. I will be awaiting your reply.

Sincerely,
Bryan Kocol

=========================================================
WebSideStory, Inc. -10182 Telesis Court - San Diego, CA 92121
Phone 858-546-0040 Fax 858-546-0480
WebSideStory: http://websidestory.com
StatMarket: http://statmarket.com
HitBOX: http://hitbox.com
Yep: http://yep.com

Received on Tuesday, 17 April 2001 02:27:07 UTC
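
The same-host reading of section 2.3.2.5 quoted in the message, applied to the message's own URLs, as an added example (not code from the validator, IE 6 or the message author). The function names are hypothetical, and treating `*` as a wildcard matched against the whole local path, and comparing hosts without the port, are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

P3P_NS = "{http://www.w3.org/2000/12/P3Pv1}"

# Policy reference file as quoted in the message.
PRF_XML = """<META xmlns="http://www.w3.org/2000/12/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/w3c/hitbox.xml">
   <INCLUDE>/*</INCLUDE>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""


def _matches(pattern, path):
    # Assumption: '*' matches any run of characters, all else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def _patterns(policy_ref, tag):
    # Collect the non-empty text of the INCLUDE or EXCLUDE children.
    return [e.text.strip() for e in policy_ref.findall(P3P_NS + tag) if e.text]


def covering_policy(prf_xml, prf_uri, document_uri):
    """Return the 'about' value of the POLICY-REF covering document_uri,
    or None when the reference file does not cover it."""
    prf, doc = urlsplit(prf_uri), urlsplit(document_uri)
    # Same-host rule: a reference file covers only URIs on its own host,
    # so the host is taken from the reference file's URI.
    if (prf.hostname or "").lower() != (doc.hostname or "").lower():
        return None
    path = doc.path or "/"
    for ref in ET.fromstring(prf_xml).iter(P3P_NS + "POLICY-REF"):
        included = any(_matches(p, path) for p in _patterns(ref, "INCLUDE"))
        excluded = any(_matches(p, path) for p in _patterns(ref, "EXCLUDE"))
        if included and not excluded:
            return ref.get("about")
    return None


if __name__ == "__main__":
    doc = "http://ww3.hitbox.com/bryan/tests/cookieme3.cgi"
    for prf in ("http://hitbox.com/w3c/p3p.xml", "http://ww3.hitbox.com/w3c/p3p.xml"):
        print(prf, "->", covering_policy(PRF_XML, prf, doc))
```

Under this reading, the reference file at `hitbox.com` yields no policy for the `ww3.hitbox.com` document, while the same file served from `ww3.hitbox.com` does.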