RE: The Platform for Privacy Preferences 1.0 (P3P1.0) Specification from Lorrie Cranor on 2001-12-10 (www-p3p-public-comments@w3.org from December 2001)

From: Lorrie Cranor <lorrie@research.att.com>
Date: Mon, 10 Dec 2001 15:02:22 -0500
To: "Dan Connolly" <connolly@w3.org>, <www-p3p-public-comments@w3.org>
Message-ID: <02e901c181b5$950e71a0$3e06cf87@research.att.com>

Dan,

I would like to follow up on your message to www-p3p-public-comments on
June 24, 2001 [1]. I understand that Rigo and Massimo have
discussed this issue with you, and I had assumed it had
been resolved. However, as I can find no documentation
that this issue has been resolved, I am sending you a reply now.
We would appreciate it if you would respond to us as soon as possible
to let us know whether this response is satisfactory.

I understand from Rigo and Massimo that your primary
concern has to do with the P3P group attempting to "reserve"
the name /w3c/p3p.xml. While our specification explains how
to use a file by this name, we do not prevent a file by this
name from being used for other purposes.

In your message you said:

> This /w3c/p3p.xml well-known location looks like
> a bad idea.
>
> This and the .favico and /robots.txt thingies are bad: they shift
> the choice of what name to choose for some resource
> from the publisher to the technology designer.
>
> By way of suggested alternative, I propose to delete
> the /w3c/p3p.xml stuff altogether; the
> P3P extension header is sufficient.

The working group considered this concern, but has
come to the conclusion that the well-known location
is, indeed, the best solution to the problem of allowing
user agents to quickly locate the metadata necessary
to evaluate a web site's privacy policy prior to making a
request that could potentially reveal personal information.
Furthermore, the well-known location is the easiest
mechanism for web sites to make known the location of
their policy reference file, as it does not require any server
configuration or editing a potentially large number of files.
Almost all the early adopters of P3P have chosen to
place their policy reference file at the well-known location.

Other than the philosophical issue you point out about
shifting the choice of what to name a resource, we
find no problems with our use of the well-known location. We do
offer alternatives to sites who don't wish to use this mechanism.
And our use of the name /w3c/p3p.xml does not prevent the
name from being used for unrelated purposes, as
a P3P user agent will check the xmlns attribute of any XML
it finds at that location before assuming that it has found a
P3P policy reference file.

We do not believe the P3P extension header is sufficient,
as use of this header does not allow the discovery
of a policy reference file prior to making a request that could
potentially reveal personal information. Furthermore,
use of the header is infeasible for many (mostly non-commercial)
web sites.

Regards,

Lorrie Cranor
P3P Specification Working Group Chair

[1]
http://lists.w3.org/Archives/Public/www-p3p-public-comments/2001Jun/0002.htm
l

Received on Monday, 10 December 2001 15:02:47 UTC