P3P: General Comments

Hi,

Here are some general comments on P3P - w.r.t. the P3P specifications
and related materials - as it stands.

Firstly, a few comments on the CR specification at:-

   http://www.w3.org/TR/2000/CR-P3P-20001215/

> 2.2.1 Well-Known Location

I think that the well-known location for any non-recommendation (and
even possibly the recommendation) versions of P3P should be a date
stamped area, to avoid confusion. It may already be too late, but if
you start using "/w3c/p3p.xml" as the well-known location for all of
the draft versions, there is no way that a user agent can know what
version the file is until it dereferences it. You could cut out a step
by asking people to use "/2000/12/w3c/p3p.xml", or perhaps
"/w3c/2001-12-p3p.xml" as the CR version, and so on for all future
versions.

It's difficult to keep track of previous versions of policies (as the
spec. recommends) if different versions of P3P all use the same URI.

> 2.2.2 HTTP Headers [...]

> `policyref="` URI `"`

Why aren't relative URI references permitted? It seems to me that
allowing this would allow people to cut down on data, and also save
time on some requests.

> P3P: policyref="http://catalog.example.com/P3P/PolicyReferences.xml"

[[[
The P3P header can be added to an HTTP response from IIS using Active
Server Pages (ASP) [...]
]]] - http://www.w3.org/TR/2001/NOTE-p3pdeployment-20010510

Indeed it can, using the following code:-

   <%
      Response.Buffer = TRUE
      Response.AddHeader "P3P", "policyref=""http://x.org/p3p.xml"""
      Response.Flush
   %>

Where http://x.org/p3p.xml is obviously the policy's location.

> 2.2.3 The HTML link Tag [...]
> <link rel="P3Pv1"
>     href="http://catalog.example.com/P3P/PolicyReferences.xml">

Error: this link form is illegal in HTML 4.01 onwards; list of link
types is clearly enumerated [1] in HTML 4.01, and "P3Pv1" isn't in
there. The only way to extend the list of link types is to point to a
metadata profile by setting the "profile" attribute on the <head>
element. I suggest you simply define the namespace for P3P as being a
metadata profile in (X)HTML and use that, so that the code becomes:-

   <head profile="http://www.w3.org/2000/12/P3Pv1">
   <link rel="P3Pv1"
        href="http://catalog.example.com/P3P/PolicyReferences.xml">

> 2.3.2.5 The INCLUDE and EXCLUDE elements

The exact cascading of these elements is not specified - do the latter
elements always take precedence over the earlier ones?

> 3. Policy Syntax and Semantics
> P3P policies are encoded in XML. They may also be represented
> using the RDF data model ([RDF]); however, an RDF representation
> is not included in this specification. (Such a representation is
> planned to be made available as a W3C Note prior to submitting P3P
> as a Proposed Recommendation, together with a suitable RDF
> encoding of the policy reference file).

I haven't yet been able to find any public justification for using a
flat XML model to represent the P3P system over RDF (maybe I'm not
looking hard enough; if there is one, please accept my apologies).
Submitting it as a note afterwards implies that it won't be a part of
the recommendation as it stands, and hence any implementations thereof
will be proprietary. Because the RDF data model is such a precise and
repurposable model, I have to wonder why you didn't use this in the
first place, although the two most likely reasons that come to mind
are 1) simplicity, and 2) trouble in representing the datatypes. Both
of these are fair points, but you might want to look into some of the
DAML [2] work on datatypes and structuring, especially the 2001 March
version [3].

Of course, I would raise this point, because I'm an RDF developer :-)

> 3.2.4 The ENTITY element
>
> [...] `<DATA ref="#business.name"/>` PCDATA "</DATA>"

"business.name"? That might stop a lot of private entities from
creating privacy policies - or do privacy policies only apply to
registered companies? Judging by the list of compliant sites [4] even
people's homepages can be covered, and indeed I have put a P3P policy
on my own site, so I suggest you change "business.name" to be
something a little more abstract. For example, you could use
"entity.", and then have something like "entity.name" for private
policy creators, and "entity.business.name" for corporate policy
creators.

And more generally...

[[[
Should this specification prove very difficult or impossible
to implement, [...]
]]] - http://www.w3.org/TR/2000/CR-P3P-20001215/

Clearly not impossible because there are implementations, and perhaps
not difficult as soon as there are multiple widely-available
non-commercial software for doing so. After a couple of hours of
reading the specification and all related materials, browsing through
some P3P compliant sites, checking out tools and downloading them, and
setting up my Website, I actually managed to produce a half-decent P3P
policy for infomesh.net that validates correctly. Note that eventually
I just hacked out my policies by hand.

What I think you *do* need is more in the way of tutorials and
introductory material, although given the instability of P3P at the
moment, you'll probably want to hold back until Rec. This is a neat
project, and I have no doubts that tools and implementations will be
forthcoming :-)

As a minor sub-note, you might want to look into using EARL [5] as a
machine readable alternative for the P3P validator [6]. I'll probably
be hacking up a sample output in the near future, perhaps as part of
WAI ERT process.

Good work everyone,

[1] http://www.w3.org/TR/html401/types.html#type-links
[2] http://www.daml.org/
[3] http://www.daml.org/2001/03/daml+oil.daml
[4] http://www.w3.org/P3P/compliant_sites
[5] http://www.w3.org/2001/03/earl/
[6] http://www.w3.org/P3P/validator/20001215/

--
Kindest Regards,
Sean B. Palmer
@prefix : <http://webns.net/roughterms/> .
:Sean :hasHomepage <http://purl.org/net/sbp/> .

Received on Sunday, 13 May 2001 12:03:12 UTC
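
Added example, not part of the original message or of any P3P implementation: a sketch of how a user agent could collect policy reference file URIs from the `P3P` header and the well-known location discussed above, with relative `policyref` values resolved against the request URI as the message proposes. The function name, the `allow_relative` switch, the candidate ordering and the HTTP(S)-only scheme filter are assumptions of this sketch.

```python
import re
from urllib.parse import urljoin, urlsplit

WELL_KNOWN_PATH = "/w3c/p3p.xml"  # well-known location named in the message
POLICYREF_RE = re.compile(r'policyref\s*=\s*"([^"]*)"', re.IGNORECASE)


def policy_ref_candidates(request_uri, headers, allow_relative=False):
    """List the policy reference file URIs to try for one HTTP response.

    headers is a list of (name, value) pairs. Header-supplied references come
    first and the well-known location last; that ordering is an assumption of
    this sketch, not something stated in the message.
    """
    candidates = []
    for name, value in headers:
        if name.strip().lower() != "p3p":
            continue
        for ref in POLICYREF_RE.findall(value):
            ref = ref.strip()
            if not ref:
                continue
            parts = urlsplit(ref)
            if parts.scheme:
                # Absolute URI: only fetch over HTTP(S), never file:, data:, etc.
                if parts.scheme.lower() in ("http", "https") and parts.netloc:
                    candidates.append(ref)
                continue
            if allow_relative:
                # Relative reference: resolve against the URI that was requested.
                candidates.append(urljoin(request_uri, ref))
    well_known = urljoin(request_uri, WELL_KNOWN_PATH)
    if well_known not in candidates:
        candidates.append(well_known)
    return candidates


if __name__ == "__main__":
    # Constructed sample response for a page on the host used in the spec excerpt.
    page = "http://catalog.example.com/shop/item?id=1"
    absolute = [("P3P", 'policyref="http://catalog.example.com/P3P/PolicyReferences.xml"')]
    relative = [("P3P", 'policyref="/P3P/PolicyReferences.xml"')]
    print(policy_ref_candidates(page, absolute))
    print(policy_ref_candidates(page, relative))                       # CR rule
    print(policy_ref_candidates(page, relative, allow_relative=True))  # proposal
```

With `allow_relative=False` a relative `policyref` is ignored and only the well-known location remains, which is the behaviour the message questions.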