- From: Sean B. Palmer <sean@mysterylights.com>
- Date: Sun, 13 May 2001 17:00:05 +0100
- To: <www-p3p-public-comments@w3.org>
Hi,

Here are some general comments on P3P - w.r.t. the P3P specifications and related materials - as it stands. Firstly, a few comments on the CR specification at:-

http://www.w3.org/TR/2000/CR-P3P-20001215/

> 2.2.1 Well-Known Location

I think that the well-known location for any non-recommendation (and even possibly the recommendation) versions of P3P should be a date stamped area, to avoid confusion. It may already be too late, but if you start using "/w3c/p3p.xml" as the well-known location for all of the draft versions, there is no way that a user agent can know what version the file is until it dereferences it. You could cut out a step by asking people to use "/2000/12/w3c/p3p.xml", or perhaps "/w3c/2001-12-p3p.xml" as the CR version, and so on for all future versions. It's difficult to keep track of previous versions of policies (as the spec. recommends) if different versions of P3P all use the same URI.

> 2.2.2 HTTP Headers
> [...]
> `policyref="` URI `"`

Why aren't relative URI references permitted? It seems to me that allowing this would allow people to cut down on data, and also save time on some requests.

> P3P: policyref="http://catalog.example.com/P3P/PolicyReferences.xml"

[[[
The P3P header can be added to an HTTP response from IIS using Active Server Pages (ASP) [...]
]]] - http://www.w3.org/TR/2001/NOTE-p3pdeployment-20010510

Indeed it can, using the following code:-

   <%
   ' Buffer the response so the header is set before any body output is sent
   Response.Buffer = TRUE
   ' Doubled quotes yield a literal " inside the VBScript string
   Response.AddHeader "P3P", "policyref=""http://x.org/p3p.xml"""
   Response.Flush
   %>

Where http://x.org/p3p.xml is obviously the policy's location.

> 2.2.3 The HTML link Tag
> [...]
> <link rel="P3Pv1"
> href="http://catalog.example.com/P3P/PolicyReferences.xml">

Error: this link form is illegal in HTML 4.01 onwards; the list of link types is clearly enumerated [1] in HTML 4.01, and "P3Pv1" isn't in there. The only way to extend the list of link types is to point to a metadata profile by setting the "profile" attribute on the <head> element. I suggest you simply define the namespace for P3P as being a metadata profile in (X)HTML and use that, so that the code becomes:-

   <head profile="http://www.w3.org/2000/12/P3Pv1">
   <link rel="P3Pv1" href="http://catalog.example.com/P3P/PolicyReferences.xml">

> 2.3.2.5 The INCLUDE and EXCLUDE elements

The exact cascading of these elements is not specified - do the latter elements always take precedence over the earlier ones?

> 3. Policy Syntax and Semantics
> P3P policies are encoded in XML. They may also be represented
> using the RDF data model ([RDF]); however, an RDF representation
> is not included in this specification. (Such a representation is
> planned to be made available as a W3C Note prior to submitting P3P
> as a Proposed Recommendation, together with a suitable RDF
> encoding of the policy reference file).

I haven't yet been able to find any public justification for using a flat XML model to represent the P3P system over RDF (maybe I'm not looking hard enough; if there is one, please accept my apologies). Submitting it as a note afterwards implies that it won't be a part of the recommendation as it stands, and hence any implementations thereof will be proprietary. Because the RDF data model is such a precise and repurposable model, I have to wonder why you didn't use this in the first place, although the two most likely reasons that come to mind are 1) simplicity, and 2) trouble in representing the datatypes. Both of these are fair points, but you might want to look into some of the DAML [2] work on datatypes and structuring, especially the 2001 March version [3]. Of course, I would raise this point, because I'm an RDF developer :-)

> 3.2.4 The ENTITY element
>
> [...] `<DATA ref="#business.name"/>` PCDATA "</DATA>"

"business.name"? That might stop a lot of private entities from creating privacy policies - or do privacy policies only apply to registered companies? Judging by the list of compliant sites [4] even people's homepages can be covered, and indeed I have put a P3P policy on my own site, so I suggest you change "business.name" to be something a little more abstract. For example, you could use "entity.", and then have something like "entity.name" for private policy creators, and "entity.business.name" for corporate policy creators.

And more generally...

[[[
Should this specification prove very difficult or impossible to implement, [...]
]]] - http://www.w3.org/TR/2000/CR-P3P-20001215/

Clearly not impossible because there are implementations, and perhaps not difficult as soon as there are multiple widely-available non-commercial software packages for doing so. After a couple of hours of reading the specification and all related materials, browsing through some P3P compliant sites, checking out tools and downloading them, and setting up my Website, I actually managed to produce a half-decent P3P policy for infomesh.net that validates correctly. Note that eventually I just hacked out my policies by hand.

What I think you *do* need is more in the way of tutorials and introductory material, although given the instability of P3P at the moment, you'll probably want to hold back until Rec. This is a neat project, and I have no doubts that tools and implementations will be forthcoming :-)

As a minor sub-note, you might want to look into using EARL [5] as a machine readable alternative for the P3P validator [6]. I'll probably be hacking up a sample output in the near future, perhaps as part of the WAI ERT process.

Good work everyone,

[1] http://www.w3.org/TR/html401/types.html#type-links
[2] http://www.daml.org/
[3] http://www.daml.org/2001/03/daml+oil.daml
[4] http://www.w3.org/P3P/compliant_sites
[5] http://www.w3.org/2001/03/earl/
[6] http://www.w3.org/P3P/validator/20001215/

--
Kindest Regards,
Sean B. Palmer
@prefix : <http://webns.net/roughterms/> .
:Sean :hasHomepage <http://purl.org/net/sbp/> .
Received on Sunday, 13 May 2001 12:03:12 UTC
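As an added worked example (not part of the mail above, nor code from the P3P working group), the following Python shows the two mechanisms the mail discusses from the user-agent side: extracting the `policyref` from a `P3P:` header (resolving a relative reference, which the mail notes the CR does not permit) and applying a policy reference file's INCLUDE/EXCLUDE patterns to decide which policy covers a request. The policy reference file is constructed for this example; the cascade rule (EXCLUDE overrides INCLUDE within one POLICY-REF, first matching POLICY-REF in document order wins) and the `*`-only wildcard are assumptions made to answer the mail's 2.3.2.5 question, not a statement of what the CR specifies.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Namespace URI the mail quotes as the P3P CR namespace / profile URI.
P3P_NS = "http://www.w3.org/2000/12/P3Pv1"

# Constructed policy reference file for this example (not from any real site).
SAMPLE_POLICY_REFERENCES = """<META xmlns="http://www.w3.org/2000/12/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/P3P/Policies.xml#first">
   <INCLUDE>/*</INCLUDE>
   <EXCLUDE>/servlet/*</EXCLUDE>
   <EXCLUDE>/cgi-bin/*</EXCLUDE>
  </POLICY-REF>
  <POLICY-REF about="/P3P/Policies.xml#second">
   <INCLUDE>/servlet/*</INCLUDE>
   <EXCLUDE>/servlet/unknown</EXCLUDE>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""

def policyref_from_header(header_value: str, response_url: str) -> Optional[str]:
    """Pull policyref="..." out of a P3P header and resolve it against the
    response URL. Assumption: relative references are accepted (the mail notes
    the CR text does not permit them); absolute ones pass through unchanged."""
    m = re.search(r'policyref="([^"]*)"', header_value)
    return urljoin(response_url, m.group(1)) if m else None

def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: '*' matches any run of characters; everything else is literal.
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$")

def _matches_any(ref: ET.Element, tag: str, path: str) -> bool:
    return any(_pattern_to_regex((e.text or "").strip()).match(path)
               for e in ref.findall(f"{{{P3P_NS}}}{tag}"))

def find_policy(policy_ref_xml: str, policy_ref_url: str, page_url: str) -> Optional[str]:
    """Return the absolute URI of the POLICY covering page_url, or None.
    Assumed cascade: within one POLICY-REF an EXCLUDE overrides INCLUDE; the
    first POLICY-REF in document order with a matching INCLUDE and no matching
    EXCLUDE wins. Patterns are matched against the request path only."""
    path = urlsplit(page_url).path or "/"
    root = ET.fromstring(policy_ref_xml)
    for ref in root.iter(f"{{{P3P_NS}}}POLICY-REF"):
        if _matches_any(ref, "INCLUDE", path) and not _matches_any(ref, "EXCLUDE", path):
            return urljoin(policy_ref_url, ref.get("about", ""))
    return None
```

Requests under /cgi-bin/ and the path /servlet/unknown fall through every POLICY-REF and get no policy, which is the case a user agent has to handle explicitly rather than silently treating as covered.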