- From: Rigo Wenning <rigo@w3.org>
- Date: Mon, 5 Nov 2001 15:36:19 +0100
- To: Yves BENIGOT <ybenigot@lexbase.fr>
- Cc: www-p3p-public-comments@w3.org
Dear Yves,

thank you for your comment. The [Moderator Action] comes from the SPAM-protection. Comments inline....

On Tue, Oct 30, 2001 at 06:07:32AM -0500, Yves BENIGOT wrote:
> I found that the default settings of Internet Explorer 6 do
> block session cookies when a third party site is using session
> cookies and our site is using session cookies.
>
> After several days of data mining on the Net I found that the
> only remedy is to set up a P3P so-called "compact" policy and
> send P3P headers before sending cookies.

I'm very surprised that this takes mining the Net. I thought it was much simpler to find out. Could you please describe how you faced the problem and which were your steps? It will help us to improve the information on our site and our outreach activities.

> Of course the W3C specification is not directly responsible if
> a software editor's implementation of P3P has some drawbacks,
> *but* I want to point out that the P3P declaration of privacy
> policies is very confusing in the specification.
>
> I found that there are - at least - four ways to do that:
> a) send a P3P header with a compact policy
> b) send a P3P header referencing the XML policy URL
> c) send an XML policy as an XML link in the HTML pages
> d) put the policy under /w3c/p3p.xml and put accompanying files with it

All information is in the P3P Specification[1]. Except for the compact policies, those are all alternative possibilities. You can use them as you need them. A simple site might want to choose the well-known location at /w3c/p3p.xml, which is the simplest way to implement P3P. A very complicated site might want to use the P3P header to locate the Policy Reference File, which is much more flexible. A single web-site hosted by a free hoster, e.g., can't access the web-server configuration, so he wants to use the Link-tag.

Compact policies are apart from this. Compact policies only apply to cookies. They are just an optional performance optimization. The vocabulary is not as granular. Don't confuse this with the mechanisms to reference Policies. IE6 has implemented the automatic decisioning only for compact policies because of the complexity of P3P on the client side.

> Also some P3P implementing sites registered at W3C do mix
> methods a) and b) while some others simply copied the W3C site
> headers.

You have to understand that compact policies are just an aggregation of the full policy. They are not saying something separate. It is only less granular. So those sites are implementing full policies AND compact policies. Both, in summary, should mean the same. The W3C site is not using compact policies as it is not using cookies, and compact policies only apply to cookies.

> It already took us several days to find the undocumented way to
> make P3P work with Internet Explorer by guessing at the "fine
> print", so I wonder if we will be able to use P3P at all for
> privacy purposes.

This was already documented in the public mailing lists [2] and [3], which are archived and available to the public. The P3P implementation of IE is documented on the Microsoft site[4]. This was referenced from a mail in the archive[5].

> I strongly suggest that the specification must be more precise
> about:
>
> a) how P3P policies are detected: the specification should not
> provide so many alternatives which may or may not be
> implemented,

As I described, the mentioned things are alternatives. User agents MUST be able to process all three. Currently IE6 only implements compact policies, but there will be new versions and also other P3P implementations that will implement full policies and also all those mechanisms to find the policy.

> b) what is the intended behavior of the user agent: without a
> clear idea of how the user agent will behave, it is very
> tempting to code a very crude and browser-specific P3P policy.

As you are writing from France, your policy should be oriented around the French privacy legislation, and actually you can ask the CNIL for help to set up the policy reflecting the European or French protection level. Following the European protection level should work with any browser preferences I'm currently aware of (except the total refusal of cookies).

> Also I suggest that a P3P implementation should leave decisions
> to reject cookies to the user choice, only warning the user of
> cookies or personal information before they be sent. It should
> not try to take decisions "by default" which are not compatible
> with the present state of the Internet.

Preferences are just decisions by the user, which are then applied to Web-Sites. The Working Group discussed the issue about the default behavior of browsers. This is left up to the implementation. Nevertheless, the Working Group came up with P3P Guidelines, which are annexed to the P3P Specification. Those Guidelines reflect mostly the values of the OECD Guidelines and some net specifics.

W3C's P3P Specification Working Group is also hosting a Task Force working on the APPEL Specification: A Privacy Preferences Exchange Language. This Language will allow actors on the web to produce P3P Preferences which can be downloaded and imported into your favorite P3P Implementation.

> I am using Internet Explorer 6 and I can see that on most sites
> the infamous icon "cookies rejected" appears. In some cases
> the site doesn't work, but there is no way to infer whether I
> should change the confidentiality settings
> or not.

This is an implementation question on IE6 and you should suggest that to Microsoft. I think their concern was not to bother the user too much with all kinds of questions while browsing...

Don't hesitate to ask if you have any further questions

Best,

--
Rigo Wenning                W3C/INRIA
Policy Analyst              Privacy Activity Lead
mail:rigo@w3.org            2004, Routes des Lucioles
+33 (0)6 73 84 87 31        F-06902 Sophia Antipolis
http://www.w3.org/

References:
1. http://www.w3.org/TR/P3P
2. http://lists.w3.org/Archives/Public/www-p3p-policy/
3. http://lists.w3.org/Archives/Public/www-p3p-dev/
4. http://msdn.microsoft.com/library/default.asp?url=/workshop/security/privacy/overview/privacyfaq.asp
5. http://lists.w3.org/Archives/Public/www-p3p-policy/2001Oct/0001.html
Received on Monday, 5 November 2001 09:37:20 UTC
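The reply above distinguishes three alternative ways for a user agent to find a site's policy reference file (the P3P header's policyref, an HTML link tag, and the well-known location /w3c/p3p.xml) from the separate, cookie-only compact policy carried in the same header's CP= field. The following Python is an added example written for this archive page, not code from the thread, W3C or the P3P specification: it parses a P3P response header into those two parts, lists the candidate policy-reference URLs a client could try, and flags a response that sets a cookie without a compact policy, which is the situation the original poster hit with IE6. The sample headers, HTML and compact-policy tokens are constructed for the example; the order in which the candidates are listed is this example's choice, not an ordering the specification mandates.

```python
import re
from urllib.parse import urljoin

# Constructed sample response (not taken from the thread): the P3P header both
# points at the policy reference file (mechanism b) and carries a compact
# policy for the cookie (mechanism a); the page also has a link tag (c).
SAMPLE_HEADERS = {
    "Set-Cookie": "sid=abc123; Path=/",
    "P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR IND COM NAV"',
}
SAMPLE_HTML = (
    '<html><head><link rel="P3Pv1" href="/privacy/p3p.xml"></head>'
    "<body>sample page</body></html>"
)

# Grammar of the header as this example understands it: a comma-separated
# list of policyref="..." and CP="..." parameters (keys matched case-insensitively).
P3P_PARAM = re.compile(r'(?P<key>policyref|CP)\s*=\s*"(?P<value>[^"]*)"', re.IGNORECASE)
# Compact-policy tokens are three upper-case letters with an optional a/i/o suffix.
CP_TOKEN = re.compile(r"^[A-Z]{3}[aio]?$")
# HTML link tag with rel="P3Pv1" (case-insensitive, attributes in any order).
LINK_TAG = re.compile(r'<link\b[^>]*\brel\s*=\s*["\']?P3Pv1["\']?[^>]*>', re.IGNORECASE)
HREF = re.compile(r'\bhref\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

WELL_KNOWN_LOCATION = "/w3c/p3p.xml"


def parse_p3p_header(value):
    """Split a P3P header into (policyref or None, list of compact-policy tokens)."""
    policyref = None
    tokens = []
    for match in P3P_PARAM.finditer(value or ""):
        if match.group("key").lower() == "policyref":
            policyref = match.group("value")
        else:
            tokens = match.group("value").split()
    return policyref, tokens


def malformed_cp_tokens(tokens):
    """Return the tokens that do not have the three-letter-plus-suffix shape."""
    return [t for t in tokens if not CP_TOKEN.match(t)]


def policy_reference_candidates(page_url, headers, html):
    """URLs a user agent could fetch to find the policy reference file.

    Order here: P3P header policyref, HTML link tag(s), well-known location.
    Duplicates are removed while preserving that order.
    """
    candidates = []
    policyref, _ = parse_p3p_header(headers.get("P3P"))
    if policyref:
        candidates.append(urljoin(page_url, policyref))
    for tag in LINK_TAG.findall(html or ""):
        href = HREF.search(tag)
        if href:
            candidates.append(urljoin(page_url, href.group(1)))
    candidates.append(urljoin(page_url, WELL_KNOWN_LOCATION))
    seen, ordered = set(), []
    for url in candidates:
        if url not in seen:
            seen.add(url)
            ordered.append(url)
    return ordered


def cookie_without_compact_policy(headers):
    """True when the response sets a cookie but its P3P header carries no CP= tokens.

    This is the case the reply describes: a compact policy applies only to
    cookies, and IE6 makes its automatic cookie decision from that field alone,
    so a full policy referenced via policyref or the well-known location does
    not help with IE6's cookie handling.
    """
    _, tokens = parse_p3p_header(headers.get("P3P"))
    return "Set-Cookie" in headers and not tokens


if __name__ == "__main__":
    page = "https://www.example.org/index.html"  # constructed page URL
    print(parse_p3p_header(SAMPLE_HEADERS["P3P"]))
    print(policy_reference_candidates(page, SAMPLE_HEADERS, SAMPLE_HTML))
    print(cookie_without_compact_policy(SAMPLE_HEADERS))
    print(cookie_without_compact_policy({"Set-Cookie": "sid=1", "P3P": 'policyref="/w3c/p3p.xml"'}))
```

Run it as a script to see the parsed header, the candidate reference-file URLs for the constructed page, and the cookie check returning False for the sample response and True for a response that only references a full policy. The well-known location is appended unconditionally because a client can always try it; the check for malformed tokens is a cheap sanity test for a hand-typed CP= string before it is deployed.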