Re: policy reference file about element from Rigo Wenning on 2002-04-25 (www-p3p-public-comments@w3.org from April 2002)

From: Rigo Wenning <rigo@w3.org>
Date: Thu, 25 Apr 2002 11:55:34 +0900
To: Clifford Lyon <Clifford.Lyon@cnet.com>
Cc: "'www-p3p-public-comments@w3.org'" <www-p3p-public-comments@w3.org>
Message-ID: <20020425025534.GD1734@localhost>

Dear M. Lyon, 

Your question can be answered by referring to the section 2.3 of the P3P
Specification. 

The 'about' attribute of the <POLICY-REF> - element contains the URI
identifying the Policy applicable to the resources described in the
<INCLUDE> - subelements. 

The 'about' attribute is not limited to relative URI's, so it can point
to any policy on the Web. You could even use W3C's public policy[1] by
inserting this URI in the 'about' - attribute of your PRF. 

In fact, the limitation you mention is on the <INCLUDE> and <EXCLUDE>
elements describing, to which realm of URI's the policy mentioned in the
'about' - attribute applies. The P3P Specification WG wanted to avoid,
that someone can make P3P - Statements about somebody else's Web-site,
thus generating confusion. 

So every Web-site (and real computer/host in a server-farm) has to have
it's own PRF. In the 'about' attribute the PRF indicates the Policy by
URI. If the policy is on the same machine, you can do this by a relative
URI (without full hostname) or by a full URI (with full hostname). 

The <INCLUDE> and <EXCLUDE> - Elements specify the URI's on your
Web-site, to which this policy applys. Those relative URI's in the
<INCLUDE> and <EXCLUDE> elements can NOT contain a hostname. They are
restricted to the Web-site (or computer) carrying the PRF. So one has to
have control over a given computer to make P3P-Statements about the
Web-site the computer is carrying.

I hope, this answers your question. If you have any further question,
please don't hesitate to ask or subscribe to one of our publicly
archived support mailing-lists: www-p3p-policy and/or www-p3p-dev.

  1. http://www.w3.org/2001/05/P3P/public.xml#public

Best, 

-- 
Rigo Wenning            W3C/INRIA
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis

On Wed, Apr 24, 2002 at 01:01:34PM -0700, Clifford Lyon wrote:
> I understand that the 'about' element in the prf may be an absolute or
> relative URI. I thought I remembered that an absolute URI had to point
> to a policy file in the same top-level domain as the one where the prf
> is located, but when I went back to the working draft to double check,
> I didn't see anything about it. 
> 
> What if any is the restriction on the URI in the prf about element?
> 
> tia.

Received on Wednesday, 24 April 2002 22:57:02 UTC