Re: [Moderator Action] Mutiple policy files per site

• From: Rigo Wenning <rigo@w3.org>
• Date: Mon, 18 Feb 2002 16:55:46 +0100
• To: "Catton, Jeff" <Jeff_Catton@afcc.com>
• Cc: "'www-p3p-public-comments@w3.org'" <www-p3p-public-comments@w3.org>
• Message-ID: <20020218155546.GN18688@localhost>

I ran into the same issue when implementing P3P on W3C's site. 

As your <EXCLUDE>/us/en/*</EXCLUDE> matches already everything after
/us/en/, the statements about <INCLUDE>/us/en/images/*</INCLUDE> are
invalid. 

The Specification says:
When INCLUDE (and optionally, EXCLUDE) elements are present in a
POLICY-REF element, it means that the policy specified in the about
attribute of the POLICY-REF element applies to all the URIs at the
requested host corresponding to the local-URI(s) matched by any of the
INCLUDEs, but not matched by an EXCLUDE element.[1]

To express, what you want, you might consider writing:
<META xmlns="http://www.w3.org/2001/09/P3Pv1">
     <POLICY-REFERENCES>
         <POLICY-REF
 about="http://www.mydomain.com/privacy/p3p/policy20020114_main.p3p">
           <INCLUDE>/*</INCLUDE>
           <EXCLUDE>/us/en/</EXCLUDE>
           <INCLUDE>/us/en/images/*</INCLUDE>
           <INCLUDE>/us/en/xml/*</INCLUDE>
           <INCLUDE>/us/en/js/*</INCLUDE>
           <INCLUDE>/us/en/templates/*</INCLUDE>
           <INCLUDE>/us/en/include/*</INCLUDE>
           <INCLUDE>/us/en/dictionary/*</INCLUDE>
					 <EXCLUDE>....</EXCLUDE>
     </POLICY-REF>

by <EXCLUDE>...</EXCLUDE> I mean excluding all the subdirectories of
/us/en/, that have a different policy then policy20020114_main.p3p

Another way is to have a different policy for those entrypoints:

<POLICY-REF
 about="http://www.mydomain.com/privacy/p3p/pol_entrypoint.p3p">
            <INCLUDE>/</INCLUDE>
						<INCLUDE>/us/en/</INCLUDE>
						etc..
</POLICY-REF>

You might want to subscribe to our list www-p3p-policy for further
feedback (send email to  www-p3p-policy-request@w3.org with subscribe
in the subject)

  1. http://www.w3.org/TR/P3P/#ref_file_preexc

Best, 
-- 
Rigo Wenning            W3C/INRIA
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis


On Mon, Feb 18, 2002 at 10:12:16AM -0500, Catton, Jeff wrote:
> In order to give a true picture our site privacy requirements, we are
> researching the ability and impact of breaking down the main policy file for
> a domain into its proper policy files.  The majority of our sites are of a
> brochure ware nature however, there are the occasional screen(s) that ask
> for some personal information (email and phone number so a customer service
> rep can respond). 
> 
> Due to the uncertainty of how P3P will be used in the future (if we only
> knew) for filtering techniques by the www search engines,  we would like to
> keep our entry points to our web sites at the lowest privacy level.  This
> will ensure that our main page is always found during our customer searches
> and allows our customer to enter various areas of our site with a higher
> level of privacy allowance needed.
> 
> In my testing I am tying to use multiple policies for a single domain. We
> are trying to INCUDE and EXCLUDE various subdirectories for each policy.
> Note that we are treating each policy as a standalone policy for the site in
> that, each policy has its own INCLUDE and EXCLUDE conditions.  Please see a
> sample multi-policy file;
> 
> 	** The directory structure of the site looks like this;
> 
> 		REL-PATH		POLICY-LEVEL
> 		==========		============
> 		/images			main
> 		/xml			main
> 		/js			main
> 		/templates		main
> 		/include			main
> 		/us			main
> 		/us/en			email
> 		/us/en/images		main
> 		/us/en/xml		main
> 		/us/en/js		main
> 		/us/en/templates	main
> 		/us/en/include		main
> 		/us/en/dictionary	main
> 
> 		<META xmlns="http://www.w3.org/2001/09/P3Pv1">
> 		<POLICY-REFERENCES>
> 		    <POLICY-REF
> about="http://www.mydomain.com/privacy/p3p/policy20020114_main.p3p">
> 		      <INCLUDE>/*</INCLUDE>
> 		      <EXCLUDE>/us/en/*</EXCLUDE>
> 		      <INCLUDE>/us/en/images/*</INCLUDE>
> 		      <INCLUDE>/us/en/xml/*</INCLUDE>
> 		      <INCLUDE>/us/en/js/*</INCLUDE>
> 		      <INCLUDE>/us/en/templates/*</INCLUDE>
> 		      <INCLUDE>/us/en/include/*</INCLUDE>
> 		      <INCLUDE>/us/en/dictionary/*</INCLUDE>
> 		</POLICY-REF>
> 
> 		    <POLICY-REF
> about="http://www.mydomain.com/privacy/p3p/policy20020114_email.p3p">
> 		      <INCLUDE>/us/en/*</INCLUDE>
> 		      <EXCLUDE>/us/en/images/*</EXCLUDE>
> 		      <EXCLUDE>/us/en/xml/*</EXCLUDE>
> 		      <EXCLUDE>/us/en/js/*</EXCLUDE>
> 		      <EXCLUDE>/us/en/templates/*</EXCLUDE>
> 		      <EXCLUDE>/us/en/include/*</EXCLUDE>
> 		      <EXCLUDE>/us/en/dictionary/*</EXCLUDE>
> 		</POLICY-REF>
> 
> 		</POLICY-REFERENCES>
> 		</META>
> 
> The above does not work for us and I am hoping that someone can help us out.
> As an example the directory /templates has not policy attached to the files,
> why?  How is the conditional INCLUDE - EXCLUDE statements suppose to work
> together and be specified when multiple policies are needed for a single
> domain.  
> 
> Thank you in advance for any help or direction to previous notes related to
> the above.
> 
> Best Regards,
> 
> Jeffery R. Catton
> CitiFinancial
> Senior Systems Consultant
> (574) 236-3104

Received on Monday, 18 February 2002 10:58:52 UTC