- From: <bede@scotty.mitre.org>
- Date: Mon, 26 Jun 1995 23:34:20 -0400
- To: immedia@netwest.com
- Cc: www-talk@www10.w3.org, peterd@bunyip.com, marc@matahari.ckm.ucsf.edu, michael@junction.net, rating@junction.net, uri@bunyip.com
Date: Mon, 26 Jun 1995 18:08:03 -0700 From: immedia@netwest.com (Ken Meyering) At 08:05 PM 6/26/95 -0400, bede@scotty.mitre.org wrote: >In this scheme, the HTTP client might receive a header like this: > > Content-Rating: MPAA "PG13+AC+AL" > >The client might also *send* a header like this as part of a >negotiation, as is now the case with "Accept:" headers. In the case >of a server, though, the server is claiming that the "MPAA" rated the >attached document "PG13+AC+AL". The client is free to verify this >claim, possibly by using a "content-rating" protocol. How would this scheme handle the following URL? (Pardon my honesty.) http://www.penthousemag.com/magazine/p06jun/06pet06.jpg OK, I'll take a stab at it. Let's say my client is configured to ask explicitly for Content-Rating: MPAA "PG13+AC+AL" Now, has ".../06pet06.jpg" been rated by yhe MPAA? Let's assume it has, and that it's been rated "R". The server shouldn't deliver the JPEG to my client. I'm thinking of the client-supplied rating as a threshold value. In this case, anything rated "worse" than "PG13+AC+AL" by MPAA gets filtered out. What "worse" means really boils down to a local policy decision, and my client software and other access control tools should be able to enforce this decision with a high (but not necessarily bulletproof) level of assurance. Similarly, if someone other than MPAA has rated ".../06pet06.jpg", the server shouldn't deliver, because my client specifically asked for MPAA ratings. Maybe my syntax should be extended to allow for "*" placeholders, although I'm not sure that makes any sense. This might also indicate a need for some way to translate between different rating schemes, but that's a different topic. Assume the server delivers ".../06pet06.jpg" with an appropriate rating. My client now has the option of checking with the MPAA online source for verification. In this case, I'd say we might want to require an exact match with the server's rating before putting the image onscreen, since a rating mismatch might also indicate an image mismatch, but this is a policy you'd want to be able to configure into the client. Let's assume my client says nothing up front, and the server delivers ".../06pet06.jpg" with the same "PG13+AC+AL" header. Now it's up to the client and/or the local rating mechanism to figure out whether to display the image. I might try to check with the MPAA to verify Penthouse's rating before deciding what to do, or I might just assume Penthouse is telling the truth and apply a configured policy threshold to their rating. The publisher is not short of reasons for being reasonably honest about ratings. Let's assume the MPAA isn't online and I haven't got anything more than the publisher's word about the rating. They could lie to me, but Penthouse is taking a pointless risk by doing so. At the very least, I might configure my local rating vector (which includes filtering at the local router) to categorically exclude client access to anything mentioning "www.penthousemag.com" [198.80.37.97]. I suppose I could also phone/write the local newspaper, an ambitious congressman or two, Senator Exon or a Liberal counterpart, the local Christian Coalition bunch, generally raise a fuss and try to portray Penthouse as a slimeball purveyor of online smut to innocent children. Shock/shame tactics like these have been used very successfully against adult magazines in stores like 7-11, and more recently against cable TV companies, and the news media are amazingly quick to jump on The-Internet-versus-our-kids horror stories these days. If my client resides at an elementary school, I don't imagine I'd want to allow access to "www.penthousemag.com" in the first place. The easiest way to handle this is to just filter out access to the IP address for that particular host. Most Internet access providers will do this for me, if I can't figure out how to do it myself. www.playboy.com would be in the same boat, as would other "adult" publishers in this context. IP addresses can be terms in what I've called the local "content-rating vector". Not all access control needs to be handled explicitly in the WWW client, and there are other tools better suited for this anyway. If my client is configured for a specific rating threshold and the server doesn't rate the image, I have to decide whether the absence of a rating is significant. I think the decision for or against depends on the circumstances. The technical capability to support this kind of policy decision is something which is needed from the client. - Bede McCall <bede@mitre.org> The MITRE Corporation Tel: (617) 271-2839 Bedford, Massachusetts FAX: (617) 271-2423
Received on Monday, 26 June 1995 23:34:23 UTC