W3C R. Lotenberg Internet-Draft IDcide Expires: January 31, 2001 M. Marchiori W3C/MIT/UNIVE August 2, 2000 The HTTP header for the Platform for Privacy Preferences 1.0 (P3P1.0) draft-w3c-p3p-header-01 Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on January 31, 2001. Copyright Notice Copyright (C) The Internet Society (2000). All Rights Reserved. Abstract The Platform for Privacy Preferences 1.0[4] (P3P1.0) specification describes how to associate a privacy policy with each URI request. Such associations are contained in a so-called policy reference file. This draft describes a new HTTP response header which indicates the location of such policy reference file. This header is intended to be a part of the P3P1.0 framework and should be treated in the full context of the P3P1.0 specification[4]. Lotenberg & Marchiori Expires January 31, 2001 [Page 1] Internet-Draft The HTTP header for P3P1.0 August 2000 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.2 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.3 Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. The P3P HTTP header . . . . . . . . . . . . . . . . . . . . . 4 3. Header Syntax . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7 References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 8 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 9 Lotenberg & Marchiori Expires January 31, 2001 [Page 2] Internet-Draft The HTTP header for P3P1.0 August 2000 1. Introduction 1.1 Background The Platform for Privacy Preferences 1.0[4] (P3P1.0, henceforth "P3P") is a specification currently under development at the World Wide Web Consortium (W3C)[6]. P3P creates a framework for standardized, machine-readable privacy policies, and consumer products that read these policies. P3P's design allows Web sites to deliver automated privacy statements, and makes it possible for users' browsers to review the statements and to automate decision-making based on these practices when appropriate. For more information on the P3P specification please consult the P3P specification document[4]. 1.2 Motivation Locating a P3P policy reference file is one of the first steps in the operation of the P3P protocol. A P3P policy reference file associates to a URI or set of URIs the appropriate privacy policies. User agents (e.g., web browsers) can use policy references to automatically locate the privacy policy which applies to a page, so that they can process that policy for the benefit of their user. The P3P HTTP header comes into play by providing the URI in which the policy reference file can be found. 1.3 Conventions The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY" in this document are to be interpreted as described in RFC-2119[3]. Lotenberg & Marchiori Expires January 31, 2001 [Page 3] Internet-Draft The HTTP header for P3P1.0 August 2000 2. The P3P HTTP header Any document retrieved by HTTP may point to a policy reference file through the use of the P3P HTTP response header, the "PolicyRef" header. The PolicyRef header contains the URI of a policy reference file, which will usually state the P3P policy covering the document that pointed to the reference file, and possibly others as well. The URI specified in the PolicyRef header MUST NOT be used for any other purpose beyond identifying and referencing P3P policies. The P3P policy reference header SHOULD be inserted whenever a P3P-enabled server responds to a relevant request, including when it responds to HEAD and OPTIONS requests. Since policy references may be processed by agents anywhere along the response chain, the P3P header is an end-to-end HTTP extension. The PolicyRef header can be safely ignored by those applications/agents that do not understand it. Lotenberg & Marchiori Expires January 31, 2001 [Page 4] Internet-Draft The HTTP header for P3P1.0 August 2000 3. Header Syntax The policy reference header syntax is: P3P: "PolicyRef:" URI [; ] The URI field is defined as per RFC 2396[1]. In keeping with the rules for other HTTP headers, the PolicyRef portion of this header may be written in any case. The mechanism is optional and intentionally left undefined at this point to accommodate future enhancements. If this field is present it must be preceded by a semicolon ";". For example: 1. Client makes a GET request. GET /index.html HTTP/1.1 Host: catalog.example.com Accept: */* Accept-Language: de, en User-Agent: WonderBrowser/5.2 (RT-11) 2. Server returns content and the PolicyRef header pointing to the policy of the page. HTTP/1.1 200 OK PolicyRef: http://catalog.example.com/P3P/PolicyReferences.xml Content-Type: text/html Content-Length: 7413 Server: CC-Galaxy/1.3.18 Lotenberg & Marchiori Expires January 31, 2001 [Page 5] Internet-Draft The HTTP header for P3P1.0 August 2000 4. Security Considerations In the context of the P3P framework, agents that are P3P-enabled will usually request, at least once, the object referenced by the URI contained in the PolicyRef header, in order to retrieve the corresponding policy reference files, and possibly the policies referenced therein. This could potentially lead to disclosure of more information, as a P3P-enabled agent will issue more URI requests than a non-P3P-enabled To this extent, the P3P1.0 Specification[4] states that every P3P-enabled user agent and service SHOULD ensure that all the relevant communications that take place as part of fetching a P3P policy are part of a special "safe zone" in which minimal data collection takes place and any data that is collected is used only in non-identifiable ways. We refer to the P3P1.0 Specification[4] for a more complete discussion of this topic. There are no additional security requirements transporting the PolicyRef header beyond the requirements of the document it is associated with; so, if an HTML document would normally be served over a non-encrypted session, then the P3P protocol would not require nor recommend that the document be served over an encrypted session when a PolicyRef header is included with that document. Lotenberg & Marchiori Expires January 31, 2001 [Page 6] Internet-Draft The HTTP header for P3P1.0 August 2000 5. Acknowledgments This draft was produced by the P3P Specification Working Group[7]; please see authors and contributors of the Platform for Privacy Preferences 1.0 Specification[4]. Lotenberg & Marchiori Expires January 31, 2001 [Page 7] Internet-Draft The HTTP header for P3P1.0 August 2000 References [1] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Location (URI): Generic Syntax and Semantics", RFC 2396, August 1998. [2] Bradner, S.O., "The Internet Standards Process -- Revision 3", RFC 2026, BCP 9, October 1996. [3] Bradner, S.O., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, BCP 14, March 1997. [4] Cranor, L., Langheinrich, M., Marchiori, M., Presler-Marshall, M. and J. Reagle, "The Platform for Privacy Preferences 1.0 (P3P1.0) Specification", W3C P3P1.0, August 2000, . [5] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. [6] http://www.w3.org/ [7] http://www.w3.org/P3P/Group/Specification Authors' Addresses Ran Lotenberg IDcide Blauer Drive Saratoga, CA 20454 US Phone: +1 408 8721541 EMail: ran@idcide.com URI: http://www.idcide.com Massimo Marchiori W3C/MIT/UNIVE 545 Technology Square Cambridge, MA 02139 US Phone: +39 041 2908423 EMail: massimo@w3.org URI: http://www.w3.org/People/Massimo/ Lotenberg & Marchiori Expires January 31, 2001 [Page 8] Internet-Draft The HTTP header for P3P1.0 August 2000 Full Copyright Statement Copyright (C) The Internet Society (2000). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC editor function is currently provided by the Internet Society. Lotenberg & Marchiori Expires January 31, 2001 [Page 9]