- From: Giles Hogben <giles.hogben@jrc.it>
- Date: Wed, 18 Feb 2004 10:22:07 +0100
- To: "'Lorrie Cranor'" <lorrie@cs.cmu.edu>
- Cc: "'public-p3p-spec'" <public-p3p-spec@w3.org>
>**>>> Here are the latest suggested changes (the guidelines text has >**>> changed >**>>> quite >**>>> a lot so please check): >**>>> >**>>> Text for 2.3.2.7. >**>>> ----------------- >**>>> Add: >**>>> User agents evaluating cookies SHOULD apply the results of a >**>> preference> match on the cookie's policy before setting >**the cookie. >**>> >**>> How about >**>> >**>> User agents that evaluate cookie polices SHOULD perform this >**>> evaluation before setting a cookie. >**> >**> This does not convey the advice. that the cookie should >**not be saved >**> if it doesn't match the user's preferences. >** >**I'm not sure we want to say that. A user might specify, for example, >**that cookies that don't match their preferences should be >**converted to >**session cookies rather than deleted altogether. Also, I >**could imagine a >**user agent that gives users the option of storing rejected >**cookies in a >**separate place for later analysis or inspection. So I think >**we should >**make the point that cookies should be evaluated before set time. But >**I'm not sure we want to specify what should happen as a >**result of that >**evaluation. We could say: >** >**User agents that evaluate cookie policies SHOULD perform this >**evaluation before setting a cookie so that the cookie can be >**discarded >**without being set if that is what is dictated by the user's >**preferences. I think that the crucial point is that whatever behavior is dictated by the evaluation should be carried out setting the cookie. So how about: User agents that evaluate cookie policies SHOULD perform this evaluation *and its resultant behavior* before setting a cookie so that the cookie can be discarded without being set if that is what is dictated by the user's preferences. >**>> >**>>> >**>>> Text for guidelines >**>>> ------------------- >**>>> Certain jurisdictions view the storage of cookies on a user's >**>> hard >**>>> drive as >**>>> an act of data processing. In such jurisdictions (e.g. the EU), >**>>> policies should always be evaluated before a cookie is set and >**>>> cookies >**>> should >**>>> not be >**>>> stored unless the cookie's policy is found to comply with the >**> user's >**>>> preferences. >**>> >**>> In my mail on Issue 1 I had suggested a section called "Timing of >**>> Notices to Users"... now I'm thinking the section should >**be "Timing >**>> of Policy Evaluation and Notice to Users" ... then we can include >**>> this >**>> paragraph at the end of that section. >**>> >**>> >**>> >**>>> >**>>> ------------------------------------- >**>>> Giles Hogben >**>>> European Commission Joint Research Centre >**>>> Institute for the Protection and Security of the Citizen >**>> Cybersecurity> New technologies for Combatting Fraud Unit >**>>> TP 267 >**>>> Via Enrico Fermi 1 >**>>> Ispra >**>>> 21020 VA >**>>> Italy >**>>> >**>>> giles.hogben@jrc.it >**>>> tel:+390332789187 >**>>> fax:+390332789576 >**>>> >**>>> >**>> >**>> >**> >** >**
Received on Wednesday, 18 February 2004 04:21:46 UTC