XML signed policy specification

The following is a proposal for future work on P3P submitted following the November 2002 Workshop on the Future of P3P


A serious problem for P3P is that if a company's practices contravene its stated privacy policy, there is little technical or legal framework to prove that a company made the statements, which existed on its server at a given time. I.e. it is too easy for a company to repudiate its policy statements. While P3P does increase the level of trust felt by consumers by providing more transparent and unambiguous information, it does not however provide any assurance as to the authenticity and integrity of this information. The aim of this item is to provide a watertight route of legal recourse and thereby to increase trust in consumers.

Probably the biggest obstacle in achieving these objectives is in driving the adoption of any measures taken. However, a prerequisite to this is to provide hooks within the P3P standard by which signed policies may be referenced, validated and later used as legal evidence.


Joseph Reagle of W3C has already gone some way towards outlining the detail of this solution and the solution would build on the document "A P3P Assurance Signature Profile".

Building on this, the requirements for the P3P specification are as follows:

  1. A mechanism for locating a signed version of a policy within a standard P3P policy. It has been suggested that the verification attribute should be used to identify the location of the signed policy. However it may be valuable to create another attribute so that user agents may easily identify the need to verify a signature. In any case, it needs to be clearly specified within the spec document where the signed version of a particular policy should be specified.
  2. A similar element needs to be created within PRF files to verify the binding to the policy. This should be optional but recommended (a SHOULD) where a signed policy is referenced.
  3. A full specification for the format of XML signed policies such as that specified within Reagle's P3P assurance profile document and Giles Hogben, Tom Jackson, Marc Wilikens (Joint Research Centre of the EC, I). A fully compliant research implementation of the P3P standard for privacy protection: experiences and recommendations. There is little further work necessary.
  4. If possible a sample tool for creating signed policies.
  5. Description of verification process for user agents. The problem of how to automate this should be visited. For example if a certificate is provided for a domain, which does not match the domain of the signed policy, what should the agent do - should there be a checksum repository to help user agents verify certificates?
  6. An addition to the APPEL specification so that signatures may be required under certain circumstances (e.g. "signaturerequired" attribute in a rule).


The JRC has already developed a prototype specification for this functionality. This specification will be used to create a demonstrator module to be integrated within the JRC proxy architecture. Further resources for integrating this into the P3P specification can also be provided by the JRC.

Time Frame

t is expected that the development of the architecture, specification and demonstrator will be finished by January 2004.

Giles Hogben

Last update $Date: 2003/03/17 09:50:38 $ by $Author: rigo $