Network Working Group                                       M. Marchiori
Internet-Draft                                             W3C/MIT/UNIVE
Expires: August 6, 2002                                     R. Lotenberg
                                                                  IDcide
                                                        February 5, 2002


 The HTTP header for the Platform for Privacy Preferences 1.0 (P3P1.0)
                   draft-marchiori-w3c-p3p-header-01

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 6, 2002.

Copyright Notice

   Copyright (C) The Internet Society (2002). All Rights Reserved.

Abstract

   The Platform for Privacy Preferences 1.0[4] (P3P1.0) specification
   describes how to associate a privacy policy with each URI request.
   Such associations are contained in a so-called policy reference
   file. This draft describes a new HTTP response header which
   indicates the location of such a policy reference file. This header
   is intended to be a part of the P3P1.0 framework and should be
   treated in the full context of the P3P1.0 specification[4].






Marchiori & Lotenberg    Expires August 6, 2002                 [Page 1]

Internet-Draft         The HTTP header for P3P1.0          February 2002


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   1.2 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   1.3 Conventions  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  The P3P HTTP header  . . . . . . . . . . . . . . . . . . . . .  4
   3.  Header Syntax  . . . . . . . . . . . . . . . . . . . . . . . .  5
   4.  Compact Policies . . . . . . . . . . . . . . . . . . . . . . .  7
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
   6.  Notes  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
   7.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 10
       References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 11
       Full Copyright Statement . . . . . . . . . . . . . . . . . . . 13

1. Introduction

1.1 Background

   The Platform for Privacy Preferences 1.0[4] (P3P1.0, henceforth
   "P3P") is a specification currently under development at the World
   Wide Web Consortium (W3C)[8]. 

   P3P creates a framework for standardized, machine-readable privacy
   policies, and consumer products that read these policies. P3P's
   design allows Web sites to deliver automated privacy statements, and
   makes it possible for users' browsers to review the statements and
   to automate decision-making based on these practices when
   appropriate. 

   For more information on the P3P specification please consult the P3P
   specification document[4]. 

1.2 Motivation

   Locating a P3P policy reference file is one of the first steps in
   the operation of the P3P protocol. A P3P policy reference file
   associates the appropriate privacy policies with a URI or set of
   URIs. User agents (e.g., web browsers) can use policy references to
   automatically locate the privacy policy which applies to a page, so
   that they can process that policy for the benefit of their user.

   The P3P HTTP header comes into play by providing the URI at which
   the policy reference file can be found.

1.3 Conventions

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY" in
   this document are to be interpreted as described in RFC-2119[3]. 

2. The P3P HTTP header

   Any document retrieved by HTTP may point to a policy reference file
   through the use of the P3P HTTP response header, the "PolicyRef"
   header. 

   The PolicyRef header contains the URI of a policy reference file,
   which will usually state the P3P policy covering the document that
   pointed to the reference file, and possibly others as well. The URI
   specified in the PolicyRef header MUST NOT be used for any other
   purpose beyond identifying and referencing P3P policies. 

   The P3P policy reference header SHOULD be inserted whenever a
   P3P-enabled server responds to a relevant request, including when it
   responds to HEAD and OPTIONS requests. 

   Since policy references may be processed by agents anywhere along
   the response chain, the P3P header is an end-to-end HTTP extension. 

   The PolicyRef header can be safely ignored by those
   applications/agents that do not understand it. 

3. Header Syntax

   The P3P header gives one or more comma-separated directives. The
   syntax follows, specified using ABNF rules (as per RFC2234[5]): 

   p3p-header       = `P3P: ` p3p-header-field *(`,` p3p-header-field)

   p3p-header-field = policy-ref-field | compact-policy-field | extension-field

   policy-ref-field = `policyref="` URI-reference `"`

   extension-field  = token [`=` (token | quoted-string) ]

   Here, URI-reference is defined as per RFC 2396[1]; token and
   quoted-string are defined by HTTP/1.1[6].

   In keeping with the rules for other HTTP headers, the header name
   "P3P" may be written in any case.

   The policyref directive gives a URI which specifies the location of
   the policy reference file which will state the P3P policy covering
   the document that pointed to the reference file, and possibly others
   as well. 

   The compact-policy-field is used to specify "compact policies". They
   are described in the next section. 

   User agents which find unrecognized directives (in the
   extension-fields) MUST ignore the unrecognized directives. This is
   to allow easier deployment of future versions of P3P. 

   For example: 

   1.  Client makes a GET request.

       GET /index.html HTTP/1.1
       Host: catalog.example.com
       Accept: */*
       Accept-Language: de, en
       User-Agent: WonderBrowser/5.2 (RT-11)

   2.  Server returns content and the PolicyRef header pointing to the
       policy of the page.

       HTTP/1.1 200 OK
       P3P: policyref="http://catalog.example.com/P3P/PolicyReferences.xml"
       Content-Type: text/html
       Content-Length: 7413
       Server: CC-Galaxy/1.3.18

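   The following parser is added here as an example; it is not part of
   the draft or of any P3P implementation. It applies the section 3
   grammar to a raw HTTP response: it finds the header whatever the case
   of its name, walks the comma-separated directives without splitting
   inside quoted strings, keeps policyref and CP, and ignores unknown
   extension directives as section 3 requires. Beyond what the draft
   states, it assumes that directive names compare case-insensitively,
   and the http(s) scheme check in resolve_policy_ref is an added
   defensive measure rather than a rule of the draft. The sample
   response is constructed.

```python
"""Parse the P3P response header defined in section 3 of the draft.

Added example, not code from the draft or the P3P working group.  The
header value is a comma-separated list of directives, each a token
optionally followed by "=" and a token or quoted-string.  Unrecognised
directives are ignored, as section 3 requires.  Assumptions beyond the
draft: directive names compare case-insensitively, and the resolved
policyref must be an http(s) URI.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# token = 1*<any CHAR except CTLs or separators> (HTTP/1.1 section 2.2).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string with quoted-pair escapes ("\" followed by any CHAR).
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
_DIRECTIVE_RE = re.compile(
    r"\s*(" + _TOKEN + r")\s*(?:=\s*(?:" + _QUOTED + r"|(" + _TOKEN + r")))?\s*"
)


def split_directives(value: str) -> List[Tuple[str, Optional[str]]]:
    """Split a P3P header value into (name, value) pairs.

    The string is walked with the directive regex instead of being split
    on commas, so a comma inside a quoted-string (legal in a URI-reference)
    does not break a directive apart.  Text outside the ABNF raises.
    """
    pairs: List[Tuple[str, Optional[str]]] = []
    pos = 0
    while True:
        m = _DIRECTIVE_RE.match(value, pos)
        if not m:
            raise ValueError(f"malformed P3P directive at {value[pos:]!r}")
        name, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            val: Optional[str] = re.sub(r"\\(.)", r"\1", quoted)  # undo quoted-pair
        else:
            val = bare
        pairs.append((name.lower(), val))  # assumption: names are case-insensitive
        pos = m.end()
        if pos >= len(value):
            return pairs
        if value[pos] != ",":
            raise ValueError(f"expected ',' at {value[pos:]!r}")
        pos += 1


def parse_p3p_header(raw_response: str) -> Dict[str, object]:
    """Extract policyref and CP from the head of a raw HTTP response.

    Several P3P header lines are joined with commas, as HTTP/1.1 permits
    for list-valued headers.  Other directives are recorded under
    "ignored" and have no further effect.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "p3p":  # header name in any case
            values.append(val.strip())
    result: Dict[str, object] = {"policyref": None, "cp": None, "ignored": []}
    if not values:
        return result
    ignored: List[str] = []
    for name, val in split_directives(",".join(values)):
        if name == "policyref":
            result["policyref"] = val
        elif name == "cp":
            result["cp"] = val
        else:
            ignored.append(name)
    result["ignored"] = ignored
    return result


def resolve_policy_ref(request_url: str, policyref: str) -> str:
    """Turn a possibly relative policyref into the absolute URI to fetch.

    Section 2 restricts this URI to locating the policy reference file;
    the scheme check is an added defensive measure, not a draft rule.
    """
    absolute = urljoin(request_url, policyref)
    if urlsplit(absolute).scheme not in ("http", "https"):
        raise ValueError(f"policyref must be an http(s) URI: {absolute!r}")
    return absolute


# Constructed sample: lower-case header name, a quoted value containing a
# comma, and two unknown directives that must be ignored.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    'p3p: policyref="http://catalog.example.com/P3P/PolicyReferences.xml", '
    'CP="NOI DSP COR NID CUR ADMa DEVa OUR NOR"\r\n'
    'P3P: future-ext="a,b", flag\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    parsed = parse_p3p_header(SAMPLE_RESPONSE)
    print(parsed)
    print(resolve_policy_ref("http://catalog.example.com/index.html",
                             str(parsed["policyref"])))
```

   Walking the value with the grammar rather than calling split(",")
   matters because a URI-reference may legitimately contain a comma, and
   a parser that splits on it would silently point the user agent at a
   truncated policy reference URI.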
4. Compact Policies

   Compact policies are essentially summaries of P3P policies. They can
   be used by user agents to quickly get approximate information about
   P3P policies, therefore improving performance. 

   For an in-depth explanation of compact policies, we refer to the
   P3P1.0[4] specification. Here, we limit ourselves to stating the
   syntax:

   compact-policy-field  = `CP="` compact-policy `"`

   compact-policy        = compact-token *(" " compact-token)

   compact-token         = compact-access           |
                           compact-disputes         |
                           compact-remedies         |
                           compact-non-identifiable |
                           compact-purpose          |
                           compact-recipient        |
                           compact-retention        |
                           compact-categories       |
                           compact-test

   compact-access        = "NOI" | "ALL" | "CAO" | "IDC" | "OTI" | "NON"

   compact-disputes      = "DSP"

   compact-remedies      = "COR" | "MON" | "LAW"

   compact-non-identifiable = "NID"

   compact-purpose       = "CUR"        | "ADM" [creq] | "DEV" [creq] | "TAI" [creq] |
                           "PSA" [creq] | "PSD" [creq] | "IVA" [creq] | "IVD" [creq] |
                           "CON" [creq] | "HIS" [creq] | "TEL" [creq] | "OTP" [creq]

   creq                  = "a" | "i" | "o"

   compact-recipient     = "OUR" | "DEL" [creq] | "SAM" [creq] | "UNR" [creq] |
                           "PUB" [creq] | "OTR" [creq]

   compact-retention     = "NOR" | "STP" | "LEG" | "BUS" | "IND"

   compact-categories    = "PHY" | "ONL" | "UNI" | "PUR" | "FIN" | "COM" |
                           "NAV" | "INT" | "DEM" | "CNT" | "STA" | "POL" |
                           "HEA" | "PRE" | "LOC" | "GOV" | "OTC"

   compact-test          = "TST"

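   The following validator is added here as an example and is not code
   from the draft. It transcribes the section 4 rules into token classes
   and checks a CP value against them: at least one token, tokens
   separated by single spaces, and a creq suffix accepted only on the
   purpose and recipient tokens whose rules carry [creq] (so not on CUR
   or OUR). Tokens are normalised before lookup because literal strings
   in RFC 2234 ABNF are case-insensitive. The sample policy is
   constructed.

```python
"""Validate and classify P3P compact policies (section 4 grammar).

Added example, not code from the draft.  A compact policy is a list of
three-letter tokens separated by single spaces; purpose and recipient
tokens other than CUR and OUR may carry a one-letter creq suffix
(a, i, o).  RFC 2234 string literals are case-insensitive, so tokens
are normalised before lookup.  The sample policy is constructed.
"""
from typing import Dict, List, Tuple

# Token classes and their members, transcribed from the section 4 rules.
COMPACT_TOKENS: Dict[str, Tuple[str, ...]] = {
    "access": ("NOI", "ALL", "CAO", "IDC", "OTI", "NON"),
    "disputes": ("DSP",),
    "remedies": ("COR", "MON", "LAW"),
    "non-identifiable": ("NID",),
    "purpose": ("CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                "IVA", "IVD", "CON", "HIS", "TEL", "OTP"),
    "recipient": ("OUR", "DEL", "SAM", "UNR", "PUB", "OTR"),
    "retention": ("NOR", "STP", "LEG", "BUS", "IND"),
    "categories": ("PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                   "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"),
    "test": ("TST",),
}
CREQ = ("a", "i", "o")
CREQ_CLASSES = {"purpose", "recipient"}   # only these rules mention [creq]
NO_CREQ = {"CUR", "OUR"}                  # listed without [creq] in their rules


def classify_token(token: str) -> Tuple[str, str, str]:
    """Map one compact-token to (class, base token, creq or "")."""
    base, creq = token.upper(), ""
    if len(token) == 4 and token[3].lower() in CREQ:
        base, creq = token[:3].upper(), token[3].lower()
    for cls, members in COMPACT_TOKENS.items():
        if base in members:
            if creq and (cls not in CREQ_CLASSES or base in NO_CREQ):
                raise ValueError(f"{token!r}: {base} takes no creq suffix")
            return cls, base, creq
    raise ValueError(f"{token!r}: not a compact-token")


def parse_compact_policy(cp: str) -> List[Tuple[str, str, str]]:
    """Parse a CP value: at least one token, tokens separated by one SP."""
    if cp == "":
        raise ValueError("compact-policy needs at least one compact-token")
    parsed = []
    for token in cp.split(" "):
        if token == "":
            raise ValueError("empty token: leading, trailing or doubled space")
        parsed.append(classify_token(token))
    return parsed


def summarize(cp: str) -> Dict[str, List[str]]:
    """Group a valid policy's tokens by class, keeping any creq suffix."""
    grouped: Dict[str, List[str]] = {}
    for cls, base, creq in parse_compact_policy(cp):
        grouped.setdefault(cls, []).append(base + creq)
    return grouped


# Constructed sample: one token from most classes, two carrying a creq.
SAMPLE_CP = "CAO DSP COR CUR ADMa DEVa OUR IND PHY ONL UNI NAV"

if __name__ == "__main__":
    for cls, tokens in summarize(SAMPLE_CP).items():
        print(f"{cls:17s} {' '.join(tokens)}")
```

   A user agent that rejects a malformed CP value outright, instead of
   guessing at it, falls back to fetching the full policy through the
   policyref directive, which is the authoritative source in any case.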
5. Security Considerations

   There are no additional security requirements for transporting the
   P3P header beyond the requirements of the document it is associated
   with.

6. Notes

   This draft is also present on the W3C site at the address
   http://www.w3.org/2002/02/draft-marchiori-w3c-p3p-header-01.txt.
   Enriched HTML and XML versions can be found at the addresses
   http://www.w3.org/2002/02/draft-marchiori-w3c-p3p-header-01.html and
   http://www.w3.org/2002/02/draft-marchiori-w3c-p3p-header-01.xml
   respectively. The XML version is compliant with RFC-2629[7].

7. Acknowledgments

   This draft was produced by the P3P Specification Working Group[9];
   please see authors and contributors of the Platform for Privacy
   Preferences 1.0 Specification[4]. 

   Thanks to Marshall Rose for his conversion tools from the
   RFC-2629[7] XML format to HTML and RFC.

References

   [1]  Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform
        Resource Identifiers (URI): Generic Syntax", RFC 2396, August
        1998.

   [2]  Bradner, S.O., "The Internet Standards Process -- Revision 3",
        RFC 2026, BCP 9, October 1996.

   [3]  Bradner, S.O., "Key words for use in RFCs to Indicate
        Requirement Levels", RFC 2119, BCP 14, March 1997.

   [4]  Cranor, L., Langheinrich, M., Marchiori, M., Presler-Marshall,
        M. and J. Reagle, "The Platform for Privacy Preferences 1.0
        (P3P1.0) Specification", W3C P3P1.0, December 2000,
        <http://www.w3.org/TR/P3P/>.

   [5]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
        Specifications: ABNF", RFC 2234, November 1997.

   [6]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
        Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol --
        HTTP/1.1", RFC 2616, June 1999.

   [7]  Rose, M.T., "Writing I-Ds and RFCs using XML", RFC 2629, June
        1999.

   [8]  http://www.w3.org/

   [9]  http://www.w3.org/P3P/Group/Specification


Authors' Addresses

   Massimo Marchiori
   W3C/MIT/UNIVE
   200 Technology Square
   Cambridge, MA  02139
   US

   Phone: +39 041 2908423
   EMail: massimo@w3.org
   URI:   http://www.w3.org/People/Massimo/

   Ran Lotenberg
   IDcide
   Blauer Drive
   Saratoga, CA  20454
   US

   Phone: +1 408 8721541
   EMail: ran@idcide.com
   URI:   http://www.idcide.com

Full Copyright Statement

   Copyright (C) The Internet Society (2002). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC editor function is currently provided by the
   Internet Society.
