Closed Bug 62453 Opened 24 years ago Closed 18 years ago

[P3P] Complaints about w3c proposal: The Platform for Privacy Preferences 1.0 (P3P1.0) Specification

Categories

(Core :: Networking: Cookies, defect)

defect
Not set
major

Tracking

VERIFIED WONTFIX

People

(Reporter: timeless, Unassigned)

Details

(Keywords: helpwanted)

This bug is for complaints about the w3c p3p working group proposal: The Platform for Privacy Preferences 1.0 (P3P1.0) Specification.

This complaint collector is for use after "The last call review period ends 31 October 2000." It is requested that all questions raised here be answered before mozilla.org consider implementation of this specification.

Here is a short list of reasonable complaints from before the w3c last call.

http://lists.w3.org/Archives/Public/www-p3p-public-comments/2000Oct/thread.html
* http://lists.w3.org/Archives/Public/www-p3p-public-comments/2000Oct/0022.html

http://lists.w3.org/Archives/Public/www-p3p-public-comments/2000Sep/thread.html
* http://lists.w3.org/Archives/Public/www-p3p-public-comments/2000Sep/0009.html
* http://lists.w3.org/Archives/Public/www-p3p-public-comments/2000Sep/0010.html
  ^ This is troubling
  <q content-type="text/excerpt"> While it would be nice if there was a technical means to protect users from negligent web sites, I'm really not sure how this could be done. Certainly there are some things a sophisticated user agent could look for, like set cookie requests from sites that claim not to use cookies. But there is a limit to what technology can do for us here. So I think we have to rely on web sites to make accurate statements.</q>

http://lists.w3.org/Archives/Public/www-p3p-public-comments/2000Aug/thread.html
* http://dollar.ecom.cmu.edu/p3pcritique/
* http://lists.w3.org/Archives/Public/www-p3p-public-comments/2000Aug/0023.html
* http://lists.w3.org/Archives/Public/www-p3p-public-comments/2000Aug/0022.html
* http://lists.w3.org/Archives/Public/www-p3p-public-comments/2000Aug/0012.html
Blocks: 62399
timeless, you said in bug 62399 that "Microsoft's [P3P] actions appear to be anticompetitive". Can you explain, please? I see no hint to that in the documents you referenced.
The article says
<quote> Because Passport authentication is done using a Web browser, people using competing products, such as AOL's Netscape 6.1 or Opera, would not be able to use the enhancements unless those browsers are also made P3P-compliant. The same restriction would apply to older versions of Internet Explorer. [...] Restricting the use of the new security and privacy features to IE 6 users "would be a mistake," said Guernsey Research analyst Chris LeTocq. "It doesn't make sense for Microsoft to shut out the largest part of its installed base from Passport services." </quote>
but that's about it - as always, 0 technical details. I don't see how Microsoft could shut out non-P3P-supporting clients, since the protocol is designed to be optional for the client. It is the client requesting the P3P statement and acting upon it as it pleases. P3P is like a machine-readable privacy policy, so how could a website force clients to support it? Not deliver any content unless the statement has been fetched? What about caches then?
Sorry, can someone (timeless?) explain to me why should this block p3p checking in? That article from cnet you point to is meaningless to me. It only increases the argument of having a p3p implementation checked into mozilla.
Blocks: 96683
No longer blocks: 96683
<quote src="http://www.w3.org/2001/10/patent-response"> Indeed, W3C has already found itself in a situation where implementers of a W3C Working Draft (the P3P specification) faced possible patent infringement litigation by a patent holder who had participated in the Working Group developing P3P. The immediate result was to bring P3P development to a halt. W3C then made a call to the developer community for prior art, and conducted a patent analysis. W3C's analysis concluded that there was no infringement. </quote>
<http://www.w3.org/1999/05/P3P-PatentPressRelease>
<http://www.w3.org/TR/1999/NOTE-P3P-analysis-19991027>
I think you are all missing the gist of the Microsoft message. First read what the Microsoft guy said. He didn't say that Hotmail/passport would not work in another browser type, just that the P3P features won't work. He then went on to say that MS has put P3P on its own web sites. And no, this doesn't mean special P3P support in IIS, just that MS owned web sites have P3P specifications ready to be used by a P3P client. The reality is client-side P3P support can be queried within IE6 - this enables some privacy features for passport that don't exist when you are using Mozilla, Opera, or Netscape. And of course, I agree that I see no reason why Mozilla shouldn't support the P3P standard on its own.
Mozilla will not be enabling Microsoft to dominate the world by implementing this web standard. The objections made in the public comments are handled well. The "excerpt" is taken out of context of the specification. Of course, her answer was perfectly fine - Mozilla could be a smart agent that could detect cases where some policies aren't being followed (like her cookie example). There isn't a whole lot that a P3P agent can do about whether the site decides to see collected information when they said they wouldn't. I say that this should just get set to INVALID or WONTFIX.
bjv@motive.com: did you notice that microsoft disallowed mozilla browsers from accessing msn.com for a while? that tells me that microsoft has a good record for openness and not requiring proprietary features (like 'Netscape' or 'Microsoft' in the useragent) akin to requiring that i accept an unacceptable P3P policy.
I really hate to be put in the position of defending Microsoft, so I won't. Locking out other browsers was stupid. What they did at MSN had little to do with supporting P3P privacy (a non P3P agent can still work when talking to a site that can present a P3P privacy statement). You are free to distrust Microsoft all you want. However, P3P is a w3c standard that is nearing its final approval. Microsoft is the first to put P3P in a browser/agent - so what. There are many message boards that you can vent, but I'd just as soon leave this conversation out of the bugzilla database. I suggest you take this to news://news.mozilla.org/netscape.public.mozilla.general
Can this not just be closed? It is a moot point anyway. extensions/p3p exists [wish it would compile on my FreeBSD box with 0.9.9 though] and it is an open standard. Read the Dutch or German version of the c't magazine for an extensive article on p3p and what Microsoft does with it [short summary: they just use it]. This ``bug'' is not contributing to anything other than FUD.
i'd prefer to keep it open. for one mozilla.org has not activated p3p for its default builds and I hope to keep this as a reminder that we never should.
timeless, is your concern that presentation of the p3p files to the useragent and its acceptance might be a consent (or opt-in agreement) in the legal sense, and it happens automatically (after the user set the pref), while today sites would have to ask users explicitly (annoying for user, reputation-risking for site), so fewer sites dare to require ridiculous privacy disclosure? Please spell out your concerns in a detailed way, comparing today's situation with what you fear could happen, if P3P were adopted.
taking P3P bugs
QA Contact: gbush
per discussion with mvl and dwitte, moving bugs in our p3p impl to nobody@mozilla.org and adding helpwanted keyword
moving to Cookies
Component: Miscellaneous → Cookies
Keywords: helpwanted
Product: mozilla.org → Browser
QA Contact: agracebush → cookieqa
Version: other → Trunk
Summary: Complaints about w3c proposal: The Platform for Privacy Preferences 1.0 (P3P1.0) Specification → [P3P] Complaints about w3c proposal: The Platform for Privacy Preferences 1.0 (P3P1.0) Specification
p3p has been permanently cvs removed, marking wontfix.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
Status: RESOLVED → VERIFIED