[OWASP-GUIDE] P3P

Mark Curphey mark at curphey.com
Mon Jan 20 03:25:41 EST 2003


I was kinda being facetious, it's late here but not as late as it is with
you!

I look at the guide as a way to describe web security technology and
show how it should be implemented correctly (or in some cases whether it
actually works). P3P is getting a lot of attention in corporate US and
with EU directives on privacy it is a big topic, even if you don't think
the technology is adequate. I actually do but I am happy to differ.

I don't understand your statement about the guide suggesting people make
the worst privacy statement possible. It seems like it's analogous
to saying "sure we're insecure, don't put your credit card in" just
because we all see lots of security issues, or am I missing the point?

On Sun, 2003-01-19 at 23:28, Alex Russell wrote:
> Yes, but the W3C has also backed the horrendous cluster-fsck that is
> XHTML 2.0. They aren't the purveyors of everything worth paying
> attention to.
> 
> Regardless, I can see how it might be relevant were it actually
> something that was useful for site developers in helping to protect
> their users' privacy, but it's not (IMHO). I'd much rather see a section
> that deals with privacy by suggesting that if developers REALLY care
> about privacy, that they state on their sites that they will collect
> whatever information they like and do whatever they please with it, as
> it more accurately reflects today's situation. As an addendum, we might
> add that only procedural controls (i.e., legislation) are going to be
> effective in providing adequate privacy protection for users. Anything
> else is either a smokescreen or snake oil, although I think P3P is more
> the former than the latter, as it seemed well intentioned to start with.
> 
> But then, that's just my opinion.
> 
> Am I wrong on this one? Is it something that developers care about and
> I'm just missing the boat? (it happens regularly, I'm afraid)
> 
> On Mon, 19 Jan 2003, Mark Curphey wrote:
> 
> > Yeah, W3C ;-)
> >
> > On Sun, 2003-01-19 at 23:44, Alex Russell wrote:
> > > On Saturday 18 January 2003 02:19, Mark Curphey wrote:
> > > > I was just chatting to Tim Smith about P3P and he offered to write a
> > > > chapter on P3P and re-write the privacy section of the Guide V2.
> > > >
> > > > I think this would be great content.
> > > >
> > > > Does everyone else ?
> > >
> > > Frankly, I'm not sure. I have a hard time either putting P3P forward as a
> > > solution to any serious problem, and I'm having a hard time figuring out
> > > why it would have a place in the Guide. As always, I'm willing to be
> > > convinced either way.
> > >
> > > Anyone got a compelling argument for why we should have such a thing?
> 
> -- 
> Alex Russell
> alex at SecurePipe.com
> alex at netWindows.org
> 
> 





