Re: [apps-discuss] Call For Adoption: draft-nottingham-safe-hint

[Mark Nottingham <mnot@mnot.net>]

Hi Ted,

On 23 Jul 2014, at 12:49 pm, Ted Hardie <ted.ietf@gmail.com> wrote:

> Note:  the very first time I came to the IETF in person was to argue against Nathaniel Borenstein's KidCode
> https://datatracker.ietf.org/doc/draft-borenstein-kidcode/.   The scars I got from the politics, backstabbing, and insanity that lead through that discussion to the IETF VAC effort (voluntary access control, see:  http://lists.w3.org/Archives/Public/www-talk/msg01707.html) and on to the spin up of p3p (http://www.w3.org/P3P/) still throb on cold nights.  
> 
> There is not even a single bit of good to be done here.  The amount of misapprehension and mischief available is simply too high.  Forget it and walk away.
> 
> I oppose adoption of this draft.
> 
> With all respect to those not quite so scarred,

I was a member of the P3P WG, and I bear the scars as well, so I’ll assume that your appeal to authority above wasn’t directed at me.

Let me construct my own appeal to authority below — the authority of *implementor interest*.

This discussion represents my main concern around asking for this draft to be standards track — defining the vocabulary to use when describing policy like this is a hornet’s nest for any standards activity, particularly when the set of people standardising it are NOT well-educated in this area, just bystanders (yes, being a parent makes one a stakeholder here, but that doesn’t make one educated on the underlying issues).

Note that I’m not really a stakeholder either; I just wrote down a mechanism that had some interesting properties:

* It is simple and single-bit, avoiding the pain of P3P
* It aligns the interests of the parties involved (unlike DNT)
* it works well with HTTP 

After I wrote it down, I let it sit. After a while, I got interest from the people at Microsoft who implement Family Safety; they are very well-educated in the issues here, and they decided it was interesting enough to implement. Then Mozilla came on board.

That told me that it might be worth standardising. I brought this draft here to see if we could do something small and simple to allow preferences to be expressed and then acted upon; the use case is very clearly defined in the draft. 

I did not do this to open up a can of worms of inventing a taxonomy for Web content safety; my scars and yours tell me that doing that is an especially stupid thing to do. This draft, however, does not do so; it’s just a bit, and it’s site-defined. If this devolves into an exercise of describing different levels of safety, etc., I’ll do my best to shoot the entire thing in the head personally, as that smacks of the worst of this process. 

Anyone suggesting a “NSFW” preference should identify the use cases and convince implementers. So far I’m hearing people with opinions and “good ideas" being answered by crickets on the implementer side.

In my estimation, it should take this draft a few weeks to get through the WG; there are a few editorial issues, but it’s substantially ready to get to the IESG. If it takes longer than that, it tells me that something is very, very wrong.

Cheers,

P.S. Some big Web sites have privately expressed to me that if this is standardised, some jurisdictions will require Web sites to honour it with jurisdictional (not site-specific) semantics. This very well may happen, and in that case, I’d encourage those big Web sites to use their (extensive) lobbying capabilities to make sure that there were a carve-out of an appropriate shape, so that the site retains its ability to define what “safe” is. I don’t, however, think that that’s a valid reason to resist standardisation here. After all, a sufficiently motivated jurisdiction can already do that with Cookies today; all this mechanism does is relieve end users of the burden of setting cookies for multiple sites.


--
Mark Nottingham   http://www.mnot.net/