Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On Sep 13, 2012, at 4:28 PM, Roy T. Fielding wrote:
>
> Regardless, I am +0 to revert, for none of the above reasons.
> I am not fond of the performance hit of checking for a browser
> version and setting an environment variable, just to support a
> standard that is not being backed by the standards group.
> I'd rather focus on new standards that aren't being manipulated
> by EC/DC politics and the trolls that they feed. I would, however,
> like to leave the three browsermatch lines in the config
> (commented out) as an example.
>

+1

> With regard to open letters, I'm done with that after our experience
> with Sun. If I had thought there was any chance of a letter working,
> it would have been the first action proposed. I am not opposed to
> the idea of sending official feedback through our friends at Microsoft,
> but please understand that it won't be effective unless we can make
> it in their own interest to stop abusing the standard.
>

I doubt that an open letter would/will change anything, but it's open for a reason: so that the larger community, and not just MS (or whoever it is directed to) is aware of our position and the rationale behind it. It's to garner support for our POV and, as such, I still think it's worthwhile, esp if we do adjust the config file to comment them out.

> Apache's original mission is still important to me, even if the
> rest of the world has forgotten.
>

I think it's also important to the PMC and the developers as well.
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On Sep 13, 2012, at 4:48 AM, Eric Covener wrote:
> On Sat, Aug 11, 2012 at 3:51 AM, wrote:
>> Author: fielding
>> Date: Sat Aug 11 07:51:52 2012
>> New Revision: 1371878
>>
>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>> Log:
>> Apache does not tolerate deliberate abuse of open standards
>
> I've come around on this one over time. While I appreciate the
> message/intent, I don't think this is reasonable for the default
> configuration because it errs on the side of ditching a privacy header
> and information loss for a (sensitive) header that we're not yet
> interpreting.

For those of you who haven't been following along, I'll include some links at the bottom for background.

DNT is not a privacy header. There is no magic pixy dust that sprinkles privacy bits on anyone that receives it. DNT is supposed to be an expression of user preference so that recipients will respect that user's desires.

It really is a question of deployment. Right now, nobody can comply with DNT on the server because none of the response mechanisms have been approved yet and the meaning of DNT is not agreed. There are a few sites that had been recognizing DNT as equivalent to their prior cookie-based opt-out, but most of those have since removed support of DNT (either for all UAs or only for IE 10.0) because of the default issue.

OTOH, if we were to attempt an implementation of DNT, then we could address it directly with the user instead of dropping the header field. Unfortunately, the WG has not yet agreed on a mechanism for a server to indicate that it "supports DNT in general, but for your specific user agent we need to ask again to confirm that it was by choice". There is also a general problem that, because compliance means long-term data controls and access restrictions are promised by the service owner, we can't respond as DNT compliant even if we have complied within our own server software.

> IMO it's enough even without this specific DNT text:
>
> "An HTTP intermediary must not add, delete, or modify the DNT header
> field in requests forwarded through that intermediary unless that
> intermediary has been specifically installed or configured to do so by
> the user making the requests. For example, an Internet Service
> Provider must not inject DNT: 1 on behalf of all of their users who
> have not selected a choice."

Yes (I wrote that part too), but keep in mind that we don't comply with DNT yet, nor are we likely to until the access log issues are resolved. I agree that we cannot have the config remain if we intend to comply with the standard, but that simply doesn't matter if IE 10.0 destroys DNT before we can even get there.

> I'd like to revert it, but this is not yet a veto. I'd like to hear
> what others think and would appreciate an ACK from Roy/Greg/Jim who
> voted for the backport to avoid any churn.

Strictly speaking, I don't think it is possible to veto a change made in a prior release, but I think this one should be reverted (or at least modified) if any of our PMC members feel so strongly now that they would have vetoed it last month. Consensus is important here.

Given the pathetic way that the Tracking Protection working group members have addressed this issue, both for and against the behavior of IE 10.0, I have lost any energy I once had for defending Mozilla's original definition. It was the only issue of substance that the WG had managed to record consensus, in over a year of deliberation. I would prefer that the WG change the text, one way or the other, before we make another change, but I also want anything we do to be based on what we think is right, not what others think or fail to do.

Regardless, I am +0 to revert, for none of the above reasons. I am not fond of the performance hit of checking for a browser version and setting an environment variable, just to support a standard that is not being backed by the standards group. I'd rather focus on new standards that aren't being manipulated by EC/DC politics and the trolls that they feed. I would, however, like to leave the three browsermatch lines in the config (commented out) as an example.

With regard to open letters, I'm done with that after our experience with Sun. If I had thought there was any chance of a letter working, it would have been the first action proposed. I am not opposed to the idea of sending official feedback through our friends at Microsoft, but please understand that it won't be effective unless we can make it in their own interest to stop abusing the standard.

Apache's original mission is still important to me, even if the rest of the world has forgotten.

http://oreilly.com/catalog/opensources/book/brian.html

Roy

The following links may help with background.

http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-not-track-in-the-windows-8-set-up-experience.aspx
http://www.computerwo
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On Thu, Sep 13, 2012 at 1:33 PM, Tim Bannister wrote:
> On 13 Sep 2012, at 18:24, Jeff Trawick wrote:
>
>> I don't think it is a transparency issue so much as a poor choice of
>> venues for airing the disagreement. We've put something in the .conf
>> file that many administrators will need to remove and almost none will
>> have a need to keep. The message to Microsoft, such as it is, suffers
>> because of that.
>
> s/administrators/packagers/ ?

No packager is going to ship those lines.

(IOW, the whole conversation is about the tiny subset of sites that start with the httpd.apache.org 2.4 default .conf and actually use DNT...)

>
> --
> Tim Bannister – is...@jellybaby.net
>

--
Born in Roswell... married an alien...
http://emptyhammock.com/
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On Sep 13, 2012, at 1:24 PM, Jeff Trawick wrote:
> On Thu, Sep 13, 2012 at 12:31 PM, Jim Jagielski wrote:
>> I think we are all in agreement, however, that MS is
>> violating the standard... are we not?
>>
>> With that as a given, do we Do Nothing? I don't think so;
>> We shouldn't, by action or inaction, permit violations. Now,
>> with that as a given, the question is How Do We Respond.
>>
>> At the very least, the commit sparked some interest and
>> involvement, even if much of it was worthless and clueless.
>> I like the idea of using that as a "door-opener" for an
>> Open Letter. Ideally, in that letter we explain the problem
>> and the rationale for the commit, we also explain how
>> to *remove* the "offending" commit (even though it's pretty
>> ez of course) and that we are keeping the commit in place
>> until such time as MS changes course, but we are aware that
>> it could adversely affect "innocent" users and so
>> we want to make sure that they have all the info they need
>> to remove it.
>>
>> The idea is to restore the transparency... If we had made a
>> more public "splash" about this, maybe it wouldn't have created
>> such a storm of uncluefull backlash; it's the idea that we
>> did something "sneaky", I think, is what some people find
>> (understandably) upsetting.
>
> I don't think it is a transparency issue so much as a poor choice of
> venues for airing the disagreement. We've put something in the .conf
> file that many administrators will need to remove and almost none will
> have a need to keep. The message to Microsoft, such as it is, suffers
> because of that.
>

I agree.
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On 13 Sep 2012, at 18:24, Jeff Trawick wrote:

> I don't think it is a transparency issue so much as a poor choice of
> venues for airing the disagreement. We've put something in the .conf
> file that many administrators will need to remove and almost none will
> have a need to keep. The message to Microsoft, such as it is, suffers
> because of that.

s/administrators/packagers/ ?

--
Tim Bannister – is...@jellybaby.net
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On Thu, Sep 13, 2012 at 12:31 PM, Jim Jagielski wrote:
> I think we are all in agreement, however, that MS is
> violating the standard... are we not?
>
> With that as a given, do we Do Nothing? I don't think so;
> We shouldn't, by action or inaction, permit violations. Now,
> with that as a given, the question is How Do We Respond.
>
> At the very least, the commit sparked some interest and
> involvement, even if much of it was worthless and clueless.
> I like the idea of using that as a "door-opener" for an
> Open Letter. Ideally, in that letter we explain the problem
> and the rationale for the commit, we also explain how
> to *remove* the "offending" commit (even though it's pretty
> ez of course) and that we are keeping the commit in place
> until such time as MS changes course, but we are aware that
> it could adversely affect "innocent" users and so
> we want to make sure that they have all the info they need
> to remove it.
>
> The idea is to restore the transparency... If we had made a
> more public "splash" about this, maybe it wouldn't have created
> such a storm of uncluefull backlash; it's the idea that we
> did something "sneaky", I think, is what some people find
> (understandably) upsetting.

I don't think it is a transparency issue so much as a poor choice of venues for airing the disagreement. We've put something in the .conf file that many administrators will need to remove and almost none will have a need to keep. The message to Microsoft, such as it is, suffers because of that.

--
Born in Roswell... married an alien...
http://emptyhammock.com/
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On Sep 13, 2012 7:48 AM, "Eric Covener" wrote:
>
> On Sat, Aug 11, 2012 at 3:51 AM, wrote:
> > Author: fielding
> > Date: Sat Aug 11 07:51:52 2012
> > New Revision: 1371878
> >
> > URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
> > Log:
> > Apache does not tolerate deliberate abuse of open standards
>
> I've come around on this one over time. While I appreciate the
> message/intent, I don't think this is reasonable for the default
> configuration because it errs on the side of ditching a privacy header
> and information loss for a (sensitive) header that we're not yet
> interpreting. IMO it's enough even without this specific DNT text:
>
> "An HTTP intermediary must not add, delete, or modify the DNT header
> field in requests forwarded through that intermediary unless that
> intermediary has been specifically installed or configured to do so by
> the user making the requests. For example, an Internet Service
> Provider must not inject DNT: 1 on behalf of all of their users who
> have not selected a choice."
>
> I'd like to revert it, but this is not yet a veto. I'd like to hear
> what others think and would appreciate an ACK from Roy/Greg/Jim who
> voted for the backport to avoid any churn.

Microsoft is putting their users at risk, not us. I believe the change should remain.
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
I think we are all in agreement, however, that MS is violating the standard... are we not?

With that as a given, do we Do Nothing? I don't think so; We shouldn't, by action or inaction, permit violations. Now, with that as a given, the question is How Do We Respond.

At the very least, the commit sparked some interest and involvement, even if much of it was worthless and clueless. I like the idea of using that as a "door-opener" for an Open Letter. Ideally, in that letter we explain the problem and the rationale for the commit, we also explain how to *remove* the "offending" commit (even though it's pretty ez of course) and that we are keeping the commit in place until such time as MS changes course, but we are aware that it could adversely affect "innocent" users and so we want to make sure that they have all the info they need to remove it.

The idea is to restore the transparency... If we had made a more public "splash" about this, maybe it wouldn't have created such a storm of uncluefull backlash; it's the idea that we did something "sneaky", I think, is what some people find (understandably) upsetting.
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On Thu, Sep 13, 2012 at 12:48 PM, Eric Covener wrote:
> On Sat, Aug 11, 2012 at 3:51 AM, wrote:
>> Author: fielding
>> Date: Sat Aug 11 07:51:52 2012
>> New Revision: 1371878
>>
>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>> Log:
>> Apache does not tolerate deliberate abuse of open standards
>
> I've come around on this one over time. While I appreciate the
> message/intent, I don't think this is reasonable for the default
> configuration because it errs on the side of ditching a privacy header
> and information loss for a (sensitive) header that we're not yet
> interpreting. IMO it's enough even without this specific DNT text:
>
> "An HTTP intermediary must not add, delete, or modify the DNT header
> field in requests forwarded through that intermediary unless that
> intermediary has been specifically installed or configured to do so by
> the user making the requests. For example, an Internet Service
> Provider must not inject DNT: 1 on behalf of all of their users who
> have not selected a choice."

What about _this_ specific DNT text:

"The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with via HTTP, thereby allowing each service to either adjust their behavior to meet the user's expectations or reach a separate agreement with the user to satisfy all parties. Key to that notion of expression is that it MUST reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control."

The header being removed does not conform to this requirement.

>
> I'd like to revert it, but this is not yet a veto. I'd like to hear
> what others think and would appreciate an ACK from Roy/Greg/Jim who
> voted for the backport to avoid any churn.
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On 09/13/2012 03:27 PM, Jeff Trawick wrote:
> On Thu, Sep 13, 2012 at 7:48 AM, Eric Covener wrote:
>> On Sat, Aug 11, 2012 at 3:51 AM, wrote:
>>> Author: fielding
>>> Date: Sat Aug 11 07:51:52 2012
>>> New Revision: 1371878
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>>> Log:
>>> Apache does not tolerate deliberate abuse of open standards
>>
>> I've come around on this one over time. While I appreciate the
>> message/intent, I don't think this is reasonable for the default
>> configuration because it errs on the side of ditching a privacy header
>> and information loss for a (sensitive) header that we're not yet
>> interpreting. IMO it's enough even without this specific DNT text:
>>
>> "An HTTP intermediary must not add, delete, or modify the DNT header
>> field in requests forwarded through that intermediary unless that
>> intermediary has been specifically installed or configured to do so by
>> the user making the requests. For example, an Internet Service
>> Provider must not inject DNT: 1 on behalf of all of their users who
>> have not selected a choice."
>>
>> I'd like to revert it, but this is not yet a veto. I'd like to hear
>> what others think and would appreciate an ACK from Roy/Greg/Jim who
>> voted for the backport to avoid any churn.
>
> I agree that it should be reverted. I don't think it is technically
> justifiable for the default conf to remove it for IE 10. I don't
> think any particular web server deployment that has the general
> intention of respecting DNT should unset it for IE 10.
>
> If the will exists within the group, an open letter to Microsoft could
> be posted on httpd.apache.org regarding IE 10 flouting the user choice
> intent of the DNT specification.
>

I too agree that it should be reverted, if nothing else, then at least for the time being, till this has been thoroughly discussed.

Technically speaking, as httpd may be used as an intermediary (more specifically, a proxy/reverse proxy), it is difficult to justify forcing backends to take into account that we are altering the DNT, as Eric pointed out in the RFC quote. As I understand it, the patch would apply to both httpd itself and any backend that it proxies to, who may or may not be of the same opinion about whether the DNT standard has been broken by IE. Furthermore, as we ourselves do not support or use this DNT header ourselves, there is the question of what the patch actually achieves for httpd.

What Microsoft has done is, to say the least, disappointing from a technical aspect, as it muddies the waters, and I think Jeff's thoughts about an open letter would be a very good idea, but it is hard for me to technically justify editing the DNT header from within httpd, thus also denying DNT for those who explicitly want it on. The error, as I see it, lies with Microsoft, and in the end, it should be Microsoft that fixes it, not httpd that has to make a workaround.

With regards,
Daniel.
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On Thu, Sep 13, 2012 at 7:48 AM, Eric Covener wrote:
> On Sat, Aug 11, 2012 at 3:51 AM, wrote:
>> Author: fielding
>> Date: Sat Aug 11 07:51:52 2012
>> New Revision: 1371878
>>
>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>> Log:
>> Apache does not tolerate deliberate abuse of open standards
>
> I've come around on this one over time. While I appreciate the
> message/intent, I don't think this is reasonable for the default
> configuration because it errs on the side of ditching a privacy header
> and information loss for a (sensitive) header that we're not yet
> interpreting. IMO it's enough even without this specific DNT text:
>
> "An HTTP intermediary must not add, delete, or modify the DNT header
> field in requests forwarded through that intermediary unless that
> intermediary has been specifically installed or configured to do so by
> the user making the requests. For example, an Internet Service
> Provider must not inject DNT: 1 on behalf of all of their users who
> have not selected a choice."
>
> I'd like to revert it, but this is not yet a veto. I'd like to hear
> what others think and would appreciate an ACK from Roy/Greg/Jim who
> voted for the backport to avoid any churn.

I agree that it should be reverted. I don't think it is technically justifiable for the default conf to remove it for IE 10. I don't think any particular web server deployment that has the general intention of respecting DNT should unset it for IE 10.

If the will exists within the group, an open letter to Microsoft could be posted on httpd.apache.org regarding IE 10 flouting the user choice intent of the DNT specification.
DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)
On Sat, Aug 11, 2012 at 3:51 AM, wrote:
> Author: fielding
> Date: Sat Aug 11 07:51:52 2012
> New Revision: 1371878
>
> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
> Log:
> Apache does not tolerate deliberate abuse of open standards

I've come around on this one over time. While I appreciate the message/intent, I don't think this is reasonable for the default configuration because it errs on the side of ditching a privacy header and information loss for a (sensitive) header that we're not yet interpreting. IMO it's enough even without this specific DNT text:

"An HTTP intermediary must not add, delete, or modify the DNT header field in requests forwarded through that intermediary unless that intermediary has been specifically installed or configured to do so by the user making the requests. For example, an Internet Service Provider must not inject DNT: 1 on behalf of all of their users who have not selected a choice."

I'd like to revert it, but this is not yet a veto. I'd like to hear what others think and would appreciate an ACK from Roy/Greg/Jim who voted for the backport to avoid any churn.