Deploying a P3P policy actually isn't very hard. There are some great tools for creating the policy itself. But it can be difficult to know exactly what to do. I followed these instructions but still have a few questions, so I'll document exactly what I did below.
The first step is to create the policy. I used IBM's P3P policy editor. It's a Java program, so it will run most anywhere. Using the tool takes a little work since it's not clear at first what you're editing. Create your policy from a template if you can since that will save a lot of decisions later. Once you've done that, select Policy->Policy Properties and fill in the information about your service and organization. If you look at the errors, you see that you have to fill just about everything in. Make sure you add a "privacy seal" even if it's just a notice that your customer service department can answer questions.
The policy itself is in the "groups" on the right. Double click each one and make sure you agree with what it says. Clicking on "Errors" will show you things left undone and clicking on "HTML Policy" will show you the human readable version of what you're creating. At the bottom it provides an analysis of how this policy will play in IE. Very helpful.
When you're done and there are no errors, you need to save four things:
- The policy itself as name.xml where name is the name you selected under "Web Sites" in the Policy Properties pane. You will likely have just one, but you can have many covering different parts of your site.
- A policy reference file as p3p.xml. This file provides discovery services for the policies. Whether you have one or many policies for your site, this file tells programs which policy applies where and how to find them
- A human readable policy
- A compact policy. This is a string of three and four letter acronyms that specify the policy in a compact manner.
Put the first two in http://yoursite.com/w3c/... Put the third in whatever URL you specified the human readable policy would be referenced by.
The compact policy is used in the HTTP headers that your server returns for ant HTTP request. This gets rid of one or more round trips to the server to request the XML version of the policy. In my experience, this was a necessary step to get IE to recognize the policy.
Having Apache return the compact policy in the header requires building and installing the mod_header module. I'd already done that so I simply added this line to my HTTP configuration file:
Header append P3P "CP=\\"NOI DSP ADMo DEVo TAIo ... DEM STA\\""
Once you've got all this installed, you should be able to open IE, double click on the eyeball with the red slash through it in the status bar and confirm that your cookies are no longer blocked. If there are no blocked cookies, the eyeball is not there at all.
That's it from a technology standpoint. The trickier part is deciding whether you can actually live with the restrictions you'll need to put in place to let IE store your cookies.
The whole thing feels like a waste of time. Your product won't be better and most people won't be any more protected when your done. But you need to do it in an IE world.