Sieve Notification Using Presence Information
draft-ietf-sieve-notify-presence-04

[Ballot discuss]
[The authors have offered to expand the guidance on caching.  I expect the changes will be sufficient.]

The first and third paragraphs of the security considerations section seem to be in conflict.  The first paragraph states
that "implementations MUST ensure that users can not create scripts that access the presence information of others without the proper access controls."  The third paragraph advocates "caching presence tests for periods of time, even
across Sieve script instances."  Is it reasonable to expect an implementation to ensure that the different script
instances *all* satisfy the access controls?

[Ballot comment]
In Section 2, the first time XMPP is mentioned there is no reference to the XMPP spec. The reference only appears later. Adding a reference the first time XMPP appears in the text would be useful.

[Ballot comment]
As far as I can tell so far, nothing in this document would make it hard to later
extend its ideas to cover other types of presence information, up to and including
queries against current location (PIDF-LO) enabling rules like "only send me an
SMS notification if I'm in the country" - so, I'm entering this as a comment instead
of a discuss.

Please consider further reinforcing that these notification capability parameter values
are going to be derived from potentially several inputs, including calendars as well
as presence servers. It would help to informatively reference PIDF (RFC3863),
especially in the registration of the "status" element, pointing to PIDF's "note" element
in section 4.1.6.

Also please consider calling out considering RPID and PDIF-LO when choosing
new capability parameter names in the discussion of  adding new presence items.

[Ballot comment]
1.The language in the Security Considerations section is inconsistent in the way it deals with the actions needed to be considered by implementations to mitigate the security threats described in this section.

While the first paragraph ends with:

> In addition, implementations MUST
  ensure that users can not create scripts that access the presence
  information of others without the proper access controls.

the third one says:

>  Implementations might consider providing options for rate limiting,
  or for caching presence tests for periods of time, even across Sieve
  script instances.

For consitency purposes it would be better to use 2119 language in both places or none. My preference would be for a MAY or SHOULD to be used in the later case.

2. The OPS-DIR review by Peter Koch questioned the free format of the status information for:

> Description:  A human-readable description of the user's availability
        status.  This is similar to the presence element with the same
        name that's defined in Section 2.2.2.2 of RFC 3921.
  Syntax:  There is no formal definition for the values this item may
        take.  It is free-form and may be in any language, and is meant
        for human consumption.

I think that it would be better to clarify that as per RFC 3921 this is a natural language description  (which is more clear than 'any language') and that Sieve already specifies that strings are in UTF-8 (RFC 5228, section 2.1)

[Ballot discuss]
[This is a preliminary discuss.  I may have additional issues before the telechat, but wanted to raise this issue now
in hopes of resolving it beforehand.]

The first and third paragraphs of the security considerations section seem to be in conflict.  The first paragraph states
that "implementations MUST ensure that users can not create scripts that access the presence information of others without the proper access controls."  The third paragraph advocates "caching presence tests for periods of time, even
across Sieve script instances."  Is it reasonable to expect an implementation to ensure that the different script
instances *all* satisfy the access controls?

  (1.a)  Who is the Document Shepherd for this document?  Has the
          Document Shepherd personally reviewed this version of the
          document and, in particular, does he or she believe this
          version is ready for forwarding to the IESG for publication?
         
          Shepherd: Cyrus Daboo  I have
          personally reviewed this document and believe it ready for
          submission to the IESG.

  (1.b)  Has the document had adequate review both from key WG members
          and from key non-WG members?  Does the Document Shepherd have
          any concerns about the depth or breadth of the reviews that
          have been performed?
         
          It has had review from WG members. Not from non-WG
          members. No concerns with the nature of those reviews.

  (1.c)  Does the Document Shepherd have concerns that the document
          needs more review from a particular or broader perspective,
          e.g., security, operational complexity, someone familiar with
          AAA, internationalization or XML?
         
          No.

  (1.d)  Does the Document Shepherd have any specific concerns or
          issues with this document that the Responsible Area Director
          and/or the IESG should be aware of?  For example, perhaps he
          or she is uncomfortable with certain parts of the document, or
          has concerns whether there really is a need for it.  In any
          event, if the WG has discussed those issues and has indicated
          that it still wishes to advance the document, detail those
          concerns here.  Has an IPR disclosure related to this document
          been filed?  If so, please include a reference to the
          disclosure and summarize the WG discussion and conclusion on
          this issue.
         
          No concerns with this document.

  (1.e)  How solid is the WG consensus behind this document?  Does it
          represent the strong concurrence of a few individuals, with
          others being silent, or does the WG as a whole understand and
          agree with it?
         
          There is WG consensus behind this.

  (1.f)  Has anyone threatened an appeal or otherwise indicated extreme
          discontent?  If so, please summarise the areas of conflict in
          separate email messages to the Responsible Area Director.  (It
          should be in a separate email because this questionnaire is
          entered into the ID Tracker.)
         
          No.

  (1.g)  Has the Document Shepherd personally verified that the
          document satisfies all ID nits?  (See
          http://www.ietf.org/ID-Checklist.html and
          http://tools.ietf.org/tools/idnits/).  Boilerplate checks are
          not enough; this check needs to be thorough.  Has the document
          met all formal review criteria it needs to, such as the MIB
          Doctor, media type and URI type reviews?
         
          ID nits were checked.

  (1.h)  Has the document split its references into normative and
          informative?  Are there normative references to documents that
          are not ready for advancement or are otherwise in an unclear
          state?  If such normative references exist, what is the
          strategy for their completion?  Are there normative references
          that are downward references, as described in [RFC3967]?  If
          so, list these downward references to support the Area
          Director in the Last Call procedure for them [RFC3967].
         
          References are split into two sections.

  (1.i)  Has the Document Shepherd verified that the document IANA
          consideration section exists and is consistent with the body
          of the document?  If the document specifies protocol
          extensions, are reservations requested in appropriate IANA
          registries?  Are the IANA registries clearly identified?  If
          the document creates a new registry, does it define the
          proposed initial contents of the registry and an allocation
          procedure for future registrations?  Does it suggest a
          reasonable name for the new registry?  See [RFC2434].  If the
          document describes an Expert Review process has Shepherd
          conferred with the Responsible Area Director so that the IESG
          can appoint the needed Expert during the IESG Evaluation?
         
          Yes.

  (1.j)  Has the Document Shepherd verified that sections of the
          document that are written in a formal language, such as XML
          code, BNF rules, MIB definitions, etc., validate correctly in
          an automated checker?
         
          Yes.

  (1.k)  The IESG approval announcement includes a Document
          Announcement Write-Up.  Please provide such a Document
          Announcement Write-Up?  Recent examples can be found in the
          "Action" announcements for approved documents.  The approval
          announcement contains the following sections:

          Technical Summary
            Relevant content can frequently be found in the abstract
            and/or introduction of the document.  If not, this may be
            an indication that there are deficiencies in the abstract
            or introduction.

          Working Group Summary
            Was there anything in WG process that is worth noting?  For
            example, was there controversy about particular points or
            were there decisions where the consensus was particularly
            rough?

          Document Quality
            Are there existing implementations of the protocol?  Have a
            significant number of vendors indicated their plan to
            implement the specification?  Are there any reviewers that
            merit special mention as having done a thorough review,
            e.g., one that resulted in important changes or a
            conclusion that the document had no substantive issues?  If
            there was a MIB Doctor, Media Type or other expert review,
            what was its course (briefly)?  In the case of a Media Type
            review, on what date was the request posted?

          Personnel
            Who is the Document Shepherd for this document?  Who is the
            Responsible Area Director? Is an IANA expert needed?

Technical Summary

The SIEVE notify presence extension adds an option to the notify extension to allow sending SIEVE notifications based on the presence status of the owner of the SIEVE script.

The security considerations section covers several identified security
concerns.

Working Group Summary

This document has been discussed and reviewed in the SIEVE Working Group.
There is consensus in the Working Group to publish this document
as a Proposed Standard.

Document Quality

Several implementers have indicated they will implement this extension as time allows.

Personal

Document Shepherd: Cyrus Daboo
AD: Alexey Melnikov

[Note]: changed to 'Cyrus Daboo is the document shepherd.
AD review comments (a missing IANA registration and unclear text about "status" allowing for "unknown" due to inability to retrieve it) need to be dealt with post IETF LC.'

IANA understands that, upon approval of this document, a single IANA
Action must be completed.

Two new registrations are to be made in the Notification-Capability
Parameters registry located at:

http://www.iana.org/assignments/notification-capability-parameters/notification-capability-parameters.xhtml

They are:

Capability name: busy
Description: An indication of whether the user is considered "busy" now
(the value "yes") or not (the value "no"). The meaning of "busy" is left
to the implementation, and may be a state that's synthesized from other
information.
Syntax: Has one of the values "yes", "no", or "unknown". The value MUST
be in lower case.
Reference: [RFC-to-be]
Contact: The Sieve discussion list,

Capability name: show
Description: The availability status of the user. This is similar to the
presence element with the same name that's defined in Section 2.2.2.1 of
RFC 3921.
Syntax: Has one of the values "away", "chat", "dnd", "offline", "xa", or
"unknown". The value MUST be in lower case.
Reference: [ RFC-to-be ]
Contact: The Sieve discussion list,

IANA understands that this is the only action required to be completed
upon approval of this document.

[Note]: 'AD review comments (a missing IANA registration and unclear text about "status" allowing for "unknown" due to inability to retrieve it) need to be dealt with post IETF LC.' added by Alexey Melnikov

AD review comments (a missing IANA registration and unclear text about "status" allowing for "unknown" due to inability to retrieve it) need to be dealt with post IETF LC.