SIMPLE J. Rosenberg
Internet-Draft Cisco Systems
Expires: August 22, 2005 February 21, 2005
Presence Authorization Rules
draft-ietf-simple-presence-rules-02
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 22, 2005.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
Authorization is a key function in presence systems. Authorization
policies, also known as authorization rules, specify what presence
information can be given to which watchers, and when. This
specification defines an Extensible Markup Language (XML) document
format for expressing presence authorization rules. Such a document
can be manipulated by clients using the XML Configuration Access
Protocol (XCAP), although other techniques are permitted.
Rosenberg Expires August 22, 2005 [Page 1]
Internet-Draft Presence Authorization February 2005
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Structure of Permission Statements . . . . . . . . . . . . . 5
3.1 Conditions . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1.1 Identity . . . . . . . . . . . . . . . . . . . . . . . 5
3.1.2 Anonymous . . . . . . . . . . . . . . . . . . . . . . 6
3.1.3 Sphere . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2 Actions . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2.1 Subscription Handling . . . . . . . . . . . . . . . . 7
3.3 Transformations . . . . . . . . . . . . . . . . . . . . . 9
3.3.1 Providing Access to Data Component Elements . . . . . 9
3.3.1.1 Device Information . . . . . . . . . . . . . . . . 9
3.3.1.2 Person Information . . . . . . . . . . . . . . . . 10
3.3.1.3 Service Information . . . . . . . . . . . . . . . 11
3.3.2 Providing Access to Presence Attributes . . . . . . . 12
3.3.2.1 Provide Activities . . . . . . . . . . . . . . . . 12
3.3.2.2 Provide Class . . . . . . . . . . . . . . . . . . 12
3.3.2.3 Provide Device ID . . . . . . . . . . . . . . . . 13
3.3.2.4 Provide Mood . . . . . . . . . . . . . . . . . . . 13
3.3.2.5 Provide Place-is . . . . . . . . . . . . . . . . . 13
3.3.2.6 Provide Place-type . . . . . . . . . . . . . . . . 13
3.3.2.7 Provide Privacy . . . . . . . . . . . . . . . . . 13
3.3.2.8 Provide Relationship . . . . . . . . . . . . . . . 14
3.3.2.9 Provide Sphere . . . . . . . . . . . . . . . . . . 14
3.3.2.10 Provide Status-Icon . . . . . . . . . . . . . . 14
3.3.2.11 Provide Time-Offset . . . . . . . . . . . . . . 14
3.3.2.12 Provide User-Input . . . . . . . . . . . . . . . 14
3.3.2.13 Provide Note . . . . . . . . . . . . . . . . . . 15
3.3.2.14 Component ID . . . . . . . . . . . . . . . . . . 15
3.3.2.15 Provide Unknown Attribute . . . . . . . . . . . 16
3.3.2.16 Provide All Attributes . . . . . . . . . . . . . 16
4. When to Apply the Authorization Policies . . . . . . . . . . 17
5. Example Document . . . . . . . . . . . . . . . . . . . . . . 17
6. XML Schema . . . . . . . . . . . . . . . . . . . . . . . . . 18
7. Schema Extensibility . . . . . . . . . . . . . . . . . . . . 21
8. XCAP Usage . . . . . . . . . . . . . . . . . . . . . . . . . 22
8.1 Application Unique ID . . . . . . . . . . . . . . . . . . 22
8.2 Structure of Permission Statements . . . . . . . . . . . . 22
8.3 Additional Constraints . . . . . . . . . . . . . . . . . . 22
8.4 Naming Conventions . . . . . . . . . . . . . . . . . . . . 22
8.5 Authorization Policies . . . . . . . . . . . . . . . . . . 22
8.6 XML Schema . . . . . . . . . . . . . . . . . . . . . . . . 22
9. Security Considerations . . . . . . . . . . . . . . . . . . 22
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . 23
10.1 XCAP Application Usage ID . . . . . . . . . . . . . . . 23
10.2 URN Sub-Namespace Registration . . . . . . . . . . . . . 23
Rosenberg Expires August 22, 2005 [Page 2]
Internet-Draft Presence Authorization February 2005
10.3 XML Schema Registrations . . . . . . . . . . . . . . . . 24
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
11.1 Normative References . . . . . . . . . . . . . . . . . . . 24
11.2 Informative References . . . . . . . . . . . . . . . . . . 26
Author's Address . . . . . . . . . . . . . . . . . . . . . . 26
Intellectual Property and Copyright Statements . . . . . . . 27
Rosenberg Expires August 22, 2005 [Page 3]
Internet-Draft Presence Authorization February 2005
1. Introduction
The Session Initiation Protocol (SIP) for Instant Messaging and
Presence (SIMPLE) specifications allow a user, called a watcher, to
subscribe to another user, called a presentity [18], in order to
learn their presence information [21]. This subscription is handed
by a presence agent. The logical processing of the presence agent is
described in the presence data model [15]. In that model, the
subscription authorization decision, the selection of the composition
policy, and the governance of privacy filtering are all described by
a presence authorization document. This specification defines a
format for such a document.
Typically, a user will place a multiplicity of authorization
documents on a server, each one applying in certain situations. In
addition to the user, the service provider may have its own
authorization policies which apply in other situations. These
documents are combined together to produce a single authorization
policy which guides presence server processing.
[12] specifies a framework for representing authorization policies,
and is applicable to systems such as geo-location and presence. In
that framework, an authorization document is a sequence of rules.
Each rule contains conditions, actions, and transformations. The
conditions specify under what conditions the rule is to be applied to
presence server processing. The actions element tells the server
what actions to take. In the context of the data model, these
actions include the subscription authorization decision and the
selection of the composition policy. The transformations element
indicates how the presence data is to be manipulated before being
presented to that watcher, and serves as the guide for the privacy
filtering operation. [12] identifies a small number of specific
conditions, actions and permissions common to presence and location
services, and leaves it to other specifications, such as this one, to
fill in usage specific details.
These documents can be manipulated by clients using several means.
One such mechanism is the XML Configuration Access Protocol (XCAP)
[2]. This specification defines the details necessary for using XCAP
to manage presence authorization documents.
2. Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" are to be interpreted as described in RFC 2119 [1] and
indicate requirement levels for compliant implementations.
Rosenberg Expires August 22, 2005 [Page 4]
Internet-Draft Presence Authorization February 2005
3. Structure of Permission Statements
A permission statement is an XML document, formatted according to the
schema defined in [12]. Permission statement documents inherit the
MIME type of common policy documents, application/auth-policy+xml.
As described in [12], this document is composed of three parts -
conditions, actions, and transformations. Each action or
transformation, which is also called a permission, has the property
of being a positive grant of information to the watcher. As a
result, there is a well-defined mechanism for combining actions and
transformations obtained from several sources. This mechanism is
privacy safe, since the lack of any action or transformation can only
result in less information being presented to a watcher.
This section defines the new conditions, actions and transformations
defined by this specification.
3.1 Conditions
3.1.1 Identity
Although the <identity> element is defined in [12], that
specification indicates that the interpretation of the <id> element
depends on the specific protocol in use and its authentication
mechanisms. This sub-section defines that interpretation for systems
based on [21].
For requests that are authenticated using SIP [9] digest
authentication [8], the identity used for comparisons to the <id>,
<domain> and <except> fields is set equal to the user and domain part
of the SIP Address of Record (AOR) for the user that has
authenticated themselves. For example, consider the following "user
record":
SIP AOR: sip:alice@example.com
digest username: ali
digest password: f779ajvvh8a6s6
digest realm: example.com
If the presence server receives a SUBSCRIBE request, challenges it
with the realm set to "example.com", and the subsequent SUBSCRIBE
contains an Authorization header field with a username of "ali" and a
digest response generated with the password "f779ajvvh8a6s6", the
identity used in matching operations is "sip:alice@example.com".
For requests that are authenticated using RFC 3325 [22], the username
and domain part of the URI are matched against the user and host
Rosenberg Expires August 22, 2005 [Page 5]
Internet-Draft Presence Authorization February 2005
parts of the SIP URI in the P-Asserted-Identity header field.
For requests that are authenticated using the SIP Identity mechanism
[14], the username and domain part of the URI are matched against the
user and host parts of the URI in the From header field of the
request, assuming that the signature in the Identity header field has
been validated.
In SIP systems, it is possible for a user to have aliases - that is,
there are multiple SIP AOR "assigned" to a single user. In terms of
this specification, there is no relationship between those aliases.
Each would look like a different user. This will be the consequence
for systems were the watcher is in a different domain than the
presentity. However, even if the watcher and presentity are in the
same domain, and the presence server knows that there are aliases for
the watcher, these aliases are not mapped to each other or used in
any way.
3.1.2 Anonymous
The <anonymous> element is defined in [12]. However, it is necessary
to explicitly define how an identity is considered to be anonymous
for a particular using protocol, such as SIP. The request is
considered anonymous if it was authenticated by the presence server
using the <anonymous> username defined in RFC 3261, if the asserted
identity [22] has a URI in the "anonymous.invalid" domain [17], or if
the From field has a username of anonymous within some domain, and
the Identity header field is present with a valid signature provided
by that domain [14].
3.1.3 Sphere
The <sphere> element is defined in [12]. However, each application
making use of the common policy specification needs to determine how
the presence server computes the value of the sphere to be used in
the evaluation of the condition.
To compute the value of <sphere>, the default composition policy is
applied for the presentity [15]. The result will be a raw presence
document with a single <person> element, possibly containing a
<sphere> element, which is defined in the Rich Presence Information
Data Format [13]. If the <sphere> is present, that value is used in
the evaluation of the <sphere> condition. If the <sphere> element is
not present in the presence document, the value is set to undefined.
Care must be taken in using <sphere> as a condition for determining
the subscription handling. Since the value of <sphere> changes
dynamically, a state change can cause a subscription to be suddenly
Rosenberg Expires August 22, 2005 [Page 6]
Internet-Draft Presence Authorization February 2005
terminated. The watcher has no way to know, aside from polling, when
their subscription would be re-instated as the value of <sphere>
changes. For this reason, <sphere> is primarily useful for matching
on rules that define transformations.
3.2 Actions
3.2.1 Subscription Handling
The <sub-handling> element specifies the subscription authorization
decision that the server should make. It also specifies whether or
not the presence document for the watcher should be constructed using
"polite blocking" or not. Usage of polite blocking and the
subscription authorization decision are specified jointly since
proper privacy handling requires a correlation between them. As
discussed in [12], since the combination algorithm runs independently
for each permission, if correlations exist between permissions, they
must be merged into a single variable. That is what is done here.
The <sub-handling> element is an enumerated Integer type. The
defined values are:
block: This action tells the server to place the subscription in the
rejected state. It has the value of zero, and it represents the
default value. No value of the sub-handling element can ever be
lower than this. Strictly speaking, it is not necessary to every
include an explicit block action, since the default in the absence
of any action will be block. However, it is included for
completeness.
confirm: This action tells the server to place the subscription in
the "pending" state, and await input from the presentity to
determine how to proceed. It has a value of one.
polite-block: This action tells the server to place the subscription
into the "accepted" state. Furthermore, it selects the
composition policy, and sets it to support a polite blocking
operation. The specific composition policy to accomplish these
goals is at the discretion of the service provider. In all cases,
the result of the composition policy SHOULD produce a presence
document that is delivered to the watcher which indicates that the
user is unavailable for communication. A reasonable document
would exclude device and person information elements, and include
only a single service whose basic status is set to closed [3].
This action has a value of two.
allow: This action tells the server to place the subscription into
the "accepted" state. Furthermore, it selects the default
composition policy as defined by [15]. This action has a value of
Rosenberg Expires August 22, 2005 [Page 7]
Internet-Draft Presence Authorization February 2005
three.
NOTE WELL: Placing a value of block for this element does not
guarantee that a subscription is denied! If any matching rule has
any other value for this element, the subscription will receive
treatment based on the maximum of those other values. This is
based on the combining rules defined in [12].
Future specifications can define additional values for this
permission, allowing for the selection of other composition policies.
The exact behavior of a presence server upon a change in the
sub-handling value can be described by utilizing the subscription
processing state machine in Figure 1 of RFC 3857 [10]. Each
subscription is associated with a set of permissions that represents
the combination of all permissions that apply to that subscription,
using the combining rules in [12].
If the sub-handling permission changes value to "block", this causes
a "rejected" event to be generated into the subscription state
machine for all affected subscriptions. This will cause the state
machine to move into the terminated state, resulting in the
transmission of a NOTIFY to the watcher with a Subscription-State
header field with value "terminated" and a reason of "rejected" [11],
which terminates their subscription. If a new subscription arrives
later on, and the value of sub-handling that applies to that
subscription is "block", the subscription processing follows the
"subscribe, policy=reject" branch from the init state, and a 403
response to the SUBSCRIBE is generated.
If the sub-handling permission changes value to confirm, the
processing depends on the states of the affected subscriptions.
Unfortunately, the state machine in RFC 3857 does not define an event
corresponding to an authorization decision of "pending". If the
subscription is in the active state, it moves back into the pending
state. This causes a NOTIFY to be sent, updating the
Subscription-State [11] to "pending". No reason is included in the
Subscription-State header field (none are defined to handle this
case). No further documents are sent to this watcher. There is no
change in state if the subscription is in the pending, waiting or
terminated states. If a new subscription arrives later on, and the
value of sub-handling that apples to that subscription is "pending",
the subscription processing follows the "subscribe, no policy" branch
from the init state, and a 202 response to the SUBSCRIBE is
generated, followed by a NOTIFY with Subscription-State of pending.
No presence document is included in that NOTIFY.
If the sub-handling permission changes value to "polite-block" or
Rosenberg Expires August 22, 2005 [Page 8]
Internet-Draft Presence Authorization February 2005
"allow", this causes an "approved" event to be generated into the
state machine for all affected subscriptions. This will cause the
machine to move into the active state if it is currently in pending,
resulting in the transmission of a NOTIFY with a Subscription-State
header field of "active", and the inclusion of a presence document in
that NOTIFY. If a new subscription arrives later on, and the value
of sub-handling that applies to that subscription is is
"polite-block" or "allow", the subscription processing follows the
"subscribe, policy=accept" branch from the init state, and a 200 OK
response to the SUBSCRIBE is generated, followed by a NOTIFY with
Subscription-State of "active" with a presence document in the body
of the NOTIFY.
3.3 Transformations
The transformations defined here are used to drive the behavior of
the privacy filtering operation described in [15]. Each
transformation defines the visibility a watcher is granted to a
particular component of the presence document. One group of
transformations grant visibility to person, device and service data
elements based on identifying information for those elements.
Another group of transformations provide access to particular data
elements in the presence document.
3.3.1 Providing Access to Data Component Elements
The transformations in this section provide access to person, device
and service data component elements. Once access has been granted to
such an element, access to specific presence attributes for that
element is controlled by the permissions defined in Section 3.3.2.
3.3.1.1 Device Information
The <provide-devices> permission allows a watcher to see <device>
information present in the presence document. It is a set variable.
Each member of the set provides a way to identify a device or group
of devices. This specification defines three types of elements in
the set - <class>, which identifies a device instance by class,
<device-id>, which identifies a device instance by device ID, and
<instance-id>, which identifies a device instance by instance ID.
Each member of the set is identified by its type (class, device-id or
instance-id) and value (value of the class, value of the device-id,
or value of the instance-id).
For example, consider the following <provide-devices> element:
<provide-devices>
Rosenberg Expires August 22, 2005 [Page 9]
Internet-Draft Presence Authorization February 2005
<device-id>urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6</device-id>
<class>biz</class>
</provide-devices>
This set has two members. This is combined with a <provide-devices>
element from a different rule:
<provide-devices>
<class>home</class>
<class>biz</class>
</provide-devices>
The result of the set combination (using the union operation) is a
set with four elements:
<provide-devices>
<class>home</class>
<class>biz</class>
<device-id>urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6</device-id>
</provide-devices>
The <provide-devices> element can also take on the special value
<all-devices> which is a short-hand notation for all device instances
present in the presence document.
Permission is granted to see a particular device instance if one of
the device identifiers in the set identifies that device instance.
If a <class> permission is granted to the watcher, and the <class> of
the device instance matches the value of the <class> permission
based on case sensitive equality, the device instance is included in
the presence document. If a <device-id> permission is granted to the
watcher, and the <device-id> of the device instance matches the value
of the <device-id> permission based on URI equivalence, the device
instance is included in the presence document. If a <instance-id>
permission is granted to the watcher, and the <instance-id> of the
device instance matches the value of the <instance-id> permission
based on case sensitive equality, the device instance is included in
the presence document. In addition, a device instance is included in
the presence document if the <all-devices> permission was granted to
the watcher.
3.3.1.2 Person Information
The <provide-persons> permission allows a watcher to see the <person>
information present in the presence document. It is a set variable.
Each member of the set provides a way to identify a person instance.
Rosenberg Expires August 22, 2005 [Page 10]
Internet-Draft Presence Authorization February 2005
This specification defines two types of elements in the set -
<class>, which identifies a person instance by class, and
<instance-id>, which identifies an instance by its instance ID. Each
member of the set is identified by its type (class or instance-id)
and value (value of the class or value of the instance-id). The
<provide-persons> element can also take on the special value
<all-devices> which is a short-hand notation for all person instances
present in the presence document. The set combination is done
identically to the <provide-person> element.
Permission is granted to see a particular person instance if one of
the person identifiers in the set identifies that person instance.
If a <class> permission is granted to the watcher, and the <class>
of the person instance matches the value of the <class> permission
based on case sensitive equality, the person instance is included in
the presence document. If a <instance-id> permission is granted to
the watcher, and the <instance-id> of the person instance matches
the value of the <instance-id> permission based on case sensitive
equality, the person instance is included in the presence document.
In addition, a service instance is included in the presence document
if the <all-persons> permission was granted to the watcher.
3.3.1.3 Service Information
The <provide-services> permission allows a watcher to see service
information present in <tuple> elements in the presence document.
Like <provide-devices>, it is a set variable. Each member of the set
provides a way to identify a service instance. This specification
defines four types of elements in the set - <class>, which identifies
a service instance by class, <instance-id>, which identifies a
service by its instance ID, <service-uri>, which identifies a service
by its service URI, and <service-uri-scheme>, which identifies a
service by its service URI scheme. Each member of the set is
identified by its type (class, instance-id, service-uri or
service-uri-scheme) and value (value of the class, value of the
instance-id, value of the service-uri or value of the
service-uri-scheme ). The <provide-services> element can also take
on the special value <all-services> which is a short-hand notation
for all service instances present in the presence document. The set
combination is done identically to the <provide-person> element.
Permission is granted to see a particular service instance if one of
the service identifiers in the set identifies that service instance.
If a <class> permission is granted to the watcher, and the <class>
of the service instance matches the value of the <class> permission
based on case sensitive equality, the service instance is included in
the presence document. If a <service-uri> permission is granted to
the watcher, and the <service-uri> of the service instance matches
Rosenberg Expires August 22, 2005 [Page 11]
Internet-Draft Presence Authorization February 2005
the value of the <service-uri> permission based on URI equivalence,
the service instance is included in the presence document. If a
<instance-id> permission is granted to the watcher, and the
<instance-id> of the service instance matches the value of the
<instance-id> permission based on case sensitive equality, the
service instance is included in the presence document. If a
<service-uri-scheme> permission is granted to the watcher, and the
scheme of the service URI for the service instance matches the value
of <service-uri-scheme> based on case sensitive equality, the service
instance is included in the presence document. In addition, a
service instance is included in the presence document if the
<all-services> permission was granted to the watcher.
3.3.2 Providing Access to Presence Attributes
The permissions of Section 3.3.1 provide coarse grained access to
presence data by allowing or blocking specific services or devices,
and allowing or blocking person information.
Once person, device or service information is included in the
document, the permissions in this section define which presence
attributes are reported there. Certain information is always
reported. In particular, the <contact>, <service-class> [13],
<basic> status and <timestamp> elements in all <tuple> elements, if
present, are provided to watchers . The <timestamp> element in all
<person> elements, if present, is provided to watchers. The
<timestampt> and <device-id> elements in all <device> elements, if
present, is provided to all watchers. Note, however, that the
<contact> and <device-id> element values are obfuscated by default,
unless permission is granted to see their actual value using the
<component-id> permission.
3.3.2.1 Provide Activities
This permission controls access to the <activities> element defined
in [13]. The name of the element providing this permission is
<provide-activities>, and it is a boolean type. If its value is
TRUE, then the <activities> element in the person data element is
reported to the watcher. If FALSE, this presence attribute is
removed if present.
3.3.2.2 Provide Class
This permission controls access to the <class> element defined in
[13]. The name of the element providing this permission is
<provide-class>, and it is a boolean type. If its value is TRUE,
then the <class> element in the person, service or device data
element is reported to the watcher. If FALSE, this presence
Rosenberg Expires August 22, 2005 [Page 12]
Internet-Draft Presence Authorization February 2005
attribute is removed if present.
3.3.2.3 Provide Device ID
This permission controls access to the <device-id> element defined in
[13]. The name of the element providing this permission is
<provide-device-id>, and it is a boolean type. If its value is TRUE,
then the <device-id> element in the service data element is reported
to the watcher. If FALSE, this presence attribute is removed if
present.
3.3.2.4 Provide Mood
This permission controls access to the <mood> element defined in
[13]. The name of the element providing this permission is
<provide-mood>, and it is a boolean type. If its value is TRUE, then
the <mood> element in the person data element is reported to the
watcher. If FALSE, this presence attribute is removed if present.
3.3.2.5 Provide Place-is
This permission controls access to the <place-is> element defined in
[13]. The name of the element providing this permission is
<provide-place-is>, and it is a boolean type. If its value is TRUE,
then the <place-is> element in the person data element is reported to
the watcher. If FALSE, this presence attribute is removed if
present.
3.3.2.6 Provide Place-type
This permission controls access to the <place-type> element defined
in [13]. The name of the element providing this permission is
<provide-place-type>, and it is a boolean type. If its value is
TRUE, then the <place-type> element in the person data element is
reported to the watcher. If FALSE, this presence attribute is
removed if present.
3.3.2.7 Provide Privacy
This permission controls access to the <privacy> element defined in
[13]. The name of the element providing this permission is
<provide-privacy>, and it is a boolean type. If its value is TRUE,
then the <privacy> element in the service data element is reported to
the watcher. If FALSE, this presence attribute is removed if
present.
Rosenberg Expires August 22, 2005 [Page 13]
Internet-Draft Presence Authorization February 2005
3.3.2.8 Provide Relationship
This permission controls access to the <relationship> element defined
in [13]. The name of the element providing this permission is
<provide-relationship>, and it is a boolean type. If its value is
TRUE, then the <relationship> element in the service data element is
reported to the watcher. If FALSE, this presence attribute is
removed if present.
3.3.2.9 Provide Sphere
This permission controls access to the <sphere> element defined in
[13]. The name of the element providing this permission is
<provide-sphere>, and it is a boolean type. If its value is TRUE,
then the <sphere> element in the person data element is reported to
the watcher. If FALSE, this presence attribute is removed if
present.
3.3.2.10 Provide Status-Icon
This permission controls access to the <status-icon> element defined
in [13]. The name of the element providing this permission is
<provide-status-icon>, and it is a boolean type. If its value is
TRUE, then any <status-icon> element in the person or service data
element is reported to the watcher. If FALSE, this presence
attribute is removed if present.
3.3.2.11 Provide Time-Offset
This permission controls access to the <time-offset> element defined
in [13]. The name of the element providing this permission is
<provide-time-offset>, and it is a boolean type. If its value is
TRUE, then the <time-offset> element in the person data element is
reported to the watcher. If FALSE, this presence attribute is
removed if present.
3.3.2.12 Provide User-Input
This permission controls access to the <user-input> element defined
in [13]. The name of the element providing this permission is
<provide-user-input>, and it is an enumerated integer type. Its
value defines what information is provided to watchers:
false: This value indicates that the <user-input> element is removed
from the document. It is assigned the numeric value of 0.
Rosenberg Expires August 22, 2005 [Page 14]
Internet-Draft Presence Authorization February 2005
bare: This value indicates that the <user-input> element is to be
retained. However, any "idle-threshold" and "since" attributes
are to be removed. This value is assigned the numeric value of 1.
thresholds: This value indicates that the <user-input> element is to
be retained. However, only the "idle-threshold" attribute is to
be retained. This value is assigned to the numeric value of 2.
full: This value indicates that the <user-input> element is to be
retained, including any attributes. This value is assigned to the
numeric value of 3.
3.3.2.13 Provide Note
This permission controls access to the <note> element defined in [3]
for <tuple> and [15] for <person> and <device>. The name of the
element providing this permission is <provide-note>, and it is a
boolean type. If its value is TRUE, then the <note> elements in the
person, service or device data elements are reported to the watcher.
If FALSE, this presence attribute is removed if present.
3.3.2.14 Component ID
The service and device components both include identifiers (the
<contact> and <device-id> elements, respectively), which can reveal
information to a watcher about the presentity. However, these
identifiers must be present in the document in order for it to be
meaningful. As a result, the <component-ID> permission defines
transformations that can be applied to these identifiers (both of
which are URI). It is an enumerated integer type. Its values are:
randomize: This instructs the presence server to randomize the
service URI and device ID, such that its value is different in
each notification sent to a watcher, and each value is chosen with
a minimum of 128 bits of randomness. The precise mechanism for
this randomization is a matter of implementation. The service URI
MUST still be usable for reaching that particular service,
however. The value of this permission is assigned a numeric value
of 0.
obfuscate: This instructs the presence server to apply a static
transformation to the service URI and device ID, such that the
actual value is never revealed to the watcher. However, since the
transformation is done through a static function, the value seen
by the watcher remains unchanged as long as the URI remains
unchanged. The service URI MUST still be usable for reaching that
particular service, however. The value of this permission is
Rosenberg Expires August 22, 2005 [Page 15]
Internet-Draft Presence Authorization February 2005
assigned a numeric value of 1.
allow: This instructs the presence server to provide the service URI
and device ID to the watcher without modification for the purposes
of privacy. The value of this permission is assigned a numeric
value of 2.
3.3.2.15 Provide Unknown Attribute
It is important that systems be allowed to include proprietary or new
presence information, and that users be able to set permissions for
that information, without requiring an upgrade of the presence server
and authorization system. For this reason, the
<provide-unknown-attribute> permission is defined. This permission
indicates that the unknown presence attribute with the given name
(supplied as mandatory attribute of the <provide-unknown-attribute>
element) should be included in the document. Its type is boolean.
The value of the name attribute MUST be a qualified element name
(meaning that the namespace prefix MUST be included), which will be
matched to all unknown child elements of the PIDF <tuple>, <device>
or <person< elements with the same qualified name. The namespace
bindings are taken from those in scope at the point in the document
where the <provide-unknown-attribute> is present. In this context,
"unknown" means that the presence server is not aware of any schemas
that define authorization policies for that element. By definition,
this will exclude the <provide-unknown-attribute> rule from being
applied to any of the presence status extensions defined by RPID.
Another consequence of this definition is that the interpretation of
the <provide-unknown-attribute> element can change should the
presence server be upgraded with a new schema that defines
authorization rules for elements included in a
<provide-unknown-attribute>. The <provide-unknown-attribute>
permissions for those elements will then be ignored, resulting in a
removal of those elements from presence documents sent to watchers.
The system remains privacy safe, but behavior might not be as
expected. Developers of systems which allow clients to set policies
are advised to check the capabilities of the server, as defined in
[20], before uploading a new authorization document, to make sure
that the behavior will be as expected.
3.3.2.16 Provide All Attributes
This permission grants access to all presence attributes in all of
the person, device and tuple elements that are present in the
document. It is effectively a macro that expands into a set of
Rosenberg Expires August 22, 2005 [Page 16]
Internet-Draft Presence Authorization February 2005
provide-activities, provide-class, provide-device-id, provide-mood,
provide-place-is, provide-place-type, provide-privacy,
provide-relationship, provide-sphere, provide-status-icon,
provide-time-offset, provide-user-input, provide-note and
provide-unknown-attribute permissions such that each presence
attribute in the document has a permission for it, and also includes
the component-id permission with a value of "allow".
4. When to Apply the Authorization Policies
This specification does not mandate at what point in the processing
of presence data the privacy filtering aspects of the authorization
policy are applied. However, they must be applied such that the
final presence document sent to the watcher is compliant to the
privacy policy described in the document. More concretely, if the
document sent to a watcher is D, and the privacy filtering operation
applied do a presence document x is F(x), then D MUST have the
property that D = F(D). A corollary of this is that F(F(D)) = D for
all D.
The subscription processing aspects of the document get applied by
the server when it decides to accept or reject the subscription.
5. Example Document
The following presence authorization document specifies permissions
for the user "user@example.com".
Rosenberg Expires August 22, 2005 [Page 17]
Internet-Draft Presence Authorization February 2005
<?xml version="1.0" encoding="UTF-8"?>
<cr:ruleset xmlns="urn:ietf:params:xml:ns:pres-rules"
xmlns:cr="urn:ietf:params:xml:ns:common-policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:ns:pres-rules pres-rules.xsd">
<cr:rule id="1">
<cr:conditions>
<cr:identity>
<cr:id>user@example.com</cr:id>
</cr:identity>
</cr:conditions>
<cr:actions>
<sub-handling>allow</sub-handling>
</cr:actions>
<cr:transformations>
<provide-services>
<service-uri-scheme>sip</service-uri-scheme>
<service-uri-scheme>mailto</service-uri-scheme>
</provide-services>
<provide-person>
<all-persons/>
</provide-person>
<provide-activities>true</provide-activities>
<provide-user-input>bare</provide-user-input>
<provide-unknown-attribute name="foo">true</provide-unknown-attribute>
</cr:transformations>
</cr:rule>
</cr:ruleset>
6. XML Schema
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:ietf:params:xml:ns:pres-rules"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:cr="urn:ietf:params:xml:ns:common-policy"
xmlns:pr="urn:ietf:params:xml:ns:pres-rules"
elementFormDefault="qualified" attributeFormDefault="unqualified">
<xs:import namespace="urn:ietf:params:xml:ns:common-policy"
schemaLocation="common-policy.xsd"/>
<xs:simpleType name="booleanPermission">
<xs:restriction base="xs:boolean"/>
</xs:simpleType>
<xs:element name="service-uri-scheme" type="xs:token"/>
Rosenberg Expires August 22, 2005 [Page 18]
Internet-Draft Presence Authorization February 2005
<xs:element name="class" type="xs:token"/>
<xs:element name="instance-id" type="xs:token"/>
<xs:element name="service-uri" type="xs:anyURI"/>
<xs:complexType name="provideServicePermission">
<xs:choice>
<xs:element name="all-services">
<xs:complexType/>
</xs:element>
<xs:sequence minOccurs="0" maxOccurs="unbounded">
<xs:choice>
<xs:element ref="pr:service-uri"/>
<xs:element ref="pr:service-uri-scheme"/>
<xs:element ref="pr:instance-id"/>
<xs:element ref="pr:class"/>
<xs:any namespace="##other"/>
</xs:choice>
</xs:sequence>
</xs:choice>
</xs:complexType>
<xs:element name="provide-services" type="pr:provideServicePermission"
substitutionGroup="cr:transformation"/>
<xs:element name="device-id" type="xs:anyURI"/>
<xs:complexType name="provideDevicePermission">
<xs:choice>
<xs:element name="all-devices">
<xs:complexType/>
</xs:element>
<xs:sequence>
<xs:choice>
<xs:element ref="pr:device-id"/>
<xs:element ref="pr:instance-id"/>
<xs:element ref="pr:class"/>
<xs:any namespace="##other"/>
</xs:choice>
</xs:sequence>
</xs:choice>
</xs:complexType>
<xs:element name="provide-devices" type="pr:provideDevicePermission"
substitutionGroup="cr:transformation"/>
<xs:complexType name="providePersonPermission">
<xs:choice>
<xs:element name="all-persons">
<xs:complexType/>
</xs:element>
<xs:sequence>
<xs:choice>
<xs:element ref="pr:instance-id"/>
<xs:element ref="pr:class"/>
Rosenberg Expires August 22, 2005 [Page 19]
Internet-Draft Presence Authorization February 2005
<xs:any namespace="##other"/>
</xs:choice>
</xs:sequence>
</xs:choice>
</xs:complexType>
<xs:element name="provide-person" type="pr:providePersonPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-activities" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-class" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-device-id" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-mood" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-place-is" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-place-type" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-privacy" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-relationship" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-status-icon" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-sphere" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-time-offset" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-user-input" substitutionGroup="cr:transformation">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="false"/>
<xs:enumeration value="bare"/>
<xs:enumeration value="thresholds"/>
<xs:enumeration value="full"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="provide-note" type="pr:booleanPermission"
substitutionGroup="cr:transformation"/>
<xs:simpleType name="componentIDPermission">
<xs:restriction base="xs:token">
<xs:enumeration value="randomize"/>
<xs:enumeration value="obfuscate"/>
<xs:enumeration value="allow"/>
</xs:restriction>
</xs:simpleType>
Rosenberg Expires August 22, 2005 [Page 20]
Internet-Draft Presence Authorization February 2005
<xs:element name="component-id" type="pr:componentIDPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="sub-handling" substitutionGroup="cr:action">
<xs:simpleType>
<xs:restriction base="xs:token">
<xs:enumeration value="block"/>
<xs:enumeration value="confirm"/>
<xs:enumeration value="polite-block"/>
<xs:enumeration value="allow"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:complexType name="unknownBooleanPermission">
<xs:simpleContent>
<xs:extension base="pr:booleanPermission">
<xs:attribute name="name" type="xs:string" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:element name="provide-unknown-attribute"
type="pr:unknownBooleanPermission"
substitutionGroup="cr:transformation"/>
<xs:element name="provide-all-attributes">
<xs:complexType/>
</xs:element>
</xs:schema>
7. Schema Extensibility
It is anticipated that future changes to this specification are
accomplished through extensions that define new types of permissions.
These extensions MUST exist within a different namespace.
Furthermore, the schema defined above and the namespace for elements
defined within it MUST NOT be altered by future specifications.
Changes in the basic schema, or in the interpretation of elements
within that schema, may result in violations of user privacy due to
mis-interpretation of documents.
This specification also defines two substitution groups. One is for
service identifiers, and one is for device identifiers. It is
expected that future extensions will specify new ways of identifying
services and devices for inclusion in a document. These new
permissions MUST be assigned to this substitution group.
Rosenberg Expires August 22, 2005 [Page 21]
Internet-Draft Presence Authorization February 2005
8. XCAP Usage
The following section defines the details necessary for clients to
manipulate presence authorization documents from a server using XCAP.
8.1 Application Unique ID
XCAP requires application usages to define a unique application usage
ID (AUID) in either the IETF tree or a vendor tree. This
specification defines the "pres-rules" AUID within the IETF tree, via
the IANA registration in Section 10.
8.2 Structure of Permission Statements
The structure of permission statements is defined in Section 3.
8.3 Additional Constraints
There are no additional constraints defined by this specification.
8.4 Naming Conventions
When a presence agent receives a subscription for some user foo
within a domain, it will look for all documents within http://[xcap
root]/ pres-rules/users/foo, and use all documents found beneath that
point to guide authorization policy.
8.5 Authorization Policies
This application usage does not modify the default XCAP authorization
policy, which is that only a user can read, write or modify their own
documents. A server can allow priveleged users to modify documents
that they don't own, but the establishment and indication of such
policies is outside the scope of this document.
8.6 XML Schema
The XML schema is defined in Section 6.
9. Security Considerations
Presence authorization policies contain very sensitive information.
They indicate which other users are "liked" or "disliked" by a user.
As such, when these documents are transported over a network, they
SHOULD be encrypted.
Modification of these documents by an attacker can disrupt the
service seen by a user, often in subtle ways. As a result, when
Rosenberg Expires August 22, 2005 [Page 22]
Internet-Draft Presence Authorization February 2005
these documents are transported, the transport SHOULD provide
authenticity and message integrity.
In the case where XCAP is used to transfer the document, clients
SHOULD use HTTP over TLS, and servers SHOULD define the root services
URI as an https URI. The server SHOULD authenticate the client over
the resulting TLS connection using HTTP digest.
10. IANA Considerations
There are several IANA considerations associated with this
specification.
10.1 XCAP Application Usage ID
This section registers an XCAP Application Usage ID (AUID) according
to the IANA procedures defined in [2].
Name of the AUID: pres-rules
Description: Presence rules are documents that describe the
permissions that a presentity [18] has granted to users that seek
to watch their presence.
10.2 URN Sub-Namespace Registration
This section registers a new XML namespace, per the guidelines in
[16]
URI: The URI for this namespace is
urn:ietf:params:xml:ns:pres-rules.
Registrant Contact: IETF, SIMPLE working group, (simple@ietf.org),
Jonathan Rosenberg (jdrosen@jdrosen.net).
XML:
Rosenberg Expires August 22, 2005 [Page 23]
Internet-Draft Presence Authorization February 2005
BEGIN
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
"http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type"
content="text/html;charset=iso-8859-1"/>
<title>Presence Rules Namespace</title>
</head>
<body>
<h1>Namespace for Permission Statements</h1>
<h2>urn:ietf:params:xml:ns:pres-rules</h2>
<p>See <a href="[[[URL of published RFC]]]">RFCXXXX</a>.</p>
</body>
</html>
END
10.3 XML Schema Registrations
This section registers an XML schema per the procedures in [16].
URI: urn:ietf:params:xml:schema:pres-rules.
Registrant Contact: IETF, SIMPLE working group, (simple@ietf.org),
Jonathan Rosenberg (jdrosen@jdrosen.net).
The XML for this schema can be found as the sole content of
Section 6.
11. References
11.1 Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Rosenberg, J., "The Extensible Markup Language (XML)
Configuration Access Protocol (XCAP)",
draft-ietf-simple-xcap-06 (work in progress), February 2005.
[3] Sugano, H., Fujimoto, S., Klyne, G., Bateman, A., Carr, W. and
J. Peterson, "Presence Information Data Format (PIDF)", RFC
3863, August 2004.
[4] Bray, T., Paoli, J., Sperberg-McQueen, C. and E. Maler,
Rosenberg Expires August 22, 2005 [Page 24]
Internet-Draft Presence Authorization February 2005
"Extensible Markup Language (XML) 1.0 (Second Edition)", W3C
FirstEdition REC-xml-20001006, October 2000.
[5] Moats, R., "URN Syntax", RFC 2141, May 1997.
[6] Murata, M., St. Laurent, S. and D. Kohn, "XML Media Types", RFC
3023, January 2001.
[7] Moats, R., "A URN Namespace for IETF Documents", RFC 2648,
August 1999.
[8] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
Leach, P., Luotonen, A. and L. Stewart, "HTTP Authentication:
Basic and Digest Access Authentication", RFC 2617, June 1999.
[9] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002.
[10] Rosenberg, J., "A Watcher Information Event Template-Package
for the Session Initiation Protocol (SIP)", RFC 3857, August
2004.
[11] Roach, A., "Session Initiation Protocol (SIP)-Specific Event
Notification", RFC 3265, June 2002.
[12] Schulzrinne, H., "A Document Format for Expressing Privacy
Preferences", draft-ietf-geopriv-common-policy-03 (work in
progress), October 2004.
[13] Schulzrinne, H., Gurbani, V., Kyzivat, P. and J. Rosenberg,
"RPID: Rich Presence: Extensions to the Presence Information
Data Format (PIDF)", draft-ietf-simple-rpid-04 (work in
progress), October 2004.
[14] Peterson, J., "Enhancements for Authenticated Identity
Management in the Session Initiation Protocol (SIP)",
draft-ietf-sip-identity-04 (work in progress), February 2005.
[15] Rosenberg, J., "A Data Model for Presence",
draft-ietf-simple-presence-data-model-01 (work in progress),
October 2004.
[16] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
January 2004.
[17] Peterson, J., "A Privacy Mechanism for the Session Initiation
Protocol (SIP)", RFC 3323, November 2002.
Rosenberg Expires August 22, 2005 [Page 25]
Internet-Draft Presence Authorization February 2005
11.2 Informative References
[18] Day, M., Rosenberg, J. and H. Sugano, "A Model for Presence and
Instant Messaging", RFC 2778, February 2000.
[19] Day, M., Aggarwal, S., Mohr, G. and J. Vincent, "Instant
Messaging / Presence Protocol Requirements", RFC 2779, February
2000.
[20] Rosenberg, J., "An Extensible Markup Language (XML)
Representation for Expressing Presence Policy Capabilities",
draft-rosenberg-simple-pres-policy-caps-01 (work in progress),
July 2004.
[21] Rosenberg, J., "A Presence Event Package for the Session
Initiation Protocol (SIP)", RFC 3856, August 2004.
[22] Jennings, C., Peterson, J. and M. Watson, "Private Extensions
to the Session Initiation Protocol (SIP) for Asserted Identity
within Trusted Networks", RFC 3325, November 2002.
Author's Address
Jonathan Rosenberg
Cisco Systems
600 Lanidex Plaza
Parsippany, NJ 07054
US
Phone: +1 973 952-5000
EMail: jdrosen@cisco.com
URI: http://www.jdrosen.net
Rosenberg Expires August 22, 2005 [Page 26]
Internet-Draft Presence Authorization February 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Rosenberg Expires August 22, 2005 [Page 27]
