SIMPLE J. Rosenberg Internet-Draft Cisco Systems Expires: August 22, 2005 February 21, 2005 Presence Authorization Rules draft-ietf-simple-presence-rules-02 Status of this Memo This document is an Internet-Draft and is subject to all provisions of section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 22, 2005. Copyright Notice Copyright (C) The Internet Society (2005). Abstract Authorization is a key function in presence systems. Authorization policies, also known as authorization rules, specify what presence information can be given to which watchers, and when. This specification defines an Extensible Markup Language (XML) document format for expressing presence authorization rules. Such a document can be manipulated by clients using the XML Configuration Access Protocol (XCAP), although other techniques are permitted. Rosenberg Expires August 22, 2005 [Page 1] Internet-Draft Presence Authorization February 2005 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Structure of Permission Statements . . . . . . . . . . . . . 5 3.1 Conditions . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1.1 Identity . . . . . . . . . . . . . . . . . . . . . . . 5 3.1.2 Anonymous . . . . . . . . . . . . . . . . . . . . . . 6 3.1.3 Sphere . . . . . . . . . . . . . . . . . . . . . . . . 6 3.2 Actions . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2.1 Subscription Handling . . . . . . . . . . . . . . . . 7 3.3 Transformations . . . . . . . . . . . . . . . . . . . . . 9 3.3.1 Providing Access to Data Component Elements . . . . . 9 3.3.1.1 Device Information . . . . . . . . . . . . . . . . 9 3.3.1.2 Person Information . . . . . . . . . . . . . . . . 10 3.3.1.3 Service Information . . . . . . . . . . . . . . . 11 3.3.2 Providing Access to Presence Attributes . . . . . . . 12 3.3.2.1 Provide Activities . . . . . . . . . . . . . . . . 12 3.3.2.2 Provide Class . . . . . . . . . . . . . . . . . . 12 3.3.2.3 Provide Device ID . . . . . . . . . . . . . . . . 13 3.3.2.4 Provide Mood . . . . . . . . . . . . . . . . . . . 13 3.3.2.5 Provide Place-is . . . . . . . . . . . . . . . . . 13 3.3.2.6 Provide Place-type . . . . . . . . . . . . . . . . 13 3.3.2.7 Provide Privacy . . . . . . . . . . . . . . . . . 13 3.3.2.8 Provide Relationship . . . . . . . . . . . . . . . 14 3.3.2.9 Provide Sphere . . . . . . . . . . . . . . . . . . 14 3.3.2.10 Provide Status-Icon . . . . . . . . . . . . . . 14 3.3.2.11 Provide Time-Offset . . . . . . . . . . . . . . 14 3.3.2.12 Provide User-Input . . . . . . . . . . . . . . . 14 3.3.2.13 Provide Note . . . . . . . . . . . . . . . . . . 15 3.3.2.14 Component ID . . . . . . . . . . . . . . . . . . 15 3.3.2.15 Provide Unknown Attribute . . . . . . . . . . . 16 3.3.2.16 Provide All Attributes . . . . . . . . . . . . . 16 4. When to Apply the Authorization Policies . . . . . . . . . . 17 5. Example Document . . . . . . . . . . . . . . . . . . . . . . 17 6. XML Schema . . . . . . . . . . . . . . . . . . . . . . . . . 18 7. Schema Extensibility . . . . . . . . . . . . . . . . . . . . 21 8. XCAP Usage . . . . . . . . . . . . . . . . . . . . . . . . . 22 8.1 Application Unique ID . . . . . . . . . . . . . . . . . . 22 8.2 Structure of Permission Statements . . . . . . . . . . . . 22 8.3 Additional Constraints . . . . . . . . . . . . . . . . . . 22 8.4 Naming Conventions . . . . . . . . . . . . . . . . . . . . 22 8.5 Authorization Policies . . . . . . . . . . . . . . . . . . 22 8.6 XML Schema . . . . . . . . . . . . . . . . . . . . . . . . 22 9. Security Considerations . . . . . . . . . . . . . . . . . . 22 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . 23 10.1 XCAP Application Usage ID . . . . . . . . . . . . . . . 23 10.2 URN Sub-Namespace Registration . . . . . . . . . . . . . 23 Rosenberg Expires August 22, 2005 [Page 2] Internet-Draft Presence Authorization February 2005 10.3 XML Schema Registrations . . . . . . . . . . . . . . . . 24 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 11.1 Normative References . . . . . . . . . . . . . . . . . . . 24 11.2 Informative References . . . . . . . . . . . . . . . . . . 26 Author's Address . . . . . . . . . . . . . . . . . . . . . . 26 Intellectual Property and Copyright Statements . . . . . . . 27 Rosenberg Expires August 22, 2005 [Page 3] Internet-Draft Presence Authorization February 2005 1. Introduction The Session Initiation Protocol (SIP) for Instant Messaging and Presence (SIMPLE) specifications allow a user, called a watcher, to subscribe to another user, called a presentity [18], in order to learn their presence information [21]. This subscription is handed by a presence agent. The logical processing of the presence agent is described in the presence data model [15]. In that model, the subscription authorization decision, the selection of the composition policy, and the governance of privacy filtering are all described by a presence authorization document. This specification defines a format for such a document. Typically, a user will place a multiplicity of authorization documents on a server, each one applying in certain situations. In addition to the user, the service provider may have its own authorization policies which apply in other situations. These documents are combined together to produce a single authorization policy which guides presence server processing. [12] specifies a framework for representing authorization policies, and is applicable to systems such as geo-location and presence. In that framework, an authorization document is a sequence of rules. Each rule contains conditions, actions, and transformations. The conditions specify under what conditions the rule is to be applied to presence server processing. The actions element tells the server what actions to take. In the context of the data model, these actions include the subscription authorization decision and the selection of the composition policy. The transformations element indicates how the presence data is to be manipulated before being presented to that watcher, and serves as the guide for the privacy filtering operation. [12] identifies a small number of specific conditions, actions and permissions common to presence and location services, and leaves it to other specifications, such as this one, to fill in usage specific details. These documents can be manipulated by clients using several means. One such mechanism is the XML Configuration Access Protocol (XCAP) [2]. This specification defines the details necessary for using XCAP to manage presence authorization documents. 2. Terminology In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in RFC 2119 [1] and indicate requirement levels for compliant implementations. Rosenberg Expires August 22, 2005 [Page 4] Internet-Draft Presence Authorization February 2005 3. Structure of Permission Statements A permission statement is an XML document, formatted according to the schema defined in [12]. Permission statement documents inherit the MIME type of common policy documents, application/auth-policy+xml. As described in [12], this document is composed of three parts - conditions, actions, and transformations. Each action or transformation, which is also called a permission, has the property of being a positive grant of information to the watcher. As a result, there is a well-defined mechanism for combining actions and transformations obtained from several sources. This mechanism is privacy safe, since the lack of any action or transformation can only result in less information being presented to a watcher. This section defines the new conditions, actions and transformations defined by this specification. 3.1 Conditions 3.1.1 Identity Although the element is defined in [12], that specification indicates that the interpretation of the element depends on the specific protocol in use and its authentication mechanisms. This sub-section defines that interpretation for systems based on [21]. For requests that are authenticated using SIP [9] digest authentication [8], the identity used for comparisons to the , and fields is set equal to the user and domain part of the SIP Address of Record (AOR) for the user that has authenticated themselves. For example, consider the following "user record": SIP AOR: sip:alice@example.com digest username: ali digest password: f779ajvvh8a6s6 digest realm: example.com If the presence server receives a SUBSCRIBE request, challenges it with the realm set to "example.com", and the subsequent SUBSCRIBE contains an Authorization header field with a username of "ali" and a digest response generated with the password "f779ajvvh8a6s6", the identity used in matching operations is "sip:alice@example.com". For requests that are authenticated using RFC 3325 [22], the username and domain part of the URI are matched against the user and host Rosenberg Expires August 22, 2005 [Page 5] Internet-Draft Presence Authorization February 2005 parts of the SIP URI in the P-Asserted-Identity header field. For requests that are authenticated using the SIP Identity mechanism [14], the username and domain part of the URI are matched against the user and host parts of the URI in the From header field of the request, assuming that the signature in the Identity header field has been validated. In SIP systems, it is possible for a user to have aliases - that is, there are multiple SIP AOR "assigned" to a single user. In terms of this specification, there is no relationship between those aliases. Each would look like a different user. This will be the consequence for systems were the watcher is in a different domain than the presentity. However, even if the watcher and presentity are in the same domain, and the presence server knows that there are aliases for the watcher, these aliases are not mapped to each other or used in any way. 3.1.2 Anonymous The element is defined in [12]. However, it is necessary to explicitly define how an identity is considered to be anonymous for a particular using protocol, such as SIP. The request is considered anonymous if it was authenticated by the presence server using the username defined in RFC 3261, if the asserted identity [22] has a URI in the "anonymous.invalid" domain [17], or if the From field has a username of anonymous within some domain, and the Identity header field is present with a valid signature provided by that domain [14]. 3.1.3 Sphere The element is defined in [12]. However, each application making use of the common policy specification needs to determine how the presence server computes the value of the sphere to be used in the evaluation of the condition. To compute the value of , the default composition policy is applied for the presentity [15]. The result will be a raw presence document with a single element, possibly containing a element, which is defined in the Rich Presence Information Data Format [13]. If the is present, that value is used in the evaluation of the condition. If the element is not present in the presence document, the value is set to undefined. Care must be taken in using as a condition for determining the subscription handling. Since the value of changes dynamically, a state change can cause a subscription to be suddenly Rosenberg Expires August 22, 2005 [Page 6] Internet-Draft Presence Authorization February 2005 terminated. The watcher has no way to know, aside from polling, when their subscription would be re-instated as the value of changes. For this reason, is primarily useful for matching on rules that define transformations. 3.2 Actions 3.2.1 Subscription Handling The element specifies the subscription authorization decision that the server should make. It also specifies whether or not the presence document for the watcher should be constructed using "polite blocking" or not. Usage of polite blocking and the subscription authorization decision are specified jointly since proper privacy handling requires a correlation between them. As discussed in [12], since the combination algorithm runs independently for each permission, if correlations exist between permissions, they must be merged into a single variable. That is what is done here. The element is an enumerated Integer type. The defined values are: block: This action tells the server to place the subscription in the rejected state. It has the value of zero, and it represents the default value. No value of the sub-handling element can ever be lower than this. Strictly speaking, it is not necessary to every include an explicit block action, since the default in the absence of any action will be block. However, it is included for completeness. confirm: This action tells the server to place the subscription in the "pending" state, and await input from the presentity to determine how to proceed. It has a value of one. polite-block: This action tells the server to place the subscription into the "accepted" state. Furthermore, it selects the composition policy, and sets it to support a polite blocking operation. The specific composition policy to accomplish these goals is at the discretion of the service provider. In all cases, the result of the composition policy SHOULD produce a presence document that is delivered to the watcher which indicates that the user is unavailable for communication. A reasonable document would exclude device and person information elements, and include only a single service whose basic status is set to closed [3]. This action has a value of two. allow: This action tells the server to place the subscription into the "accepted" state. Furthermore, it selects the default composition policy as defined by [15]. This action has a value of Rosenberg Expires August 22, 2005 [Page 7] Internet-Draft Presence Authorization February 2005 three. NOTE WELL: Placing a value of block for this element does not guarantee that a subscription is denied! If any matching rule has any other value for this element, the subscription will receive treatment based on the maximum of those other values. This is based on the combining rules defined in [12]. Future specifications can define additional values for this permission, allowing for the selection of other composition policies. The exact behavior of a presence server upon a change in the sub-handling value can be described by utilizing the subscription processing state machine in Figure 1 of RFC 3857 [10]. Each subscription is associated with a set of permissions that represents the combination of all permissions that apply to that subscription, using the combining rules in [12]. If the sub-handling permission changes value to "block", this causes a "rejected" event to be generated into the subscription state machine for all affected subscriptions. This will cause the state machine to move into the terminated state, resulting in the transmission of a NOTIFY to the watcher with a Subscription-State header field with value "terminated" and a reason of "rejected" [11], which terminates their subscription. If a new subscription arrives later on, and the value of sub-handling that applies to that subscription is "block", the subscription processing follows the "subscribe, policy=reject" branch from the init state, and a 403 response to the SUBSCRIBE is generated. If the sub-handling permission changes value to confirm, the processing depends on the states of the affected subscriptions. Unfortunately, the state machine in RFC 3857 does not define an event corresponding to an authorization decision of "pending". If the subscription is in the active state, it moves back into the pending state. This causes a NOTIFY to be sent, updating the Subscription-State [11] to "pending". No reason is included in the Subscription-State header field (none are defined to handle this case). No further documents are sent to this watcher. There is no change in state if the subscription is in the pending, waiting or terminated states. If a new subscription arrives later on, and the value of sub-handling that apples to that subscription is "pending", the subscription processing follows the "subscribe, no policy" branch from the init state, and a 202 response to the SUBSCRIBE is generated, followed by a NOTIFY with Subscription-State of pending. No presence document is included in that NOTIFY. If the sub-handling permission changes value to "polite-block" or Rosenberg Expires August 22, 2005 [Page 8] Internet-Draft Presence Authorization February 2005 "allow", this causes an "approved" event to be generated into the state machine for all affected subscriptions. This will cause the machine to move into the active state if it is currently in pending, resulting in the transmission of a NOTIFY with a Subscription-State header field of "active", and the inclusion of a presence document in that NOTIFY. If a new subscription arrives later on, and the value of sub-handling that applies to that subscription is is "polite-block" or "allow", the subscription processing follows the "subscribe, policy=accept" branch from the init state, and a 200 OK response to the SUBSCRIBE is generated, followed by a NOTIFY with Subscription-State of "active" with a presence document in the body of the NOTIFY. 3.3 Transformations The transformations defined here are used to drive the behavior of the privacy filtering operation described in [15]. Each transformation defines the visibility a watcher is granted to a particular component of the presence document. One group of transformations grant visibility to person, device and service data elements based on identifying information for those elements. Another group of transformations provide access to particular data elements in the presence document. 3.3.1 Providing Access to Data Component Elements The transformations in this section provide access to person, device and service data component elements. Once access has been granted to such an element, access to specific presence attributes for that element is controlled by the permissions defined in Section 3.3.2. 3.3.1.1 Device Information The permission allows a watcher to see information present in the presence document. It is a set variable. Each member of the set provides a way to identify a device or group of devices. This specification defines three types of elements in the set - , which identifies a device instance by class, , which identifies a device instance by device ID, and , which identifies a device instance by instance ID. Each member of the set is identified by its type (class, device-id or instance-id) and value (value of the class, value of the device-id, or value of the instance-id). For example, consider the following element: Rosenberg Expires August 22, 2005 [Page 9] Internet-Draft Presence Authorization February 2005 urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6 biz This set has two members. This is combined with a element from a different rule: home biz The result of the set combination (using the union operation) is a set with four elements: home biz urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6 The element can also take on the special value which is a short-hand notation for all device instances present in the presence document. Permission is granted to see a particular device instance if one of the device identifiers in the set identifies that device instance. If a permission is granted to the watcher, and the of the device instance matches the value of the permission is granted to the watcher, and the of the device instance matches the value of the permission based on URI equivalence, the device instance is included in the presence document. If a permission is granted to the watcher, and the of the device instance matches the value of the permission based on case sensitive equality, the device instance is included in the presence document. In addition, a device instance is included in the presence document if the permission was granted to the watcher. 3.3.1.2 Person Information The permission allows a watcher to see the information present in the presence document. It is a set variable. Each member of the set provides a way to identify a person instance. Rosenberg Expires August 22, 2005 [Page 10] Internet-Draft Presence Authorization February 2005 This specification defines two types of elements in the set - , which identifies a person instance by class, and , which identifies an instance by its instance ID. Each member of the set is identified by its type (class or instance-id) and value (value of the class or value of the instance-id). The element can also take on the special value which is a short-hand notation for all person instances present in the presence document. The set combination is done identically to the element. Permission is granted to see a particular person instance if one of the person identifiers in the set identifies that person instance. If a permission is granted to the watcher, and the permission is granted to the watcher, and the permission was granted to the watcher. 3.3.1.3 Service Information The permission allows a watcher to see service information present in elements in the presence document. Like , it is a set variable. Each member of the set provides a way to identify a service instance. This specification defines four types of elements in the set - , which identifies a service instance by class, , which identifies a service by its instance ID, , which identifies a service by its service URI, and , which identifies a service by its service URI scheme. Each member of the set is identified by its type (class, instance-id, service-uri or service-uri-scheme) and value (value of the class, value of the instance-id, value of the service-uri or value of the service-uri-scheme ). The element can also take on the special value which is a short-hand notation for all service instances present in the presence document. The set combination is done identically to the element. Permission is granted to see a particular service instance if one of the service identifiers in the set identifies that service instance. If a permission is granted to the watcher, and the permission is granted to the watcher, and the of the service instance matches Rosenberg Expires August 22, 2005 [Page 11] Internet-Draft Presence Authorization February 2005 the value of the permission based on URI equivalence, the service instance is included in the presence document. If a permission is granted to the watcher, and the permission is granted to the watcher, and the scheme of the service URI for the service instance matches the value of based on case sensitive equality, the service instance is included in the presence document. In addition, a service instance is included in the presence document if the permission was granted to the watcher. 3.3.2 Providing Access to Presence Attributes The permissions of Section 3.3.1 provide coarse grained access to presence data by allowing or blocking specific services or devices, and allowing or blocking person information. Once person, device or service information is included in the document, the permissions in this section define which presence attributes are reported there. Certain information is always reported. In particular, the , [13], status and elements in all elements, if present, are provided to watchers . The element in all elements, if present, is provided to watchers. The and elements in all elements, if present, is provided to all watchers. Note, however, that the and element values are obfuscated by default, unless permission is granted to see their actual value using the permission. 3.3.2.1 Provide Activities This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the element in the person data element is reported to the watcher. If FALSE, this presence attribute is removed if present. 3.3.2.2 Provide Class This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the element in the person, service or device data element is reported to the watcher. If FALSE, this presence Rosenberg Expires August 22, 2005 [Page 12] Internet-Draft Presence Authorization February 2005 attribute is removed if present. 3.3.2.3 Provide Device ID This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the element in the service data element is reported to the watcher. If FALSE, this presence attribute is removed if present. 3.3.2.4 Provide Mood This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the element in the person data element is reported to the watcher. If FALSE, this presence attribute is removed if present. 3.3.2.5 Provide Place-is This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the element in the person data element is reported to the watcher. If FALSE, this presence attribute is removed if present. 3.3.2.6 Provide Place-type This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the element in the person data element is reported to the watcher. If FALSE, this presence attribute is removed if present. 3.3.2.7 Provide Privacy This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the element in the service data element is reported to the watcher. If FALSE, this presence attribute is removed if present. Rosenberg Expires August 22, 2005 [Page 13] Internet-Draft Presence Authorization February 2005 3.3.2.8 Provide Relationship This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the element in the service data element is reported to the watcher. If FALSE, this presence attribute is removed if present. 3.3.2.9 Provide Sphere This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the element in the person data element is reported to the watcher. If FALSE, this presence attribute is removed if present. 3.3.2.10 Provide Status-Icon This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then any element in the person or service data element is reported to the watcher. If FALSE, this presence attribute is removed if present. 3.3.2.11 Provide Time-Offset This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the element in the person data element is reported to the watcher. If FALSE, this presence attribute is removed if present. 3.3.2.12 Provide User-Input This permission controls access to the element defined in [13]. The name of the element providing this permission is , and it is an enumerated integer type. Its value defines what information is provided to watchers: false: This value indicates that the element is removed from the document. It is assigned the numeric value of 0. Rosenberg Expires August 22, 2005 [Page 14] Internet-Draft Presence Authorization February 2005 bare: This value indicates that the element is to be retained. However, any "idle-threshold" and "since" attributes are to be removed. This value is assigned the numeric value of 1. thresholds: This value indicates that the element is to be retained. However, only the "idle-threshold" attribute is to be retained. This value is assigned to the numeric value of 2. full: This value indicates that the element is to be retained, including any attributes. This value is assigned to the numeric value of 3. 3.3.2.13 Provide Note This permission controls access to the element defined in [3] for and [15] for and . The name of the element providing this permission is , and it is a boolean type. If its value is TRUE, then the elements in the person, service or device data elements are reported to the watcher. If FALSE, this presence attribute is removed if present. 3.3.2.14 Component ID The service and device components both include identifiers (the and elements, respectively), which can reveal information to a watcher about the presentity. However, these identifiers must be present in the document in order for it to be meaningful. As a result, the permission defines transformations that can be applied to these identifiers (both of which are URI). It is an enumerated integer type. Its values are: randomize: This instructs the presence server to randomize the service URI and device ID, such that its value is different in each notification sent to a watcher, and each value is chosen with a minimum of 128 bits of randomness. The precise mechanism for this randomization is a matter of implementation. The service URI MUST still be usable for reaching that particular service, however. The value of this permission is assigned a numeric value of 0. obfuscate: This instructs the presence server to apply a static transformation to the service URI and device ID, such that the actual value is never revealed to the watcher. However, since the transformation is done through a static function, the value seen by the watcher remains unchanged as long as the URI remains unchanged. The service URI MUST still be usable for reaching that particular service, however. The value of this permission is Rosenberg Expires August 22, 2005 [Page 15] Internet-Draft Presence Authorization February 2005 assigned a numeric value of 1. allow: This instructs the presence server to provide the service URI and device ID to the watcher without modification for the purposes of privacy. The value of this permission is assigned a numeric value of 2. 3.3.2.15 Provide Unknown Attribute It is important that systems be allowed to include proprietary or new presence information, and that users be able to set permissions for that information, without requiring an upgrade of the presence server and authorization system. For this reason, the permission is defined. This permission indicates that the unknown presence attribute with the given name (supplied as mandatory attribute of the element) should be included in the document. Its type is boolean. The value of the name attribute MUST be a qualified element name (meaning that the namespace prefix MUST be included), which will be matched to all unknown child elements of the PIDF , or is present. In this context, "unknown" means that the presence server is not aware of any schemas that define authorization policies for that element. By definition, this will exclude the rule from being applied to any of the presence status extensions defined by RPID. Another consequence of this definition is that the interpretation of the element can change should the presence server be upgraded with a new schema that defines authorization rules for elements included in a . The permissions for those elements will then be ignored, resulting in a removal of those elements from presence documents sent to watchers. The system remains privacy safe, but behavior might not be as expected. Developers of systems which allow clients to set policies are advised to check the capabilities of the server, as defined in [20], before uploading a new authorization document, to make sure that the behavior will be as expected. 3.3.2.16 Provide All Attributes This permission grants access to all presence attributes in all of the person, device and tuple elements that are present in the document. It is effectively a macro that expands into a set of Rosenberg Expires August 22, 2005 [Page 16] Internet-Draft Presence Authorization February 2005 provide-activities, provide-class, provide-device-id, provide-mood, provide-place-is, provide-place-type, provide-privacy, provide-relationship, provide-sphere, provide-status-icon, provide-time-offset, provide-user-input, provide-note and provide-unknown-attribute permissions such that each presence attribute in the document has a permission for it, and also includes the component-id permission with a value of "allow". 4. When to Apply the Authorization Policies This specification does not mandate at what point in the processing of presence data the privacy filtering aspects of the authorization policy are applied. However, they must be applied such that the final presence document sent to the watcher is compliant to the privacy policy described in the document. More concretely, if the document sent to a watcher is D, and the privacy filtering operation applied do a presence document x is F(x), then D MUST have the property that D = F(D). A corollary of this is that F(F(D)) = D for all D. The subscription processing aspects of the document get applied by the server when it decides to accept or reject the subscription. 5. Example Document The following presence authorization document specifies permissions for the user "user@example.com". Rosenberg Expires August 22, 2005 [Page 17] Internet-Draft Presence Authorization February 2005 user@example.com allow sip mailto true bare true 6. XML Schema Rosenberg Expires August 22, 2005 [Page 18] Internet-Draft Presence Authorization February 2005 Rosenberg Expires August 22, 2005 [Page 19] Internet-Draft Presence Authorization February 2005 Rosenberg Expires August 22, 2005 [Page 20] Internet-Draft Presence Authorization February 2005 7. Schema Extensibility It is anticipated that future changes to this specification are accomplished through extensions that define new types of permissions. These extensions MUST exist within a different namespace. Furthermore, the schema defined above and the namespace for elements defined within it MUST NOT be altered by future specifications. Changes in the basic schema, or in the interpretation of elements within that schema, may result in violations of user privacy due to mis-interpretation of documents. This specification also defines two substitution groups. One is for service identifiers, and one is for device identifiers. It is expected that future extensions will specify new ways of identifying services and devices for inclusion in a document. These new permissions MUST be assigned to this substitution group. Rosenberg Expires August 22, 2005 [Page 21] Internet-Draft Presence Authorization February 2005 8. XCAP Usage The following section defines the details necessary for clients to manipulate presence authorization documents from a server using XCAP. 8.1 Application Unique ID XCAP requires application usages to define a unique application usage ID (AUID) in either the IETF tree or a vendor tree. This specification defines the "pres-rules" AUID within the IETF tree, via the IANA registration in Section 10. 8.2 Structure of Permission Statements The structure of permission statements is defined in Section 3. 8.3 Additional Constraints There are no additional constraints defined by this specification. 8.4 Naming Conventions When a presence agent receives a subscription for some user foo within a domain, it will look for all documents within http://[xcap root]/ pres-rules/users/foo, and use all documents found beneath that point to guide authorization policy. 8.5 Authorization Policies This application usage does not modify the default XCAP authorization policy, which is that only a user can read, write or modify their own documents. A server can allow priveleged users to modify documents that they don't own, but the establishment and indication of such policies is outside the scope of this document. 8.6 XML Schema The XML schema is defined in Section 6. 9. Security Considerations Presence authorization policies contain very sensitive information. They indicate which other users are "liked" or "disliked" by a user. As such, when these documents are transported over a network, they SHOULD be encrypted. Modification of these documents by an attacker can disrupt the service seen by a user, often in subtle ways. As a result, when Rosenberg Expires August 22, 2005 [Page 22] Internet-Draft Presence Authorization February 2005 these documents are transported, the transport SHOULD provide authenticity and message integrity. In the case where XCAP is used to transfer the document, clients SHOULD use HTTP over TLS, and servers SHOULD define the root services URI as an https URI. The server SHOULD authenticate the client over the resulting TLS connection using HTTP digest. 10. IANA Considerations There are several IANA considerations associated with this specification. 10.1 XCAP Application Usage ID This section registers an XCAP Application Usage ID (AUID) according to the IANA procedures defined in [2]. Name of the AUID: pres-rules Description: Presence rules are documents that describe the permissions that a presentity [18] has granted to users that seek to watch their presence. 10.2 URN Sub-Namespace Registration This section registers a new XML namespace, per the guidelines in [16] URI: The URI for this namespace is urn:ietf:params:xml:ns:pres-rules. Registrant Contact: IETF, SIMPLE working group, (simple@ietf.org), Jonathan Rosenberg (jdrosen@jdrosen.net). XML: Rosenberg Expires August 22, 2005 [Page 23] Internet-Draft Presence Authorization February 2005 BEGIN Presence Rules Namespace

Namespace for Permission Statements

urn:ietf:params:xml:ns:pres-rules

See RFCXXXX.

END 10.3 XML Schema Registrations This section registers an XML schema per the procedures in [16]. URI: urn:ietf:params:xml:schema:pres-rules. Registrant Contact: IETF, SIMPLE working group, (simple@ietf.org), Jonathan Rosenberg (jdrosen@jdrosen.net). The XML for this schema can be found as the sole content of Section 6. 11. References 11.1 Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Rosenberg, J., "The Extensible Markup Language (XML) Configuration Access Protocol (XCAP)", draft-ietf-simple-xcap-06 (work in progress), February 2005. [3] Sugano, H., Fujimoto, S., Klyne, G., Bateman, A., Carr, W. and J. Peterson, "Presence Information Data Format (PIDF)", RFC 3863, August 2004. [4] Bray, T., Paoli, J., Sperberg-McQueen, C. and E. Maler, Rosenberg Expires August 22, 2005 [Page 24] Internet-Draft Presence Authorization February 2005 "Extensible Markup Language (XML) 1.0 (Second Edition)", W3C FirstEdition REC-xml-20001006, October 2000. [5] Moats, R., "URN Syntax", RFC 2141, May 1997. [6] Murata, M., St. Laurent, S. and D. Kohn, "XML Media Types", RFC 3023, January 2001. [7] Moats, R., "A URN Namespace for IETF Documents", RFC 2648, August 1999. [8] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A. and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999. [9] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [10] Rosenberg, J., "A Watcher Information Event Template-Package for the Session Initiation Protocol (SIP)", RFC 3857, August 2004. [11] Roach, A., "Session Initiation Protocol (SIP)-Specific Event Notification", RFC 3265, June 2002. [12] Schulzrinne, H., "A Document Format for Expressing Privacy Preferences", draft-ietf-geopriv-common-policy-03 (work in progress), October 2004. [13] Schulzrinne, H., Gurbani, V., Kyzivat, P. and J. Rosenberg, "RPID: Rich Presence: Extensions to the Presence Information Data Format (PIDF)", draft-ietf-simple-rpid-04 (work in progress), October 2004. [14] Peterson, J., "Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)", draft-ietf-sip-identity-04 (work in progress), February 2005. [15] Rosenberg, J., "A Data Model for Presence", draft-ietf-simple-presence-data-model-01 (work in progress), October 2004. [16] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004. [17] Peterson, J., "A Privacy Mechanism for the Session Initiation Protocol (SIP)", RFC 3323, November 2002. Rosenberg Expires August 22, 2005 [Page 25] Internet-Draft Presence Authorization February 2005 11.2 Informative References [18] Day, M., Rosenberg, J. and H. Sugano, "A Model for Presence and Instant Messaging", RFC 2778, February 2000. [19] Day, M., Aggarwal, S., Mohr, G. and J. Vincent, "Instant Messaging / Presence Protocol Requirements", RFC 2779, February 2000. [20] Rosenberg, J., "An Extensible Markup Language (XML) Representation for Expressing Presence Policy Capabilities", draft-rosenberg-simple-pres-policy-caps-01 (work in progress), July 2004. [21] Rosenberg, J., "A Presence Event Package for the Session Initiation Protocol (SIP)", RFC 3856, August 2004. [22] Jennings, C., Peterson, J. and M. Watson, "Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks", RFC 3325, November 2002. Author's Address Jonathan Rosenberg Cisco Systems 600 Lanidex Plaza Parsippany, NJ 07054 US Phone: +1 973 952-5000 EMail: jdrosen@cisco.com URI: http://www.jdrosen.net Rosenberg Expires August 22, 2005 [Page 26] Internet-Draft Presence Authorization February 2005 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Rosenberg Expires August 22, 2005 [Page 27]