Network Working Group M. Wahl Internet-Draft Informed Control Inc. Intended status: Standards Track December 12, 2006 Expires: June 15, 2007 P3P Policy Attributes for LDAP draft-wahl-ldap-p3p-03 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on June 15, 2007. Copyright Notice Copyright (C) The Internet Society (2006). Wahl Expires June 15, 2007 [Page 1] Internet-Draft P3P Policy Attributes for LDAP December 2006 Abstract This document defines attributes for use in the Lightweight Directory Access Protocol (LDAP) which contain URIs for privacy policy documents. These documents describe the privacy policy concerning access to a directory server, and the privacy policies that apply to the contents of the directory (a subtree of entries). Wahl Expires June 15, 2007 [Page 2] Internet-Draft P3P Policy Attributes for LDAP December 2006 1. Introduction The W3C Platform for Privacy Preferences 1.1 (P3P1.1) specifications [1] describe an XML document format for encoding privacy policy information for an Internet-accessible resource. The initial targeted application for P3P was web sites accessed by web browsers using HTTP, and thus the specifications include a lookup mechanisms and conventions for how to find a P3P document governing a web site. These mechanisms are specific to the HTTP protocol and do not translate well into other protocols that use URIs which are not HTTP URIs. One of the major network-accessible repositories of personal information within an enterprise is its directory service. It is desirable to be able to determine the privacy policy of a directory service: what policy statements does the enterprise make concerning the contents of the directory? In addition, as most directory servers log personal identifiers in their log files, it is also desirable to be able to determine the privacy policy of the directory server itself. This document discusses how LDAP clients can obtain the URI of a P3P privacy policy statement from a directory server via LDAPv3 [2]. These attributes enable a directory client to retrieve the privacy policies and ensure their appropriateness to the planned interaction, before sending further requests to the directory server. The words "MUST", "SHOULD" and "MAY" are used as defined in RFC 2119 [3]. Please send comments to the author at mark.wahl@informed-control.com. Wahl Expires June 15, 2007 [Page 3] Internet-Draft P3P Policy Attributes for LDAP December 2006 2. Policy documents The attributes defined in this document contain Uniform Resource Identifiers (URIs) [4]. The URIs are anticipated to be of a scheme, such as http [7], which has a protocol for the retrieval of an XML document. This document does not define how to retrieve XML content from the directory server itself; it is expected that an LDAP client that wishes to parse P3P-formatted XML documents would also be capable of having an HTTP client embedded within it, it just needs to know what HTTP URI to use to obtain the document. Unlike the use of privacy policies by web sites accessed via HTTP as described in section 2 of P3P1.1 [1], this specification does not incorporate the indirection procedures of the policy reference file. (Policy reference files are not used as their INCLUDE and EXCLUDE elements assume a relative URL hierarchy that incompatible with the hierarchy used in LDAP URLs, and the policy documents are likely stored on a different kind of server than the directory server itself). Instead, the URI retrieved from the directory server directly identifies the document containing the POLICIES element, and the POLICY within that element. The URI stored in the directory attributes defined in the sections below MUST identify a file which is an UTF-8 encoded XML format document. That file MUST contain a POLICIES element, as defined in section 3.2 of P3P1.1 [1]. The URI MUST contain a URI fragment that specifies the name of the policy within that POLICIES element. For example, a directory entry might contain the attribute subtreeP3PrivacyPolicy: http://www.example.com/pol.xml#policy-ds The client SHOULD then attempt to contact the server for www.example.com via HTTP, and obtain the file /pol.xml. The policy file is UTF-8 encoded, and defined in section 3.2 of P3P1.1 [1]. Wahl Expires June 15, 2007 [Page 4] Internet-Draft P3P Policy Attributes for LDAP December 2006 A policy file might resemble (contents simplified for readability): ... ... ... ... ... The client would then locate the POLICY element which has a name matching that of the fragment in the URI, policy-ds. The POLICY element is defined in section 3.2.2 of P3P1.1, and the client processing of this information MUST be in accordance with section 2.4.4 of P3P1.1. Wahl Expires June 15, 2007 [Page 5] Internet-Draft P3P Policy Attributes for LDAP December 2006 3. Attribute for Directory Server Privacy Policy The serverP3PrivacyPolicy attribute publishes the policy of the directory server as it relates to collecting data from the LDAP client. The purpose of this attribute is to ensure that directory clients have the ability to become aware of the privacy implications of further interactions with a particular directory server. Based on this information, the directory client might choose to disconnect or might present an end user with information on the privacy policy. The semantics of this attribute are analogous to those of a web server publishing via HTTP and P3P the policy for browsers accessing a web site hosted on that server. Specifically, it informs the directory client that operation requests sent to the directory server might be used for one or more purposes, as described in the policy document. The attribute type is defined as follows (with lines wrapped for readability): attributeTypes: ( 1.3.6.1.4.1.21008.97.74.1.1 NAME 'serverP3PrivacyPolicy' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE directoryOperation ) The value is a single URI, which is encoded as a string in the UTF-8 charset. The form of URI is specified in section 2 above. The caseExactMatch and Directory String syntax are defined in RFC 4517 [6]. This attribute MAY be present in the directory server's root DSE. The attribute is retrievable if a client performs a base object search of the root DSE (with a distinguished name of zero length) with a filter of "(objectClass=*)", as described in section 5.1 of RFC 4512 [5]. Wahl Expires June 15, 2007 [Page 6] Internet-Draft P3P Policy Attributes for LDAP December 2006 4. Attribute for Directory Subtree Privacy Policy The subtreeP3PrivacyPolicy attribute publishes the policy of the directory service as it relates to the privacy protection of a subtree of entries, typically entries representing individual persons, that are in a particular subtree of the directory. The semantics of this attribute is different from that of the previous section. This attribute provides a directory client that might be searching and extracting information from a particular directory subtree information about individuals, with the privacy policy governing that information. How these individuals' information was entered into the directory is outside of the scope of this document, but is is assumed that the privacy policy applied to the gathering of this information, and SHOULD be respected by clients that are searching it. The attribute type is defined as follows: attributeTypes: ( 1.3.6.1.4.1.21008.97.74.1.2 NAME 'subtreeP3PrivacyPolicy' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) The value is a single URI, which is encoded as a string in the UTF-8 charset. The form of URI is specified in section 2 above. The caseExactMatch and Directory String syntax are defined in RFC 4517 [6]. This attribute MAY be present in any entry. In order to allow this class to be present on objects of many different structural classes, an auxiliary object class is defined. objectClasses: ( 1.3.6.1.4.1.21008.97.74.1.3 NAME 'subtreeP3PrivacyPolicyClass' AUXILIARY MAY ( subtreeP3PrivacyPolicy ) ) This auxiliary class might most usefully be combined with the organization or organizationalUnit classes. Clients MUST NOT assume the absence of this class in an entry's objectClass implies that the subtreeP3PrivacyPolicy attribute is not present in the entry, as this attribute might be part of a privately- defined schema object class, or be provided through collective attributes. Wahl Expires June 15, 2007 [Page 7] Internet-Draft P3P Policy Attributes for LDAP December 2006 A client SHOULD locate this attribute in entries which are typically used for the base object of subtrees of entries representing people, before searching to extract data from those entries. For example, the attribute may be stored in the base organization entry, or in an organizationalUnit entry for a particular category of users (such as employees or customers). Representation of privacy policy links in deployments intending to apply multiple privacy policies within a naming content is outside of the scope of this document. Wahl Expires June 15, 2007 [Page 8] Internet-Draft P3P Policy Attributes for LDAP December 2006 5. Data Schema This document does not attempt to define a general mapping between the LDAP schema representation and the P3P Basic Data Structures and base data schema. For a policy referenced by a serverP3PPrivacyPolicy, the anticipated P3P data structures that would be used in the policy would be those of the login, cert, access log and Internet addresses of sections 5.5 of P3P1.1 [1]. The login id would correspond to the distinguished name or other identifier which the client provides in an authenticated bind request. A client which sends add, modify or modDN operations SHOULD also check for the subtreeP3PrivacyPolicy for the subtree in which these operations are targeted. Wahl Expires June 15, 2007 [Page 9] Internet-Draft P3P Policy Attributes for LDAP December 2006 6. Security Considerations This document addresses two security concerns with LDAP directories. The first concern is that most directory servers maintain a log of client requests. For each connection, the log might contain the incoming connection's source IP addresses, the distinguished name or other forms of identity used in bind requests, the type and fields of requests sent by the client, as well as the server's responses. This log may contain personally identifiable information, particularly bind information, as well as information that could later be correlated with other server's log information, in order to identify the user and their patterns of operations. Some organizations which operate directory services, in particular publicly accessible services or those which are available to the organization's partners and customers, may wish to advertise the privacy policy of their directory servers, in order to ensure that persons operating directory clients accessing those servers are aware of what data is being collected and the procedures surrounding this. The second concern is that most directories contain a significant quantity of personally identifiable and personal information about individuals who are represented by entries in the directory. Directory clients SHOULD ensure that information which is obtained from the directory is handled in such a way that the privacy protections asserted for those individual's information is not violated. This document defines a mechanism for a client to at least be able to obtain the privacy protection requirements in the form of a P3P policy element, and a client application which parses this can determine whether its handling of the information is in accordance with the policy. Directory server deployments which provide unrestricted or public access to information SHOULD permit clients to search to retrieve the serverP3PrivacyPolicy attribute from the root DSE without needing to have bound. The server SHOULD also consider this operation part of the P3P "Safe Zone", as described in section 2.4.3 of P3P1.1 [1]. Directory clients SHOULD exercise good practice when determining how to access the resources identified by the URIs present in the serverP3PrivacyPolicy and subtreeP3PrivacyPolicy attributes. Section 7 of RFC 3986 [4] also discusses security considerations when handling URIs. Wahl Expires June 15, 2007 [Page 10] Internet-Draft P3P Policy Attributes for LDAP December 2006 7. IANA Considerations The following declarations will be submitted to IANA to register the attribute type and object class definitions. Subject: Request for LDAP Descriptor Registration Descriptor (short name): serverP3PrivacyPolicy Object Identifier: 1.3.6.1.4.1.21008.97.74.1.1 Person & email address to contact for further information: Mark Wahl Usage: attributeTypes Specification: RFC XXXX Author/Change Controller: IESG Comments: Subject: Request for LDAP Descriptor Registration Descriptor (short name): subtreeP3PrivacyPolicy Object Identifier: 1.3.6.1.4.1.21008.97.74.1.2 Person & email address to contact for further information: Mark Wahl Usage: attributeTypes Specification: RFC XXXX Author/Change Controller: IESG Comments: Subject: Request for LDAP Descriptor Registration Descriptor (short name): subtreeP3PrivacyPolicyClass Object Identifier: 1.3.6.1.4.1.21008.97.74.1.3 Person & email address to contact for further information: Mark Wahl Usage: objectClasses Specification: RFC XXXX Author/Change Controller: IESG Comments: Wahl Expires June 15, 2007 [Page 11] Internet-Draft P3P Policy Attributes for LDAP December 2006 8. References 8.1. Normative References [1] Cranor, L., Dobbs, B., Egelman, S., Hogben, G., Humphrey, J., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J., Schunter, M., Stampley, D., and R. Wenning, "The Platform for Privacy Preferences 1.1 (P3P1.1) Specification", February 2006, . [2] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006. [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, BCP 14, March 1997. [4] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", RFC 3986, January 2005. [5] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Directory Information Models", RFC 4512, June 2006. [6] Legg, S., "LDAP: Syntaxes and Matching Rules", RFC 4517, June 2006. 8.2. Informative References [7] "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Wahl Expires June 15, 2007 [Page 12] Internet-Draft P3P Policy Attributes for LDAP December 2006 Appendix A. Copyright Copyright (C) The Internet Society 2006. This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Wahl Expires June 15, 2007 [Page 13] Internet-Draft P3P Policy Attributes for LDAP December 2006 Author's Address Mark Wahl Informed Control Inc. PO Box 90626 Austin, TX 78709 US Email: mark.wahl@informed-control.com Wahl Expires June 15, 2007 [Page 14] Internet-Draft P3P Policy Attributes for LDAP December 2006 Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Wahl Expires June 15, 2007 [Page 15]