Geopriv J. Winterbottom Internet-Draft Andrew Corporation Intended status: Standards TrackJune 22, 2007H. Tschofenig Expires:December 24,April 8, 2008 Nokia Siemens Networks M. Thomson Andrew Corporation October 6, 2007 HELD Protocol Context Management Extensionsdraft-winterbottom-geopriv-held-context-00.txtdraft-winterbottom-geopriv-held-context-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire onDecember 24, 2007.April 8, 2008. Copyright Notice Copyright (C) The IETF Trust (2007). Abstract This document describes a protocol extension forHELD enabling an End-Pointthe HTTP Enabled Location Delivery (HELD) protocol. It allows a Target to managestatefultheir location information onan LCS.a Location Information Server (LIS) through the application of constraints invoked by accessing a location URI. Constraints described in this memo restrict how often location can be accessed through a location URI, how long the URI is valid for, and the type of location information returned when a location URI is accessed. Extension points are also provided. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.Detailed DescriptionWhat is a Context? . . . . . . . . . . . . . . . . . . . . . . 5 4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. Limited Use URIs . . . . . . . . . . . . . . . . . . . . . 6 4.2. Snapshot URIs . . . . . . . . . . . . . . . . . . . . . . 7 4.3. LocationURI and id Generation RulesType URIs . . . . . . . . . . . . .9. . . . . . . 7 5.XML SchemaProtocol Details . . . . . . . . . . . . . . . . . . . . . . . 8 5.1. Create Context Message . . . . . . . . . . . . . . . . . . 8 5.2. Update Context Message . . . . . . . . . . . . . . . . . . 9 5.3. Context Response Message . . . . . . . . . . . . . . . . . 106. Guidelines For Defining5.4. ContextData ExtensionsError Messages . . . . . . . . . . . . . . . . . . 12 5.5. Location URI and Context Identifier Generation Rules . . . 12 6. XML Schema . . . . . . . . . . . . . . . . . . . . . . . . . . 14 7. Security Considerations . . . . . . . . . . . . . . . . . . .1317 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . .1519 8.1. URN Sub-Namespace Registration for urn:ietf:params:xml:ns:geopriv:held:context . . . . . . .1519 8.2. XML Schema Registration . . . . . . . . . . . . . . . . .1519 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .1721 Appendix A. Context Extensions . . . . . . . . . . . . . . . . . 22 Appendix B. HELD Compliance to IETF Location Configuration Protocol Location Reference Requirements . . . . . . 24 10. Normative References . . . . . . . . . . . . . . . . . . . . .18 Author's Address .26 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .1927 Intellectual Property and Copyright Statements . . . . . . . . . .2028 1. Introduction TheHELDHTTP Enabled Location Delivery (HELD) protocol specification [I-D.ietf-geopriv-http-location-delivery] provides a set of features that can be used byan End-Pointa Target to retrieve location information froman LCS.a Location Information Server (LIS). The basic HELD specification does this in a more or less statelessmanner. There are situations however, where the End-Point wants or requires explicit management of data inmanner, and when astateful manner on the LCS. This specification describes an extension tolocation URI is retrieved theHELD protocol to support End-Point managementTarget has no way ofstate information contained in a "context" oncontrolling how theLCS. Information contained in a context relates toURI is used; aspecific End-Point. One of the most critical pieces of functionality providedLocation Recipient inthis specification ispocession of theability to void a location URI. This is important, because without this functionality there is no way stop a third-party that has yourlocation URIfrom obtaining your location. This condition will persist untilcan get the Target's location until the URI expires.The extension definedThis basic mechanism may be reasonable inthis specification changes this behaviour by providing the End-Point the means to create, update, and terminate a context on the LCS to whichaspecific location URIlimited setis bound. Terminating the context therefore explicitly voids the location URI ending the abilityof applications, but is unacceptable in athird-party to locate the Target. In addition to context management constructs this document also provides a setbroader range ofguidelinesapplications. This position is highlighted in [I-D.ietf-geopriv-lbyr-requirements] which describes requirements for constraints relating tobe followed by designers of future context data extensions.location URIs. This specification provides support for these requirements in HELD. 2. Terminology The keyconventionswords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", andterminology used"OPTIONAL" in this document aredefinedto be interpreted asfollows:described in [RFC2119]. This document reuses the terms Target, as defined in [RFC3693]. This document uses the term LocationConfiguration Server, LCS,Information Server (LIS) as the node in the access networkprovidingthat provides location informationto an end-point.about a Target. This term is also used in [I-D.ietf-geopriv-l7-lcp-ps].This document uses the term End-Point to refer3. What is a Context? A Location URI points tothe device or host requestinga LIS that is able towhich contextual information stored onprovide theLCS applies.location of a specific Target. Thekey words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document areLIS is able tobe interpreted as described in [RFC2119]. 3. Detailed Description An End-Device wishingmap the URI tohavethe location of the Target inside its administrative domain. We call this mapping a "context". In the basic HELD specification the context is implicitly createdonwith theLCS includesrequest for a<createContext> elementlocation URI in the<locationRequest>. Information thatlocationRequest message. The Target has no control of theEnd-Point wants inmapping from the URI to the Target's location. This specification provides a degree of control to the Target, allowing it to specify rules to the LIS on how a context should map a URI to location information. A context expires when it reaches a certain age, at which time the mapping between the URI and the Target's location ceases. In the basic HELD specification the exiry time of the context isincluded insidedetermined by the<createContext> element. ExtensibilityLIS when the Target requests a location URI. By allowing the Target to specify and change the life time of a contextschemethe Target isprovidedable toallow additional elementscreate URIs for limited periods, or toaddedterminate URIs for which it longer wishes its location to be returned. This specification provides explicit support for this functionality. 4. Constraints Constraints restrict thecontext easily.ability of a Location Recipient to resolve a location URI to location information. Thegeneral idea is shown in Figure 1. <locationRequest xmlns="urn:ietf:params:xml:ns:geopriv:held"> <locationType>locationURI</locationType> <hcx:createContext hcx:xmlns="urn:ietf:params:xml:ns:geopriv:held:context" hcx:lifeTime="7200"> <ex1:extension-1 ex1:xmlns="urn:ietf:params:xml:ns:geopriv:held:ex1"> <ex1:value>7200</ex1:value> </ex1:extension-1> <extension-2 xmlns="urn:ietf:params:xml:ns:geopriv:held:ex2"/> <extension-3 xmlns="urn:ietf:params:xml:ns:geopriv:held:ex3"/> . . . <extension-N xmlns="urn:ietf:params:xml:ns:geopriv:held:exN"/> </hcx:createContext> </locationRequest> Figure 1: createContext Usage An LCSconstraints are selected by the Target and they are provided to the LIS thatunderstandsmaintains them along with the context. A LIS, understanding thisnew element SHALL includespecification, receives constraints provided by the Target, and returns a<contextResponse> element inset of URIs influenced by thecorresponding heldRepsonse message. An LCS that does not understand this new element MUST ignoreconstraints. A single Target may want to place different contraints on different references and hence may have multiple contexts on theelement as per [I-D.ietf-geopriv-http-location-delivery].LIS. TheEnd- Pointconstraints describe what actions the LIS MUSTassume thattake when a URI associated with theLCS does not understandcontextrelated messages if it does notis accessed. This document describes three basic constraints that a Target can use in comination for the same context. Once set, these rules remain in force of the life of the context. 4.1. Limited Use URIs A limited use URI can only be accessed a fixed number of times to yield the location of the Target. Each time the URI is used to provide the location of the Target one usage is consumed. Once the limit is reached the URI no longer yields the location of the Target and the URI is deemed spent. By setting the usage limit to 1, the Target is able to create a one- time-URI permitting a Location Recipient to obtain the Target's location only once. Setting the usage limit to something higher than 1 creates functionality analogous to a<contextResponse> elementmetro-ticket, where a Location Recipient in possession of the URI can access the Target's location many more times, but not exceeding the imposed limit. Not setting a usage limit provides similar semantics to the URI in the<heldResponse> message whenbase HELD specification, enabling a Location Recipient to continually obtain the Target's location until the URI expires due to age. When an HTTP URI is assigned to a context, the limit is the number of times that the URI can be accessed before the LIS returns an error. In the case of SIP it is the number of NOTIFY messages that are sent prior to the LIS returning an error. Where a contextwas requested. Sincesupports both SIP and HTTP URIs it isimpossiblethe combination of URI accesses and NOTIFY messages that constitutes the usage value, each time the Target's location is provided constitutes a usage. 4.2. Snapshot URIs A snapshot URI points topredictthe location of the Target at a specific point inadvance which elementstime, andextensionsno matter how many times theLCSURI is accessed it willunderstand before sending them, a mechanismalways yield the same location. This is useful if, for example, theLCSTarget does not want totellbe tracked. In this specification theEnd-Pointlocation snapshot to whichelements were understood and useda snapshot URIs points isrequired by eachcaptured when the contextdata extension. Guidelines for definingis created on the LIS. 4.3. Location Type URIs A location type URI controls the form of location that can be accessed; This may be geodetic, civic, or both. 5. Protocol Details This specification introduces four new HELD messages, create contextdata extensions(<createContext>), update context (<updateContext>), context response (<contextResponse>), and context error (<contextError>). A LIS that does not understand this specification is expected to return a HELD _unsupportedMessage_ error code in a HELD error message. The specification assumes that the LIS was discovered as part of the general HELD LIS discovery process. All messages areprovidedsent using the application/held+xml MIME type as defined inSection 6. An LCS supporting[I-D.ietf-geopriv-http-location-delivery]. 5.1. Create Context Message The Target creates a context on the LIS using a create context message. The basic create context message supports thebehaviourconstraints described in Section 4 and consist of three attributes and one element described below: o "uses": an optional attribute instructing theprevious sectionLIS on how many times a URI mayrespond toyield thelocationRequestlocation ofFigure 1 withthe Target. This is aresponse similarpositive integer, and has a default value of _unlimited_. The LIS SHOULD support the Target specifying up toFigure 2. <heldResponse xmlns="urn:ietf:params:xml:ns:geopriv:held" code="200" message="OK"> <locationUriSet expires="2007-08-01T13:00:00"> <locationURI> https://ls.example.com:9768/357yc6s64ceyoiuy5ax3o </locationURI> <locationURI> sips:357yc6s64ceyoiuy5ax3o@ls.example.com:9769 </locationURI> </locationUriSet> <hcx:contextResponse hcx:xmlns="urn:ietf:params:xml:ns:geopriv:held:context" hcx:id="uhvuhdbnuiehudbnvcujevuijeijcvij"> <ex1:extension-1 ex1:xmlns="urn:ietf:params:xml:ns:geopriv:held:ex1" ex1:response="OK"/> <ex2:extension-2 ex2:xmlns="urn:ietf:params:xml:ns:geopriv:held:ex2" ex2:response="OK"/> <ex3:extension-3 ex3:xmlns="urn:ietf:params:xml:ns:geopriv:held:ex3"> <ex3:datum-3>data</ex3:datum-3> <ex3:stuff>guff in here for extension</ex3:stuff> </ex3:extension-3> </hcx:contextRresponse> </heldResponse> Figure 2: LCS responseat least 100 uses. o "snapshot": an optional attribute instructing the LIS tocreateContext The End-Point can update information associatedtake a snapshot of the Target's location for use with the context. This acontext by sendingboolean value and has a default of _false_ meaning that a snapshot is not taken, and the Target's location is determined each time the URI is accessed. o "locationType": an<updateContext> element inoptional attribute instructing the LIS on the form of location that URI MUST provide. This is an enumeration and may have alocationRequest message, along withvalue of _geodetic_, _civic_, or _any_. If unspecified by thedataTarget the LIS will use a value of _any_. If the Target specifies a location type thatit wants changed in its context. Elements previously provided totheLCS but not includedLIS cannot provide, then the LIS MUST fail the context creation. o "lifeTime": is a mandatory element that defines the maximum period in seconds that the<updateContext> data set SHALL remain unchanged.LIS should keep the context for. TheEnd-PointLIS MAY create the context with a shorter life time than was requested, but the life time MUSTincludeNOT be longer than was requested. <hc:createContext xmlns:hc="urn:ietf:params:xml:ns:geopriv:held:context" uses="10" snapshot="false" locationType="any"> <hc:lifeTime>7200</hc:lifeTime> </hc:createContext> Figure 1: createContext Example Figure 1 shows a create context message defining a context which: o may be accessed 10 times o will determine the"id" attribute that it received as partlocation of the<contextResponse> with any <updateContext>Target each time it is accessed o will return the location in either geodetic or civic form depending on the request tot he URI o will be valid for 2 hours from the time of context creation 5.2. Update Context Message A Target can change the life time of a context using an update context message. As stated in Section 4 the three attributes used in the context creation, "uses", "snapshot", and "locationType" cannot be changed once a context is created. Since the Target may have more than one context on the LIS, the Target needs toclearlyidentify thechangingcontext to be updated. It does this by including a context identifier that is provided to it by theLCS. ThisLIS when the context isimportant becausecreated. <hc:updateContext xmlns:hc="urn:ietf:params:xml:ns:geopriv:held:context" hc:id="uhvuhdbnuiehudbnvcujevuijeijcvij3"> <lifeTime>3600</lifeTime> </hc:updateContext> Figure 2: updateContext Life Time Change Example When a Target includes a life time element insome circumstancesanEnd-Point may be behindupdate context message, the LIS needs to calculate afirewall or NAT sonew context expiry time. The LIS MUST do this by adding theLCS can't distinguishnew life time value to theEnd-Point creatingcurrent time on thecontext from other devices behindLIS. This mechanism means thesame NAT. The "id" makesTarget can terminate a context at any time. It does thisdistinction possible. <locationRequest xmlns="urn:ietf:params:xml:ns:geopriv:held"> <locationType>any</locationType> <hcx:updateContext hcx:xmlns="urn:ietf:params:xml:ns:geopriv:held:context" hcx:id="uhvuhdbnuiehudbnvcujevuijeijcvij"> <ex1:extension-1 ex1:xmlns="urn:ietf:params:xml:ns:geopriv:held:ex1"> <ex1:value>3600</ex1:value> </ex1:extension-1> </hcx:updateContext> </locationRequest> Figure 3: updateContext Usage Inby updating theexample showncontext with a life time of 0, which results inFigure 3theEnd-Point is updatingLIS setting the contextcreated in Figure 1 so thatexpiry time to the present. The LIS MAY also terminate a context if the life time valueassociated with extensions-1 will beis set to3600 rather thenless than 10 seconds. <hc:updateContext xmlns:hc="urn:ietf:params:xml:ns:geopriv:held:context" hc:id="uhvuhdbnuiehudbnvcujevuijeijcvij3"> <lifeTime>0</lifeTime> </lhc:updateContext> Figure 3: updateContext Termination Example 5.3. Context Response Message The LIS informs theprevious valueTarget about the outcome of7200.context operations through the context response message. The LIS MUST always send a context responsefrom the LCS is shownmessage to a Target inFigure 4. <heldResponse xmlns="urn:ietf:params:xml:ns:geopriv:held" code="200" message="OK"> <locationUriSet expires="2007-08-01T13:00:00"> <locationURI> https://ls.example.com:9768/357yc6s64ceyoiuy5ax3o </locationURI> <locationURI> sips:357yc6s64ceyoiuy5ax3o@ls.example.com:9769 </locationURI> </locationUriSet> <hcx:contextResponse hcx:xmlns="urn:ietf:params:xml:ns:geopriv:held:context" hcx:id="uhvuhdbnuiehudbnvcujevuijeijcvij"> <ex1:extension-1 ex1:xmlns="urn:ietf:params:xml:ns:geopriv:held:ex1" ex1:response="OK"/> </hcx:contextRresponse> </heldResponse> Figure 4: LCSresponse toupdateContexta create context or update context message when the outcome was successful. TheEnd-Point MUST includecontext response message contains alocationType of locationURI in"code" attribute indicating the performed operation, and thelocationRequest,otherlocationattributes and elements indicating the state of the context. The "code" attribute is an enumerated typeMAY also be present.and has one of the following values: o _created_: TheLCS SHALL returncontext was successfully created. o _destroyed_: The context was destroyed. o _updated_: The context was successfully updated. The following list details thesame location URI setother attributes are may be returned in a context response message. id: The identifier allocated toan <updateContext> asthe context by the LIS. This identifier is unique in the scope of the LIS. The Target MUST keep this secret and MUST included itdid for a <createContext>.in all update requests. TheLCS SHALLLIS MUST returnthe sameand "id"as was usedin all context response messages. uses: The number of times that therequest.context will yield the Target's location. TheEnd-PointLIS MAYincludereport either the"lifeTime" in an <updateContext> request if it wishesoriginal value, or the number of remaining uses. The LIS MUST report this value for all responses pertaining toaltera known and valid context. This value MAY be ommitted when indicating that a context has been destroyed. snapshot: The value of thelifetimesnapshot attribute in the context. The LIS MUST report this value for all responses pertaining to a known and valid context. This value MAY be ommitted when indicating that a context has been destroyed. locationType: The type of location information that can be acquired through URIs addressing the context.Any changeThe LIS MUST report this value for all responses pertaining tolifetime SHALLa known and valid context. This value MAY bereflected inomitted when indicating that a context has been destroyed. expiry: The time at which theexpirescontext will expire. After this time, all location URIs that reference this context no longer work. The LIS MUST report this value for all responses pertaining to a known context. This attribute MUST be provided even when a "code" value of _destroyed_ is included in thereturned <locationUriSet>. Ifcontext repsonse message. In addition to the"lifeTime" attribute isabove attributes, the LIS also provides a set of URIs that can used tozero or is negative thenaccess the Target's location with the surety that the contextSHALL expire immediately, and an empty <heldResponse> message SHALLconstraints will be applied. A URI set is returnedwithwhenever a"code"context is successfully created on the LIS, and this set remains unchanged for the lifetime of200. When athe context. A contextexpiresresponse message sent in reply to theLCS SHALL, immediately, delete all information associated withcreate context message in Figure 1 might look like Figure 4. <hc:contextResponse xmlns:hc="urn:ietf:params:xml:ns:geopriv:held:context" code="created" id="uhvuhdbnuiehudbnvcujevuijeijcvij4" uses="10" snapshot="false" locationType="any" expires="2007-11-01T13:30:00"> <hc:locationUriSet> <hc:locationURI> https://lis.example.com:9768/357yc6s64ceyoiuy5ax3o4 </hc:locationURI> <hc:locationURI> sips:357yc6s64ceyoiuy5ax3o4@lis.example.com:9769 </hc:locationURI> </hc:locationUriSet> </hc:contextResponse> Figure 4: contextResponse Example 5.4. Context Error Messages When the LIS unable to perform the requested contextand void all location URIs associated withoperation it need to inform thecontext. An <updateContext> request containingTarget of this. It does this using a context error message. The context error message consists of a "errorCode" and an"id" that is not recognized byoptional "message" attribute. The code indicates what went wrong, theLCS, ormessage is human-readable text that may provide additional information on what occurred. The "errorCode" attribute isforanexpired context SHALL result inenumerated type and has one of theLCS not returning a <contextResponse> infollowing values: o _badMessage_: The LIS was unable to understand thesubsequent heldResponse. 4.content of the message. o _unknownContext_: The LIS was unable to find the context. o _failed_: The LIS was unable to perform the requested operation. A Target implementing this specification MUST accept a HELD error message as a valid response to a create context or update context message. <hc:contextError xmlns:hc="urn:ietf:params:xml:ns:geopriv:held:context" code="failed" message="unable to update context"> </hc:contextError> Figure 5: contextError With Message Example 5.5. Location URI andidContext Identifier Generation Rules A primary aim of this specification is to providean End-Point with the abilitya Target a means tovoidcancel a location URIwhenso that itis associated with a context.can no longer be used to provide its location. To achieve this, a location URI generated as part of a context creation needs to be unique with in the scope of theLCS,LIS, andapplicableidentify onlytothat context. If theEnd-PointTarget destroys a context andthensubsequently creates a new one, URIs associated the new context MUST be different from those generated for the previous context. [I-D.ietf-geopriv-http-location-delivery] and [I-D.ietf-geopriv-lbyr-requirements] provide guideance on the creation and desired characteristcs of a location URI. The contextididentifier provided by theLCSLIS to theEnd-PointTarget in the<contextResponse>context response message MUST be uniqueper context,andSHOULDMUST be different from the identifier provided in anygeneratedlocation URI. This latter constraint ensures that possession of a location URI does not automatically provide access and control over the internals of the context. A contextididentifier is generated byan LCSa LIS to uniquely identify a context.The context id MUST NOT include any information that could be used to identify the Target or End-Point. Similarly, itIt MUST NOT be feasible for a third-party to easily determine a contextididentifier by knowing the identity of theTarget or End-Point.Target. This implies that internal correlation (using a hash-table or similar) is the only method that theLCSLIS can use to associate a context id with a particularEnd- Point. 5.Target. 6. XML Schema <?xml version="1.0"?> <xs:schema targetNamespace="urn:ietf:params:xml:ns:geopriv:held:context" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:heldCx="urn:ietf:params:xml:ns:geopriv:held:context" xmlns:xml="http://www.w3.org/XML/1998/namespace" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:simpleType name="locationType"> <xs:restriction base="xs:token"> <xs:enumeration value="any"/> <xs:enumeration value="civic"/> <xs:enumeration value="geodetic"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="codeType"> <xs:restriction base="xs:token"> <xs:enumeration value="created"/> <xs:enumeration value="updated"/> <xs:enumeration value="destroyed"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="errorCodeType"> <xs:restriction base="xs:token"> <xs:enumeration value="badMessage"/> <xs:enumeration value="unknownContext"/> <xs:enumeration value="failed"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="useType"> <xs:union> <xs:simpleType> <xs:restriction base="xs:token"> <xs;enumeration value="unlimited"/> </xs:restriction> </xs:simpleType> <xs:positiveInteger/> </xs:union> </xs:simpleType> <xs:complexType name="createContextMsg"> <xs:complexContent> <xs:restriction base="xs:anyType"> <xs:sequence> <xs:element name="lifeTime" type="xs:nonNegativeInteger " minOccurs="1" maxOccurs="1"/> <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attributename="lifeTime" type="xs:integer" use="optional"/>name="uses" type="heldCx:useType" use="optional" default="unlimited"/> <xs:attribute name="snapshot" type="xs:boolean" use="optional" default="false"/> <xs:attribute name="locationType" type="heldCx:locationType" use="optional" default="any"/> <xs:anyAttribute namespace="##any" processContents="lax"/> </xs:restriction> </xs:complexContent> </xs:complexType> <xs:complexType name="uriSetType"> <xs:complexContent> <xs:sequence> <xs:element name="locationURI" type="xs:anyURI" maxOccurs="unbounded"/> </xs:sequence> </xs:complexContent> </xs:complexType> <xs:complexType name="contextResponseMsg"> <xs:complexContent> <xs:restriction base="xs:anyType"> <xs:sequence> <xs:element name="locationUriSet" type="heldCx:uriSetType" minOccurs="1" maxOccurs="1"/> <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="id" type="xs:token" use="required"/> <xs:attribute name="expires" type="xs:dateTime" use="required"/> <xs:attribute name="uses" type="xs:positiveInteger" use="optional"/> <xs:attribute name="snapshot" type="xs:boolean" use="optional"/> <xs:attribute name="locationType" type="heldCx:locationType" use="optional"/> <xs:attribute name="code" type="heldCx:codeType" use="required"/> <xs:anyAttribute namespace="##any" processContents="lax"/> </xs:restriction> </xs:complexContent> </xs:complexType> <xs:complexType name="updateContextMsg"> <xs:complexContent> <xs:restrictionbase="xs:anyType">base="heldCx:"> <xs:sequence> <xs:element name="lifeTime" type="xs:nonNegativeInteger " minOccurs="0" maxOccurs="1"/> <xs:any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="id" type="xs:token" use="required"/> <xs:anyAttribute namespace="##any" processContents="lax"/> </xs:restriction> </xs:complexContent> </xs:complexType> <xs:complexType name="contextErrorMsg"> <xs:complexContent> <xs:restriction base="xs:anyType"> <xs:sequence/> <xs:attributename="lifeTime" type="xs:integer"name="errorCode" type="heldCx:errorCodeType" use="required"/> <xs:attribute name="message" type="xs:token" use="optional"/> <xs:anyAttribute namespace="##any" processContents="lax"/> </xs:restriction> </xs:complexContent> </xs:complexType> <xs:element name="createContext" type="heldCx:createContextMsg"/> <xs:element name="updateContext" type="heldCx:updateContextMsg"/> <xs:element name="contextResponse" type="heldCx:contextResponseMsg"/> <xs:element name="contextError" type="heldCx:contextErrorMsg"/> </xs:schema> Figure5: LCS response to updateContext 6. Guidelines For Defining6: ContextData Extensions A context contains specific information about an End-Point and is stored on the LCS. It is impossible to predetermine all information that an End-Point may want or need stored in a context so the context control mechanisms need to be flexible to allow easy extensibility. When defining context data extensions it is necessary to consider how they will be used; this includes not only how to provide the information from the End-Point to the LCS, but also acceptance and error indications from the LCS back to the End-Point. For example a context may be created with several extensions included, how does the LCS indicate that extensions 1 and 3 were successful but that extension 2 had a problem in its formatting? Guidelines for designing context extensions that provide functionality are described in this section. Two basic types of context data extension are envisioned. The first consist of data provided by the End-Point to be consumed by the LCS; for example information pertaining to PIDF-LO construction, usage- rules, and authorization policies. The second type of data consists of a two way exchange between the End-Device and the LCS; for example exchanging location determination capabilities. When defining a context data extension it is necessary to ensure that the LCS can provide an adequate response to the End-Point application indicating acceptance or rejection of the data provided. This may be an explicit OK or FAIL message within the extension namespace, or it may be an attribute associated with part of a larger data exchange. Either way it is mandatory for a context data extension to provide this functionality. When defining information to be included in a context data extension consideration should be given to how that data can be removed from the context. In some cases it may be necessary to void the context on the LCS in order to remove information, but this SHOULD be treated as a last resort and not used as the primary mechanism for removing data from the context.Management Schema 7. Security Considerations There are several security concerns associated with the details in this specification. The first is to do with the nature of the sensitivity of any data passed from theEnd-PointTarget to theLCSLIS for inclusion in a context. The second is the ability of theLCSLIS to contain the number of contexts that it will permit to exist for a givenEnd-PointTarget address. Finally, there is a threat of Targets performing DoS attacks on the LIS by trying to create large numbers of short-lived contexts that result in the LIS expending resources in message processing. HELD [I-D.ietf-geopriv-http-location-delivery] mandates the use of TLS for exchanges betweenan End-Pointa Target and theLCS.LIS. This is deemedsufficiently secureadequate to provide confidentiality tohideany contextual datafrom a would-be eavesdropper while the data isin transit. TheLCSLIS implementation and the operator of theLCSLIS need to take sufficient steps to ensure that active contextual data on theLCSLIS is not readily available to anyone other than theEnd-Point that owns the data.Target. TheEnd-PointTarget MUSTnotNOT provide any information to theLCSLIS that it does not want theLCSLIS to know or be able to use in some capacity associated with determination or providing of theEnd-Point'sTarget's location.The LCS SHALL not use any context information provided to it by an End-Point except to assist it with the determination and generation of location information associated with the End-Point.It is quite conceivable thatan LCSa LIS will be required to provide location toend hostsTargets residing behind a NAT; a DSL home router with 5 PCs attached is a good example this situation. In this case it is reasonable for each device to create its own context on theLCS,LIS, and for theLCSLIS to treat each context individually even though theLCSLIS cannot make any other distinction between the end hosts; that is, they share a common IP address/identity from theLCSLIS perspective.It may evenGiven the constraints that can bereasonable in some situations for a single deviceadded to a context and the way that a Target might wantmore than one context.to manage expiry separately, a Target may use multiple contexts as a way to isolate applications from each other. For instance, a Target can create a context for each application so that it can revoke access to its location information for each without affecting other applications' access. Thisenvironment howeverenvironment, however, opens theLCSLIS to a type of denial of service attack through an overloadonof contexts. It is RECOMMENDED that animplementorimplementer of this specification include mechanisms to restrict to the maximum number of contexts that can be created on theLCSLIS by an individualEnd-Point. It is RECOMMENDED that an LCS operator impose limitsTarget. Using short-term location URIs in a carefully controlled manner may obviate the need for individual location authorization policies oncontext creation such that it is restrictedthe LIS. This leads toa sustainable level.reduced LIS complexity and the amount of private information that the Target need share with the LIS. This specification provides the abilitytoforan End-Pointa Target tovoidcancel a location URI which extends theEnd-Point'sTarget's ability to enforceit rightsits entitlement to privacy. Using the mechanisms described in this memoan End-Pointa target can create URIs with short validityperiods,periods; this restricts how long a third-party is able to obtain the location of theEnd- PointTarget while still allowing theEnd-PointTarget the convenience of using a location reference.Using short-term location URIs in a carefully controlled manner may obviate the need for individual location authorization policies on the LCS. This leads to reduced LCS complexity and the amount of private information that the End-Point need share with the LCS.The generation of context identifiers by theLCSLIS is a critical component to supporting the functionality described in this memo. TheLCSLIS MUST follow the rules described in Section45.5 for generating context identifiers. 8. IANA Considerations This document registers the schema and associated namespace with IANA. 8.1. URN Sub-Namespace Registration for urn:ietf:params:xml:ns:geopriv:held:context This section registers a new XML namespace, "urn:ietf:params:xml:ns:geopriv:held:context", as per the guidelines in [RFC3688]. URI: urn:ietf:params:xml:ns:geopriv:held:context Registrant Contact: IETF, GEOPRIV working group, (geopriv@ietf.org), James Winterbottom (james.winterbottom@andrew.com). XML: BEGIN <?xml version="1.0"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>HELD Context Management Messages</title> </head> <body> <h1>Namespace for HELD Context Management Messages</h1> <h2>urn:ietf:params:xml:ns:geopriv:held:context</h2> [[NOTE TO IANA/RFC-EDITOR: Please update RFC URL and replace XXXX with the RFC number for this specification.]] <p>See <a href="[[RFC URL]]">RFCXXXX</a>.</p> </body> </html> END 8.2. XML Schema Registration This section registers an XML schema as per the guidelines in [RFC3688]. URI: urn:ietf:params:xml:schema:geopriv:held:context Registrant Contact: IETF, GEOPRIV working group, (geopriv@ietf.org), James Winterbottom (james.winterbottom@andrew.com). Schema: The XML for this schema can be found as the entirety of Figure56 of this document. 9. Acknowledgements Thanks to Adam Muhlbauer and Neil Justusson for their comments on the pre-version of this draft. Appendix A. Context Extensions A context contains specific information about a Target and is stored on the LIS. As with other protocols it is necessary to consider extensibility. When defining context data extensions it is necessary to consider how they will be used; this includes not only how to provide the information from the Target to the LIS, but also acceptance and error indications from the LIS back to the Target. For example, a context may be created with several extensions included, how does the LIS indicate that extensions 1 and 3 were successful but that extension 2 had a problem in its formatting? Guidelines for designing context extensions that provide functionality are described below. Two basic types of context data extension are envisioned. The first consist of data provided by the Target to be consumed by the LIS; for example information pertaining to PIDF-LO construction, usage-rules, and authorization policies. The second type of data consists of a two way exchange between the Target and the LIS; for example exchanging location determination capabilities. Extensibility to the context scheme is to allow additional elements to be added to the context easily. The general idea is shown in Figure 8. <hc:createContext xmlns:hc="urn:ietf:params:xml:ns:geopriv:held:context"> <lifeTime>7200</lifeTime> <ex1:extension-1 xmlns:ex1="urn:ietf:params:xml:ns:geopriv:held:ex1"> <ex1:value>7200</ex1:value> </ex1:extension-1> <extension-2 xmlns="urn:ietf:params:xml:ns:geopriv:held:ex2"/> <extension-3 xmlns="urn:ietf:params:xml:ns:geopriv:held:ex3"/> . . . <extension-N xmlns="urn:ietf:params:xml:ns:geopriv:held:exN"/> </hc:createContext> Figure 8: Create Context with Extensions When defining a context data extension it is necessary to ensure that the LIS can provide an adequate response to the Target indicating acceptance or rejection of the data provided. This may be an explicit OK or FAIL message within the extension namespace, it may be an attribute associated with part of a larger data exchange, or it may result in the LIS failing to create the context at all. Regardless, it is mandatory for a context data extension to provide an indication of success or failure. <hc:contextResponse xmlns:hc="urn:ietf:params:xml:ns:geopriv:held:context" code="created" id="uhvuhdbnuiehudbnvcujevuijeijcvij" uses="unlimited" snapshot="false" locType="any" expires="2007-08-01T13:00:00"> <locationUriSet> <locationURI> https://ls.example.com:9768/357yc6s64ceyoiuy5ax3o </locationURI> <locationURI> sips:357yc6s64ceyoiuy5ax3o@ls.example.com:9769 </locationURI> </locationUriSet> <ex1:extension-1 xmlns:ex1="urn:ietf:params:xml:ns:geopriv:held:ex1" ex1:response="OK"/> <ex2:extension-2 xmlns:ex2="urn:ietf:params:xml:ns:geopriv:held:ex2" ex2:response="OK"/> <ex3:extension-3 xmlns:ex3="urn:ietf:params:xml:ns:geopriv:held:ex3"> <datum-3>data</datum-3> <stuff>guff in here for extension</stuff> </ex3:extension-3> </hc:contextRresponse> Figure 9: LIS response to createContext When defining information to be included in a context data extension consideration should be given to how that data can be removed from the context. In some cases it may be necessary to void the context on the LIS in order to remove information, but this SHOULD be treated as a last resort and not used as the primary mechanism for removing data from the context. Appendix B. HELD Compliance to IETF Location Configuration Protocol Location Reference Requirements This section describes how HELD and this specification comply to the LCP location reference requirements stipulated in [I-D.ietf-geopriv-lbyr-requirements]. High-level requirements for a location configuration protocol. C1. "Location URI support - LCP: The configuration protocol MUST support a location reference in URI form." COMPLY. HELD only provides location references in URI form. C2. "Location URI expiration: The LCP MUST support the ability to specify to the server, the length of time that a location URI will be valid." COMPLY. HELD with the context management extensions described in this document provide the Target the ability to specify expiry times for location URIs. C3. "Location URI cancellation: The LCP MUST support the ability to request a cancellation of a specific location URI." COMPLY. HELD with the context management extensions described in this document provide the Target the ability to void location URIs when required. C4. "Random Generated: The location URI MUST be hard to guess, i.e., it MUST contain a cryptographically random component." COMPLY. The HELD specification and this document provide specific guidance on the security surrounding location URI generation. C5. "Identity Protection - LCP: The location URI MUST NOT contain any information that identifies the user, device or address of record within the URI form." COMPLY. The HELD specification and this document provide specific guidance on the anonymity of the Target with regards to the generation of location URIs. C6. "Reuse flag default: The LCP MUST support the default condition of a requested location URI being repeatedly reused." COMPLY. HELD with the context management extensions described in this document provide the Target the ability to specify how many times a location URI may yield the location of Target. C7. "One-time-use: The LCP MUST support the ability for the client to request a 'one-time-use' location URI (e.g., via a reuse flag setting)." COMPLY. HELD with the context management extensions described in this document provide the Target the ability to specify how many times a location URI may yield the location of Target. This value may be set to 1 to create a one-time URI. 10. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J. Polk, "Geopriv Requirements", RFC 3693, February 2004. [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004. [I-D.ietf-geopriv-http-location-delivery] Barnes, M., Winterbottom, J., Thomson, M., and B. Stark, "HTTP Enabled Location Delivery (HELD)",draft-ietf-geopriv-http-location-delivery-00draft-ietf-geopriv-http-location-delivery-02 (work in progress),JuneSeptember 2007. [I-D.ietf-geopriv-l7-lcp-ps] Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements",draft-ietf-geopriv-l7-lcp-ps-02draft-ietf-geopriv-l7-lcp-ps-05 (work in progress),AprilSeptember 2007.Author's Address[I-D.ietf-geopriv-lbyr-requirements] Marshall, R., "Requirements for a Location-by-Reference Mechanism", draft-ietf-geopriv-lbyr-requirements-00 (work in progress), September 2007. Authors' Addresses James Winterbottom Andrew Corporation PO Box U40 University of Wollongong, NSW 2500 AU Phone: +61 242 212938 Email: james.winterbottom@andrew.com URI: http://www.andrew.com/products/geometrix Hannes Tschofenig Nokia Siemens Networks Otto-Hahn-Ring 6 Munich, Bavaria 81739 Germany Phone: +49 89 636 40390 Email: Hannes.Tschofenig@nsn.com URI: http://www.tschofenig.com Martin Thomson Andrew Corporation PO Box U40 University of Wollongong, NSW 2500 AU Phone: +61 242 212915 Email: martin.thomson@andrew.com URI: http://www.andrew.com/products/geometrix Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).