A Location Dereference Protocol Using HTTP-Enabled Location Delivery (HELD)
draft-ietf-geopriv-deref-protocol-07

[Ballot comment]
Thanks for addressing the rest of my comments. A great improvement.

Section 4: I think a good deal of this section should be rewritten in a more subjunctive form. As far as I can tell, none of the information in this section is required for implementation, and much of it is not done. For example:

  In this model, possession - or knowledge - of the location URI is
  used to control access to location information.  A location URI is
  constructed such that it is hard to guess (see C8 of [RFC5808]) and
  the set of entities that it is disclosed to is limited.

I think more accurately this should say:

  In this model, possession - or knowledge - of the location URI can
  be used to control access to location information.  A location URI
  might be constructed such that it is hard to guess (see C8 of
  [RFC5808]) or the set of entities that it is disclosed to can be
  limited.

Yes, this is only stylistic, but I think it conveys the right message, that generally authorization is not done and not understood for the protocol; URIs are simply accepted and it is hoped that they are being used by only the entities you want to have them.

[Ballot discuss]
Updated for -05:

My original discuss was:

1) This is along the same lines as Stephen's #1.

s3.1: Just to make sure I understand Authorization by Possession could just as easily have been called Authorization by Obscure URI?  These seems like security through obscurity.

Also, shouldn't there be some kind of statement like at a minimum:

  The use of this model SHOULD involve the use of TLS?

Actually based on s4 shouldn't that be a MUST?

s4 contains the following:

  The Location Recipient establishes a connection to the LS, as
  described in [RFC2818].  The TLS ciphersuite TLS_NULL_WITH_NULL_NULL
  MUST NOT be used.  The LS MUST be authenticated to ensure that the
  correct server is contacted.

I read that as HTTPS MUST be used.  If that is how you intended it, can't you just say that instead?

s6 says s4 says it's strong RECOMMENDED, but I don't see that in s4.


I like the updated text and agree with Stephen.

[Ballot discuss]

Updated for -05:

My original discuss said:

"#1 The draft is (a little) inconsistent about the requirement to *use* TLS.
Section 1, end of 3rd para says this "requires use of TLS", but
elsewhere (e.g. section 4, 2nd para) you say that this defines how to
use "http:" URIs and the security considerations says only that TLS is
"strongly RECOMMENDED." I'd prefer it all to say that you MUST
use TLS always, but it at least needs to be consistent doesn't it?
This should be an easy fix, I guess."

The document is now consistent (thanks) with a SHOULD use
TLS. I'd still prefer a MUST use, but if you are going to stay with
SHOULD then I think, for this use, you really need to say something
about when its ok to not use TLS.

[Ballot comment]
Section 1: Lots of redundant text. Could use an edit. A single paragraph is probably sufficient. I also find the diagram not terribly useful in the intro.

Section 3: I actually found this discussion rather confusing and unnecessary. "Authorization by Posession" is often equivalent to no authorization at all. For certain resources that require no particular protection, there needn't be any obscuration by "hard to guess" URIs, and there needn't be a Rule Maker in existence at all. On the flip side, Authorization via Access Control needn't involve a policy document at all: regular HTTP authenthication could be used with a username and password, and access control can be handled entirely by the HTTP server, again without a Rule Maker. (Of course, in each case there is theoretically a "Rule Maker", but that is so theoretical as to make the entity of little use conceptually.) No matter the authorization and authentication used, Posession is still required, so I don't see that as a useful concept.

I would be happy if this section simply eliminated the concept of "Authorization by Posession" and simply talked about different authorization and authentication methods. I think it would also be fine to leave this entire discussion to the policy document. But at the very least, I think you should mention that Authorization by Posession does not require a Rule Maker or a policy or making URIs hard to guess, though those are options to make access to location information more controlled.

[Ballot discuss]
Sections 3.2/3.3: Only after a conversation with Robert have I understood that the beginning of section 3.3 is the main point of this document: This document defines a way for a third party to use HELD to obtain location by reference, and that the only authorization to acquire that location is "Authorization by Possession." This may be clear to those who have been intimately involved in the discussion all along, but it isn't clear from the document. I'd (strongly) suggest that somehow that first paragraph of 3.3 be moved up in the document, that section 3 and 4 of the document get swapped (since as far as I can tell nothing in 4 depends on 3), and that section 3 be appropriately labeled as "Informational Future Considerations for Authorization", which is all that it really is.

[Ballot comment]
Section 1: Lots of redundant text. Could use an edit. A single paragraph is probably sufficient. I also find the diagram not terribly useful in the intro.

Section 3: I actually found this discussion rather confusing and unnecessary. "Authorization by Posession" is often equivalent to no authorization at all. For certain resources that require no particular protection, there needn't be any obscuration by "hard to guess" URIs, and there needn't be a Rule Maker in existence at all. On the flip side, Authorization via Access Control needn't involve a policy document at all: regular HTTP authenthication could be used with a username and password, and access control can be handled entirely by the HTTP server, again without a Rule Maker. (Of course, in each case there is theoretically a "Rule Maker", but that is so theoretical as to make the entity of little use conceptually.) No matter the authorization and authentication used, Posession is still required, so I don't see that as a useful concept.

I would be happy if this section simply eliminated the concept of "Authorization by Posession" and simply talked about different authorization and authentication methods. I think it would also be fine to leave this entire discussion to the policy document. But at the very least, I think you should mention that Authorization by Posession does not require a Rule Maker or a policy or making URIs hard to guess, though those are options to make access to location information more controlled.

Sections 3.2/3.3: Only after a conversation with Robert have I understood that the beginning of section 3.3 is the main point of this document: This document defines a way for a third party to use HELD to obtain location by reference, and that the only authorization to acquire that location is "Authorization by Possession." This may be clear to those who have been intimately involved in the discussion all along, but it isn't clear from the document. I'd (strongly) suggest that somehow that first paragraph of 3.3 be moved up in the document, that section 3 and 4 of the document get swapped (since as far as I can tell nothing in 4 depends on 3), and that section 3 be appropriately labeled as "Informational Future Considerations for Authorization", which is all that it really is.

[Ballot comment]
Maybe I missed it or it is discussed in some other document, but I felt the document did not describe some basic properties of local references. For instance, if I ask for my location and then pass it on to someone else, is the resulting dereferenced location my location at the time of the request, or my current location? Devices can move...

[Ballot comment]
1) Figure 2: Shouldn't the two figures in the geo-priv drafts match?

2) s3.1: Isn't it c8 in RFC 5808:

  (see C9 of [RFC5808])

3) s3.1: Isn't this true only when you don't use S/MIME:

  Use of authorization by possession location URIs in a hop-by-hop
  protocol such as SIP [RFC3261] adds the possibility of on-path
  adversaries.

4) s3.2: strike the a:

  In contrast to authorization by possession, possession of a this
  form of location URI does not imply authorization.

5) s3.2: I think you need to work something about authorization by access control being based on an authentication mechanism.  You mention in s3 and then again in s3.3, but it seems like it needs to be included in s3.2.  I kept thinking .. because … after the first sentence. Maybe:

  Use of explicit access control provides a Rule Maker greater
  control over the behaviour of an LS because it determines access
  based on individual Location Recipients.

or something like that.

6) s3.3: In the first two paragraphs of s3.3, I think you're trying to say this:

  This document does not describe a specific authentication
  mechanism; therefore, the authorization by access control
  model is not an option.  Instead, this document uses the
  authorization by possession model.

The existing two paragraphs seemed little wordy.

[Ballot discuss]
1) This is along the same lines as Stephen's #1.

s3.1: Just to make sure I understand Authorization by Possession could just as easily have been called Authorization by Obscure URI?  These seems like security through obscurity.

Also, shouldn't there be some kind of statement like at a minimum:

  The use of this model SHOULD involve the use of TLS?

Actually based on s4 shouldn't that be a MUST?

s4 contains the following:

  The Location Recipient establishes a connection to the LS, as
  described in [RFC2818].  The TLS ciphersuite TLS_NULL_WITH_NULL_NULL
  MUST NOT be used.  The LS MUST be authenticated to ensure that the
  correct server is contacted.

I read that as HTTPS MUST be used.  If that is how you intended it, can't you just say that instead?

s6 says s4 says it's strong RECOMMENDED, but I don't see that in s4.

[Ballot comment]
Section 1: Lots of redundant text. Could use an edit. A single paragraph is probably sufficient. I also find the diagram not terribly useful in the intro.

Section 3: I actually found this discussion rather confusing and unnecessary. "Authorization by Posession" is often equivalent to no authorization at all. For certain resources that require no particular protection, there needn't be any obscuration by "hard to guess" URIs, and there needn't be a Rule Maker in existence at all. On the flip side, Authorization via Access Control needn't involve a policy document at all: regular HTTP authenthication could be used with a username and password, and access control can be handled entirely by the HTTP server, again without a Rule Maker. (Of course, in each case there is theoretically a "Rule Maker", but that is so theoretical as to make the entity of little use conceptually.) No matter the authorization and authentication used, Posession is still required, so I don't see that as a useful concept.

I would be happy if this section simply eliminated the concept of "Authorization by Posession" and simply talked about different authorization and authentication methods. I think it would also be fine to leave this entire discussion to the policy document. But at the very least, I think you should mention that Authorization by Posession does not require a Rule Maker or a policy or making URIs hard to guess, though those are options to make access to location information more controlled.

[Ballot discuss]
3.2/3.3: I cannot see how this protocol can be interoperable unless you commit to a particular policy mechanism and format, not just a "possible format" [3.2] or a mechanism "such as those described in [I-D.ietf-geopriv-policy]". It seems to me that ietf-geopriv-policy should be a normative reference in this document, not an informative one, and these two sections should be written to normatively reference it.

[Ballot comment]
The AppsDir review by Ted Hardie raised several minor issues, which deserve a response. The review can be found at http://www.ietf.org/mail-archive/web/apps-discuss/current/msg03941.html

A number of terms are re-used from RFC 3693 and RFC 5808; it would be helpful to cite those specifications in Section 2.

Although Section 3 says that "no authentication framework is provided", it's not true that authentication cannot be performed (e.g., if HTTP is used to communicate with the LIS/LS then HTTP authentication can be used). The text here is not entirely consistent with the later text in Section 3.3 ("A Location Server MAY support an authentication mechanism that enables identity-based authorization policies to be used") and similar text in Section 4.

It would be appropriate to say something about leakage of location URIs (which could happen outside the TLS-protected channel between the Target and the Location Recipient -- URIs have a tendency to leak). RFC 5808 has some text about this, and perhaps you could simply point there.

[Ballot comment]
- I expected to see some mention of single-use URIs here. Is there
no use-case for those? It might help a bit given the
possession-is-authorizaiton model? (But it'd also conflict with other
use-cases maybe.)

- s3.1, maybe s/is constructed/MUST be constructed/ such
that it is hard to guess?

- what are the "other measures" mentioned in the 2nd last
para of 3.1?

[Ballot discuss]
#1 The draft is (a little) inconsistent about the requirement to *use* TLS.
Section 1, end of 3rd para says this "requires use of TLS", but
elsewhere (e.g. section 4, 2nd para) you say that this defines how to
use "http:" URIs and the security considerations says only that TLS is
"strongly RECOMMENDED." I'd prefer it all to say that you MUST
use TLS always, but it at least needs to be consistent doesn't it?
This should be an easy fix, I guess.

#2 What, if any, form(s) of TLS server auth are required to be used
when TLS is used? Would it be right to say a client MUST NOT not offer
anonymous ciphersuites in the client hello? i.e the TLS_*_anon_*
ciphersuites. (Just checking in case that hadn't been considered.
If it already was and there's a reason to allow anon ciphersuites
that's ok but would be worth explaining.)

State changed to In Last Call from Last Call Requested.

The following Last Call Announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Subject: Last Call:  (A Location Dereferencing Protocol Using HELD) to Proposed Standard


The IESG has received a request from the Geographic Location/Privacy WG
(geopriv) to consider the following document:
- 'A Location Dereferencing Protocol Using HELD'
  as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2011-10-25. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes how to use the Hypertext Transfer Protocol
  (HTTP) over Transport Layer Security (TLS) as a dereferencing
  protocol to resolve a reference to a Presence Information Data Format
  Location Object (PIDF-LO).  The document assumes that a Location
  Recipient possesses a URI that can be used in conjunction with the
  HELD protocol to request the location of the Target.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-geopriv-deref-protocol/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-geopriv-deref-protocol/


No IPR declarations have been submitted directly on this I-D.

(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

The document shepherd for this document is Richard Barnes. I have personally reviewed this version of the document and believe that it is ready for publication.


(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

The document has had reviews from several working group participants and from an OGC participant. I do not have any concerns about the level of review.


(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization or XML?

I do not believe that any particular further reviews are necessary.


(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here. Has an IPR disclosure related to this document
been filed? If so, please include a reference to the
disclosure and summarize the WG discussion and conclusion on
this issue.

I have no concerns or issues.


(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

There is broad working group consensus behind this document, based on its overall coherence with the GEOPRIV and HELD designs.


(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

I am not aware of any threat of appeal.


(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? Boilerplate checks are
not enough; this check needs to be thorough. Has the document
met all formal review criteria it needs to, such as the MIB
Doctor, media type and URI type reviews?

I have passed the document through the automated ID nit checker and found no errors. The document does not require any formal reviews.


(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

References are split into normative and informative. There are a couple of references that need to be updated, e.g., changing draft-ietf-geopriv-arch to RFC 6280. There is one normative downward reference, to RFC 2818.


(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggest a
reasonable name for the new registry? See [RFC5226]. If the
document describes an Expert Review process has Shepherd
conferred with the Responsible Area Director so that the IESG
can appoint the needed Expert during the IESG Evaluation?

This document makes no request of IANA.


(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

There is no formal language in this document.


(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Write-Up? Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary
Relevant content can frequently be found in the abstract
and/or introduction of the document. If not, this may be
an indication that there are deficiencies in the abstract
or introduction.

This document describes how to use the Hypertext Transfer Protocol (HTTP) over Transport Layer Security (TLS) as a dereferencing protocol to resolve a reference to a Presence Information Data Format Location Object (PIDF-LO). The document assumes that a Location Recipient possesses a URI that can be used in conjunction with the HELD protocol to request the location of the Target.


Working Group Summary
Was there anything in WG process that is worth noting? For
example, was there controversy about particular points or
were there decisions where the consensus was particularly
rough?

This document describes a profile of the HELD protocol, which was the topic of extensive discussions about authorization and privacy during its development. Those discussions extended somewhat to this document as well, but have been resolved with appropriate discussion of possible authorization policies and their implications.


Document Quality
Are there existing implementations of the protocol? Have a
significant number of vendors indicated their plan to
implement the specification? Are there any reviewers that
merit special mention as having done a thorough review,
e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If
there was a MIB Doctor, Media Type or other expert review,
what was its course (briefly)? In the case of a Media Type
review, on what date was the request posted?

This document is a profile of HELD, which currently has multiple interoperable implementations. This document is a part of the NENA i3 specification for IP-based emergency calling in the US.