[Geopriv] Gen-ART review of draft-ietf-geopriv-policy-uri-04

The changes requested in the Gen-ART review of the -03 version have been made in the
-04 version of this draft.

Thanks,
--David

> -----Original Message-----
> From: Black, David
> Sent: Tuesday, November 22, 2011 5:51 PM
> To: rbarnes@bbn.com; martin.thomson@andrew.com; james.winterbottom@andrew.com;
> Hannes.Tschofenig@gmx.net; gen-art@ietf.org
> Cc: Black, David; Robert Sparks; geopriv@ietf.org
> Subject: Gen-ART review of draft-ietf-geopriv-policy-uri-03
>
> I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART,
> please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
> Please wait for direction from your document shepherd
> or AD before posting a new version of the draft.
>
> Document: draft-ietf-geopriv-policy-uri-03
> Reviewer: David L. Black
> Review Date: November 22, 2011
> IESG Telechat date: December 1, 2011
>
> Summary: This draft is basically ready for publication, but has nits that
> should be fixed before publication.
>
> This draft specifies policy URIs for management of privacy policy for location
> information obtained and maintained by Location Configuration Protocols (LCPs).
> The draft is clear and well written.
>
> All of the topics raised by the GenART review of the -02 version are addressed
> in the -03 version, except that an unfortunate sentence structure has neutered
> one of the agreed-to resolutions (PUT and DELETE requests SHOULD always be
> rejected for http: URIs).
>
> The following changes should be made to correctly capture the intent (this is
> a normative change):
>
> Section 7.1:
> OLD
> If other means of protection are available, an "http:" URI MAY be used.
> NEW
> If other means of protection are available, an "http:" URI MAY be used,
> but location servers SHOULD reject all PUT and DELETE requests for policy
> URIs that use the "http:" URI scheme.
> END
>
> Section 7.2:
> OLD
> When neither application-layer or network-
> layer security is provided, location servers MUST reject requests
> using the PUT and DELETE methods, and SHOULD reject PUT and DELETE
> requests for policy URIs that use the "http:" URI scheme.
> NEW
> When neither application-layer or network-
> layer security is provided, location servers MUST reject requests
> using the PUT and DELETE methods.
> END
>
> idnits 2.12.12 did not find anything that needs attention.
>
> Thanks,
> --David
> ----------------------------------------------------
> David L. Black, Distinguished Engineer
> EMC Corporation, 176 South St., Hopkinton, MA  01748
> +1 (508) 293-7953             FAX: +1 (508) 293-7786
> david.black@emc.com        Mobile: +1 (978) 394-7754
> ----------------------------------------------------

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] I-D Action: draft-ietf-geopriv-policy-uri-04.txt

The change to intended status requires a 2nd IETF last call, which has just been issued.
The draft has been moved to the Dec 15 telechat.

RjS

On Nov 28, 2011, at 10:53 AM, Richard L. Barnes wrote:

> This draft makes two corrections:
>
> 1. Changes the intended status to "Proposed Standard" in order to line up with the current milestone:
> Jun 2011 - Submit a policy control mechanism for location configuration as Proposed Standard
>
> 2. Fixes two residual Gen-ART comments that were missed in -03
>
>
>
>
>
> On Nov 28, 2011, at 11:49 AM, internet-drafts@ietf.org wrote:
>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Geographic Location/Privacy Working Group of the IETF.
>>
>> Title : Location Configuration Extensions for Policy Management
>> Author(s) : Richard Barnes
>> Martin Thomson
>> James Winterbottom
>> Hannes Tschofenig
>> Filename : draft-ietf-geopriv-policy-uri-04.txt
>> Pages : 18
>> Date : 2011-11-28
>>
>> Current location configuration protocols are capable of provisioning
>> an Internet host with a location URI that refers to the host's
>> location. These protocols lack a mechanism for the target host to
>> inspect or set the privacy rules that are applied to the URIs they
>> distribute. This document extends the current location configuration
>> protocols to provide hosts with a reference to the rules that are
>> applied to a URI, so that the host can view or set these rules.
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-geopriv-policy-uri-04.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-geopriv-policy-uri-04.txt
>>
>> _______________________________________________
>> Geopriv mailing list
>> Geopriv@ietf.org
>> https://www.ietf.org/mailman/listinfo/geopriv
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] Last Call: (Location Configuration Extensions for Policy Management) to Proposed Standard

The IESG has received a request from the Geographic Location/Privacy WG
(geopriv) to consider the following document:
- 'Location Configuration Extensions for Policy Management'
<draft-ietf-geopriv-policy-uri-04.txt> as a Proposed Standard

This is a second last call to verify a change in intended status from Informational to Proposed Standard.

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2011-12-12. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract

Current location configuration protocols are capable of provisioning
an Internet host with a location URI that refers to the host's
location. These protocols lack a mechanism for the target host to
inspect or set the privacy rules that are applied to the URIs they
distribute. This document extends the current location configuration
protocols to provide hosts with a reference to the rules that are
applied to a URI, so that the host can view or set these rules.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-geopriv-policy-uri/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-geopriv-policy-uri/

No IPR declarations have been submitted directly on this I-D.

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] I-D Action: draft-ietf-geopriv-policy-uri-04.txt

This draft makes two corrections:

1. Changes the intended status to "Proposed Standard" in order to line up with the current milestone:
Jun 2011 - Submit a policy control mechanism for location configuration as Proposed Standard

2. Fixes two residual Gen-ART comments that were missed in -03

On Nov 28, 2011, at 11:49 AM, internet-drafts@ietf.org wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Geographic Location/Privacy Working Group of the IETF.
>
> Title : Location Configuration Extensions for Policy Management
> Author(s) : Richard Barnes
> Martin Thomson
> James Winterbottom
> Hannes Tschofenig
> Filename : draft-ietf-geopriv-policy-uri-04.txt
> Pages : 18
> Date : 2011-11-28
>
> Current location configuration protocols are capable of provisioning
> an Internet host with a location URI that refers to the host's
> location. These protocols lack a mechanism for the target host to
> inspect or set the privacy rules that are applied to the URIs they
> distribute. This document extends the current location configuration
> protocols to provide hosts with a reference to the rules that are
> applied to a URI, so that the host can view or set these rules.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-geopriv-policy-uri-04.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-geopriv-policy-uri-04.txt
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] I-D Action: draft-ietf-geopriv-policy-uri-04.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Geographic Location/Privacy Working Group of the IETF.

Title : Location Configuration Extensions for Policy Management
Author(s) : Richard Barnes
Martin Thomson
James Winterbottom
Hannes Tschofenig
Filename : draft-ietf-geopriv-policy-uri-04.txt
Pages : 18
Date : 2011-11-28

Current location configuration protocols are capable of provisioning
an Internet host with a location URI that refers to the host's
location. These protocols lack a mechanism for the target host to
inspect or set the privacy rules that are applied to the URIs they
distribute. This document extends the current location configuration
protocols to provide hosts with a reference to the rules that are
applied to a URI, so that the host can view or set these rules.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-geopriv-policy-uri-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-geopriv-policy-uri-04.txt

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] Gen-ART review of draft-ietf-geopriv-policy-uri-03

I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART,
please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please wait for direction from your document shepherd
or AD before posting a new version of the draft.

Document: draft-ietf-geopriv-policy-uri-03
Reviewer: David L. Black
Review Date: November 22, 2011
IESG Telechat date: December 1, 2011

Summary: This draft is basically ready for publication, but has nits that
should be fixed before publication.

This draft specifies policy URIs for management of privacy policy for location
information obtained and maintained by Location Configuration Protocols (LCPs).
The draft is clear and well written.

All of the topics raised by the GenART review of the -02 version are addressed
in the -03 version, except that an unfortunate sentence structure has neutered
one of the agreed-to resolutions (PUT and DELETE requests SHOULD always be
rejected for http: URIs).

The following changes should be made to correctly capture the intent (this is
a normative change):

Section 7.1:
OLD
If other means of protection are available, an "http:" URI MAY be used.
NEW
If other means of protection are available, an "http:" URI MAY be used,
but location servers SHOULD reject all PUT and DELETE requests for policy
URIs that use the "http:" URI scheme.
END

Section 7.2:
OLD
When neither application-layer or network-
layer security is provided, location servers MUST reject requests
using the PUT and DELETE methods, and SHOULD reject PUT and DELETE
requests for policy URIs that use the "http:" URI scheme.
NEW
When neither application-layer or network-
layer security is provided, location servers MUST reject requests
using the PUT and DELETE methods.
END

idnits 2.12.12 did not find anything that needs attention.

Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
david.black@emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] I-D Action: draft-ietf-geopriv-policy-uri-03.txt

This is a minor update to address concerns from SECDIR and Gen-ART reviews. Diff here:
<http://tools.ietf.org/rfcdiff?url2=draft-ietf-geopriv-policy-uri-03.txt>

On Nov 17, 2011, at 10:59 AM, internet-drafts@ietf.org wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Geographic Location/Privacy Working Group of the IETF.
>
> Title : Location Configuration Extensions for Policy Management
> Author(s) : Richard Barnes
> Martin Thomson
> James Winterbottom
> Hannes Tschofenig
> Filename : draft-ietf-geopriv-policy-uri-03.txt
> Pages : 18
> Date : 2011-11-16
>
> Current location configuration protocols are capable of provisioning
> an Internet host with a location URI that refers to the host's
> location. These protocols lack a mechanism for the target host to
> inspect or set the privacy rules that are applied to the URIs they
> distribute. This document extends the current location configuration
> protocols to provide hosts with a reference to the rules that are
> applied to a URI, so that the host can view or set these rules.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-geopriv-policy-uri-03.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-geopriv-policy-uri-03.txt
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] I-D Action: draft-ietf-geopriv-policy-uri-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Geographic Location/Privacy Working Group of the IETF.

Title : Location Configuration Extensions for Policy Management
Author(s) : Richard Barnes
Martin Thomson
James Winterbottom
Hannes Tschofenig
Filename : draft-ietf-geopriv-policy-uri-03.txt
Pages : 18
Date : 2011-11-16

Current location configuration protocols are capable of provisioning
an Internet host with a location URI that refers to the host's
location. These protocols lack a mechanism for the target host to
inspect or set the privacy rules that are applied to the URIs they
distribute. This document extends the current location configuration
protocols to provide hosts with a reference to the rules that are
applied to a URI, so that the host can view or set these rules.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-geopriv-policy-uri-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-geopriv-policy-uri-03.txt

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Diff of changes to loc-filters to align with event-rate-control

Looks fine to me.
--Richard

On Nov 16, 2011, at 4:42 PM, Rosen, Brian wrote:

> 3.6. Rate Control
>
> [RFC6446] extends the SIP events framework by defining the following
> three Event header field parameters that allow a subscriber to set a
> minimum, a maximum, and an
> average rate adaptive minimum
> of event notifications
> generated by the notifier. This allows a subscriber to have overall
> control over the stream of notifications, for example to avoid being
> flooded. Two of the parameters, namely
> "min-interval" "min-rate"
> (which specifies a
> minimum notification
> time period between two
> notifications, in seconds)
> rate per second) and "max-interval" "max-rate"
> (which specifies
> a maximum notification
> time period between two notifications, in
> seconds)
> rate per second)
> are used by this document.
> Only the implementation of these two attributes is required from the
> attributes defined in [RFC6446]. Whenever the time since the most
> recent notification exceeds the value
> in corresponding to the "max-interval" "max-rate"
>
> parameter, the current state would be sent in its entirety, just like
> after a subscription refresh.
>
> A notifier is required to send a NOTIFY request immediately after
> creation of a subscription. If state is not available at that time,
> then the NOTIFY request may be sent with no content. A separate
> NOTIFY containing location is subsequently generated some time
> between
> the time included in "min-interval" "min-rate" and
> the time in "max-
> interval".
> "max-rate".
> An important use case for
> location-based applications focuses on the behavior of the initial
> NOTIFY message(s) and the information it returns, for example in case
> of emergency call routing. When an initial NOTIFY is transmitted, it
> might not include complete state.
>
> Subscriber Notifier
> |---SUBSCRIBE(1)--->| Create subscription
> (w/small (w/large
> value
> |<-------200--------| for
> min-interval min-rate and max-interval) max-rate)
>
> |<-----NOTIFY(2)----| Return initial notify with no state
> |--------200------->|
> |<-----NOTIFY(3)----| Return full state (between
> min-interval min-rate
>
> |--------200------->| and
> max-interval) max-rate)
>
> |---SUBSCRIBE(4)--->| Update subscription (to update
> |<-------200--------|
> min-interval min-rate and max-interval) max-rate)
>
>
> Figure 9: SUBSCRIBE/NOTIFY with Rate Control
>
> Figure 9 shows a SUBSCRIBE/NOTIFY exchange. The initial SUBSCRIBE
> message (1) has filters attached and contains a
> "max-interval" "max-rate"
> rate
> control parameter. In certain situations, it is important to obtain
> some amount of location information within a relatively short and
> pre-defined period of time, even if the obtained location information
> contains a high amount of uncertainty and location information with
> less uncertainty at a later point in time. An example is emergency
> call routing where an emergency services routing proxy may need to
> obtain location information suitable for routing rather quickly and
> subsequently a Public Safety Answering Point requests location
> information for dispatch.
>
> To obtain location information in a timely fashion using the
> SUBSCRIBE/NOTIFY mechanism, it is RECOMMENDED that the initial
> SUBSCRIBE contain a
> "max-interval" "max-rate"
> rate control parameter (with a
>
> small large
>
> value) that is in a later message updated to a more sensible value.
> This provides equivalent functionality to the 'responseTime'
> attribute in Section 6.1 of [RFC5985]. The
> "max-interval" "max-rate"
> for this first
> request is therefore much
> lower larger
> than thereafter. Updating the
>
> "max-interval"
> "max-
> rate"
> for the subscription can be performed in the 200 response (see
> message 3) to the NOTIFY that contains state. Depending on the value
> in the
> "max-interval" "max-rate"
> parameter, the Notifier may create a NOTIFY message
> (see message 2) immediately in response to the SUBSCRIBE that might
> be empty in case no location information is available at this point
> in time. The desired location information may then arrive in the
> subsequent NOTIFY message (see message 4).
>
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] Diff of changes to loc-filters to align with event-rate-control

3.6.  Rate Control     [RFC6446] extends the SIP events framework by defining the following    three Event header field parameters that allow a subscriber to set a    minimum, a maximum, and an average rate adaptive minimum of event notifications    generated by the notifier.  This allows a subscriber to have overall    control over the stream of notifications, for example to avoid being    flooded.  Two of the parameters, namely "min-interval" "min-rate" (which specifies a    minimum notification time period between two    notifications, in seconds) rate per second) and "max-interval" "max-rate" (which specifies    a maximum notification time period between two notifications, in    seconds) rate per second) are used by this document.    Only the implementation of these two attributes is required from the    attributes defined in [RFC6446].  Whenever the time since the most    recent notification exceeds the value in corresponding to the "max-interval" "max-rate"    parameter, the current state would be sent in its entirety, just like    after a subscription refresh.     A notifier is required to send a NOTIFY request immediately after    creation of a subscription.  If state is not available at that time,    then the NOTIFY request may be sent with no content.  A separate    NOTIFY containing location is subsequently generated some time    between the time included in "min-interval" "min-rate" and the time in "max-    interval". "max-rate".  An important use case for    location-based applications focuses on the behavior of the initial    NOTIFY message(s) and the information it returns, for example in case    of emergency call routing.  When an initial NOTIFY is transmitted, it    might not include complete state.     Subscriber          Notifier        |---SUBSCRIBE(1)--->|     Create subscription (w/small (w/large value        |<-------200--------|         for min-interval min-rate and max-interval) max-rate)        |<-----NOTIFY(2)----|     Return initial notify with no state        |--------200------->|        |<-----NOTIFY(3)----|     Return full state (between min-interval min-rate        |--------200------->|         and max-interval) max-rate)        |---SUBSCRIBE(4)--->|     Update subscription (to update        |<-------200--------|         min-interval         min-rate and max-interval) max-rate)                 Figure 9: SUBSCRIBE/NOTIFY with Rate Control     Figure 9 shows a SUBSCRIBE/NOTIFY exchange.  The initial SUBSCRIBE    message (1) has filters attached and contains a "max-interval" "max-rate" rate    control parameter.  In certain situations, it is important to obtain    some amount of location information within a relatively short and    pre-defined period of time, even if the obtained location information    contains a high amount of uncertainty and location information with    less uncertainty at a later point in time.  An example is emergency    call routing where an emergency services routing proxy may need to    obtain location information suitable for routing rather quickly and    subsequently a Public Safety Answering Point requests location    information for dispatch.     To obtain location information in a timely fashion using the    SUBSCRIBE/NOTIFY mechanism, it is RECOMMENDED that the initial    SUBSCRIBE contain a "max-interval" "max-rate" rate control parameter (with a    small large    value) that is in a later message updated to a more sensible value.    This provides equivalent functionality to the 'responseTime'    attribute in Section 6.1 of [RFC5985].  The "max-interval" "max-rate" for this first    request is therefore much lower larger than thereafter.  Updating the    "max-interval" "max-    rate" for the subscription can be performed in the 200 response (see    message 3) to the NOTIFY that contains state.  Depending on the value    in the "max-interval" "max-rate" parameter, the Notifier may create a NOTIFY message    (see message 2) immediately in response to the SUBSCRIBE that might    be empty in case no location information is available at this point    in time.  The desired location information may then arrive in the    subsequent NOTIFY message (see message 4). 

Re: [Geopriv] PIDF-LO PURL and Relax NG URL not found

Andrea -

Let me check. We (the OGC) has been updating our schema repository
capability to utilize some new tools as well as to implement new OGC schema
policies.

Regards

Carl

-----Original Message-----
From: Andrea G. Forte
Sent: Monday, November 14, 2011 9:40 AM
To: geopriv@ietf.org
Subject: [Geopriv] PIDF-LO PURL and Relax NG URL not found

Dear all,

I just found out that the two URLs:
http://www.opengis.net/pidflo/1.0
http://relaxng.org/ns/compatibility/annotations/1.0

Do not work any longer. Does anyone know what has happened to these two
URLs and if they have been replaced by new ones, what the new ones are?

If this is not the right place to ask, can someone please point me in the
right direction?

Thank you all,

-- Andrea Forte

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] PIDF-LO PURL and Relax NG URL not found

Understood. I have the OGC schema guru checking into the issue. We just went
through a major schema repository update and alignment with ISO requirements
for joint standards documents. I will let you know as soon as the problem is
corrected.

Thanks

Carl

-----Original Message-----
From: Brian Rosen
Sent: Monday, November 14, 2011 6:27 PM
To: Carl Reed
Cc: Andrea G. Forte ; geopriv@ietf.org
Subject: Re: [Geopriv] PIDF-LO PURL and Relax NG URL not found

Carl

We need at least the first of these to be stable, because they are
referenced in stable documents.

Brian

On Nov 15, 2011, at 12:24 PM, Carl Reed wrote:

> Andrea -
>
> Let me check. We (the OGC) has been updating our schema repository
> capability to utilize some new tools as well as to implement new OGC
> schema policies.
>
> Regards
>
> Carl
>
>
> -----Original Message----- From: Andrea G. Forte
> Sent: Monday, November 14, 2011 9:40 AM
> To: geopriv@ietf.org
> Subject: [Geopriv] PIDF-LO PURL and Relax NG URL not found
>
> Dear all,
>
> I just found out that the two URLs:
> http://www.opengis.net/pidflo/1.0
> http://relaxng.org/ns/compatibility/annotations/1.0
>
> Do not work any longer. Does anyone know what has happened to these two
> URLs and if they have been replaced by new ones, what the new ones are?
>
> If this is not the right place to ask, can someone please point me in the
> right direction?
>
> Thank you all,
>
> -- Andrea Forte
>
>
>
>
>
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] PIDF-LO PURL and Relax NG URL not found

Carl

We need at least the first of these to be stable, because they are referenced in stable documents.

Brian

On Nov 15, 2011, at 12:24 PM, Carl Reed wrote:

> Andrea -
>
> Let me check. We (the OGC) has been updating our schema repository capability to utilize some new tools as well as to implement new OGC schema policies.
>
> Regards
>
> Carl
>
>
> -----Original Message----- From: Andrea G. Forte
> Sent: Monday, November 14, 2011 9:40 AM
> To: geopriv@ietf.org
> Subject: [Geopriv] PIDF-LO PURL and Relax NG URL not found
>
> Dear all,
>
> I just found out that the two URLs:
> http://www.opengis.net/pidflo/1.0
> http://relaxng.org/ns/compatibility/annotations/1.0
>
> Do not work any longer. Does anyone know what has happened to these two
> URLs and if they have been replaced by new ones, what the new ones are?
>
> If this is not the right place to ask, can someone please point me in the
> right direction?
>
> Thank you all,
>
> -- Andrea Forte
>
>
>
>
>
>
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv
> _______________________________________________
> Geopriv mailing list
> Geopriv@ietf.org
> https://www.ietf.org/mailman/listinfo/geopriv

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] PIDF-LO PURL and Relax NG URL not found

Dear all,

I just found out that the two URLs:
http://www.opengis.net/pidflo/1.0
http://relaxng.org/ns/compatibility/annotations/1.0

Do not work any longer. Does anyone know what has happened to these two
URLs and if they have been replaced by new ones, what the new ones are?

If this is not the right place to ask, can someone please point me in the
right direction?

Thank you all,

-- Andrea Forte

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] Fwd: Head's up: Geolocation API Level 2 FPWD and LC

FYI

> ------- Forwarded message -------
> From: "Lars Erik Bolstad" <lbolstad@opera.com>
> ...
>
> The Geolocation WG intend to publish the Geolocation API Level 2
> specification as a First Public and Last Call working draft next week.
>
> We plan to set the deadline for comments to 31 December, so the LC
> period will last about 6 weeks.
>
> The working draft can be found here:
> http://www.w3.org/2008/geolocation/drafts/API/spec-source-v2.html
>
> We would be particularly interested in feedback from the following
> working groups and would appreciate if the chairs of these WGs could
> comment on our planned schedule:
>
> DAP, WebApps, I18N, TAG, HCG, WAI WCAG, SemWeb XG, POIWG.
>
> Thanks,
> Lars Erik Bolstad
>
>
> --
> Charles 'chaals' McCathieNevile Opera Software, Standards Group
> je parle français -- hablo español -- jeg kan litt norsk
> http://my.opera.com/chaals Try Opera: http://www.opera.com
>

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Gen-ART review of draft-ietf-geopriv-policy-uri-02

That change looks fine to me!

Thanks,
--Richard

On Nov 8, 2011, at 11:33 PM, <david.black@emc.com> wrote:

> Hi Richard,
>
> I think we're close:
>
>> Confidentiality and integrity protections SHOULD be used when policy URIs are conveyed in a location
>> configuration protocol, and in the requests that are used to inspect, change or delete the policy
>> resource. Note that in some protocols (such as DHCP), these protections may arise from limiting the
>> use of the protocol to the local network, thus relying on lower-layer security mechanisms. When
>> neither application-layer or network-layer security is provided, location servers MUST reject requests
>> using the PUT and DELETE methods, and SHOULD reject PUT and DELETE requests for policy URIs that use
>> the "http:" URI scheme.
>
> This text looks good to me, except that the structure of the final sentence inadvertently neuters the final "SHOULD" requirement. Can we move that requirement into Section 7.1? The change in Section 7.2 would then be:
>
> OLD:
> "
> Confidentiality is required for its conveyance in the location configuration protocol, and in the requests that are used to inspect, change or delete the policy resource.
> "
> NEW:
> "
> Confidentiality and integrity protections SHOULD be used when policy URIs are conveyed in a location configuration protocol, and in the requests that are used to inspect, change or delete the policy resource. Note that in some protocols (such as DHCP), these protections may arise from limiting the use of the protocol to the local network, thus relying on lower-layer security mechanisms. When neither application-layer or network-layer security is provided, location servers MUST reject requests using the PUT and DELETE methods.
> "
>
> This change in Section 7.1 would pick up the moved requirement:
>
> OLD
> If other means of protection are available, an "http:" URI MAY be used.
> NEW
> If other means of protection are available, an "http:" URI MAY be used, but
> location servers SHOULD reject all PUT and DELETE requests for policy URIs
> that use the "http:" URI scheme.
> END
>
> One of my concerns behind wanting this general "SHOULD" is that there's no assurance that an "http:" URI will stay confined to the local network that is being relied upon to secure it.
>
> Thanks,
> --David
>
>> -----Original Message-----
>> From: Richard Barnes [mailto:rbarnes@bbn.com]
>> Sent: Tuesday, November 08, 2011 9:43 PM
>> To: Black, David
>> Cc: martin.thomson@andrew.com; james.winterbottom@andrew.com; Hannes.Tschofenig@gmx.net; gen-
>> art@ietf.org; ietf@ietf.org; rjsparks@nostrum.com; geopriv@ietf.org
>> Subject: Re: Gen-ART review of draft-ietf-geopriv-policy-uri-02
>>
>> Hi David,
>>
>> The penalty for getting a quick response for the first time is that the second response takes longer
>> :) Inline.
>>
>>> - The additional text in section 3.1 stating that the policy URI is a shared
>>> secret with a forward reference to the security considerations section
>>> removes the surprise factor.
>>> - The additional text on URI unpredictability in section 7.2 recommending a
>>> combination of 32 bits of entropy with rate limiting provides concrete
>>> guidance to implementers.
>>
>> Thanks, we'll note those changes for the RFC editor (or for a new revision, if our AD prefers).
>>
>>
>>> That leaves the issue of confidentiality and integrity requirements in section 7.2:
>>>
>>>>> Alternatively, changing "required" to "REQUIRED" in the following sentence
>>>>> in Section 7.2 may suffice, although integrity is not mentioned in this
>>>>> sentence:
>>>>>
>>>>> Confidentiality is required for its conveyance in the
>>>>> location configuration protocol, and in the requests that are used
>>>>> to inspect, change or delete the policy resource.
>>>>
>>>> I like this phrasing. I'm not sure it's quite REQUIRED (following the "MUST implement / MAY use"
>>>> pattern of BCP 61), but I would go for a strong SHOULD. The underlying LCP protocols already
>>>> guarantee the "MUST implement". Suggested text:
>>>>
>>>> Section 7.2
>>>> OLD:
>>>> "
>>>> Confidentiality is required for its conveyance in the location configuration protocol, and in the
>>>> requests that are used to inspect, change or delete the policy resource.
>>>> "
>>>> NEW:
>>>> "
>>>> Confidentiality and integrity protections SHOULD be used when policy URIs are conveyed in a
>> location
>>>> configuration protocol, and in the requests that are used to inspect, change or delete the policy
>>>> resource.
>>>> "
>>>
>>> The reason for going beyond BCP 61 is that BCP 61 concerns protocols in general, but this
>>> is a specific case with additional security requirements because a policy URI is a shared
>>> secret. If a policy URI is sent without confidentiality, a likely result is that the
>>> policy URI is still shared, but is no longer sufficiently secret (oops).
>>>
>>> This is particularly dangerous if there are no additional authorization checks on the
>>> PUT or DELETE methods for the policy URI, but it's probably ok in some situations if only
>>> the GET method is allowed (e.g., policy creation and update are handled via some other means
>>> such as a secure web portal).
>>>
>>> For that reason, the proposed SHOULD requirement would be ok with me if a couple of things
>>> were added:
>>> (i) If an LCP sends a policy URI without confidentiality protection, then the
>>> LIS or LS MUST reject the PUT and DELETE methods for that URI.
>>> (ii) The PUT and DELETE methods SHOULD NOT be supported for policy URIs that
>>> use the "http:" URI scheme (in contrast to the "https:" URI scheme).
>>>
>>> For (i) it'd also be useful to note that the current LCPs never send a policy URI
>>> without confidentiality protection in connection with this (already stated in 7.1,
>>> but ought to be connected to (i) if that text winds up in a different section).
>>>
>>> For (ii), I'm not sure what is envisioned by the final sentence in section 7.1:
>>>
>>> If other means of protection are available, an "http:" URI MAY be used.
>>>
>>> What sorts of "other means of protection" were the underlying motivation? Those "other
>>> means of protection" would be the reason for (ii) being a "SHOULD" instead of a "MUST".
>>
>> I think the general countervailing idea here is that location servers are generally expected to be a
>> local network function (see, for example, RFC 5986). In this context, you benefit some from "other
>> protection" in that in order to capture information, an attacker has to be fairly close to the victim.
>>
>> There's a strong tie to DHCP security here. On one level, by analogy; DHCP, after all, provides no
>> confidentiality protection, which is acceptable largely because its use is so constrained. At another
>> level, though, we have to keep in mind that one of the goals of this document is to enable policy
>> URIs to be distributed through DHCP. So even if we place stronger controls on policy URIs, DHCP will
>> still be a "weaker link". Or, said the other way around, if we require stronger controls for policy
>> URIs (as in your text), then we might as well remove the DHCP transport from the document.
>>
>> Nonetheless, your two caveats look fine to me if we make some accommodation for this constrained case.
>> Proposed text:
>>
>> OLD:
>> "
>> Confidentiality is required for its conveyance in the location configuration protocol, and in the
>> requests that are used to inspect, change or delete the policy resource.
>> "
>> NEW:
>> "
>> Confidentiality and integrity protections SHOULD be used when policy URIs are conveyed in a location
>> configuration protocol, and in the requests that are used to inspect, change or delete the policy
>> resource. Note that in some protocols (such as DHCP), these protections may arise from limiting the
>> use of the protocol to the local network, thus relying on lower-layer security mechanisms. When
>> neither application-layer or network-layer security is provided, location servers MUST reject requests
>> using the PUT and DELETE methods, and SHOULD reject PUT and DELETE requests for policy URIs that use
>> the "http:" URI scheme.
>> "
>>
>> Thanks,
>> --Richard
>>
>>
>>
>

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Gen-ART review of draft-ietf-geopriv-policy-uri-02

Hi Richard,

I think we're close:

> Confidentiality and integrity protections SHOULD be used when policy URIs are conveyed in a location
> configuration protocol, and in the requests that are used to inspect, change or delete the policy
> resource. Note that in some protocols (such as DHCP), these protections may arise from limiting the
> use of the protocol to the local network, thus relying on lower-layer security mechanisms. When
> neither application-layer or network-layer security is provided, location servers MUST reject requests
> using the PUT and DELETE methods, and SHOULD reject PUT and DELETE requests for policy URIs that use
> the "http:" URI scheme.

This text looks good to me, except that the structure of the final sentence inadvertently neuters the final "SHOULD" requirement. Can we move that requirement into Section 7.1? The change in Section 7.2 would then be:

OLD:
"
Confidentiality is required for its conveyance in the location configuration protocol, and in the requests that are used to inspect, change or delete the policy resource.
"
NEW:
"
Confidentiality and integrity protections SHOULD be used when policy URIs are conveyed in a location configuration protocol, and in the requests that are used to inspect, change or delete the policy resource. Note that in some protocols (such as DHCP), these protections may arise from limiting the use of the protocol to the local network, thus relying on lower-layer security mechanisms. When neither application-layer or network-layer security is provided, location servers MUST reject requests using the PUT and DELETE methods.
"

This change in Section 7.1 would pick up the moved requirement:

OLD
If other means of protection are available, an "http:" URI MAY be used.
NEW
If other means of protection are available, an "http:" URI MAY be used, but
location servers SHOULD reject all PUT and DELETE requests for policy URIs
that use the "http:" URI scheme.
END

One of my concerns behind wanting this general "SHOULD" is that there's no assurance that an "http:" URI will stay confined to the local network that is being relied upon to secure it.

Thanks,
--David

> -----Original Message-----
> From: Richard Barnes [mailto:rbarnes@bbn.com]
> Sent: Tuesday, November 08, 2011 9:43 PM
> To: Black, David
> Cc: martin.thomson@andrew.com; james.winterbottom@andrew.com; Hannes.Tschofenig@gmx.net; gen-
> art@ietf.org; ietf@ietf.org; rjsparks@nostrum.com; geopriv@ietf.org
> Subject: Re: Gen-ART review of draft-ietf-geopriv-policy-uri-02
>
> Hi David,
>
> The penalty for getting a quick response for the first time is that the second response takes longer
> :) Inline.
>
> > - The additional text in section 3.1 stating that the policy URI is a shared
> > secret with a forward reference to the security considerations section
> > removes the surprise factor.
> > - The additional text on URI unpredictability in section 7.2 recommending a
> > combination of 32 bits of entropy with rate limiting provides concrete
> > guidance to implementers.
>
> Thanks, we'll note those changes for the RFC editor (or for a new revision, if our AD prefers).
>
>
> > That leaves the issue of confidentiality and integrity requirements in section 7.2:
> >
> >>> Alternatively, changing "required" to "REQUIRED" in the following sentence
> >>> in Section 7.2 may suffice, although integrity is not mentioned in this
> >>> sentence:
> >>>
> >>> Confidentiality is required for its conveyance in the
> >>> location configuration protocol, and in the requests that are used
> >>> to inspect, change or delete the policy resource.
> >>
> >> I like this phrasing. I'm not sure it's quite REQUIRED (following the "MUST implement / MAY use"
> >> pattern of BCP 61), but I would go for a strong SHOULD. The underlying LCP protocols already
> >> guarantee the "MUST implement". Suggested text:
> >>
> >> Section 7.2
> >> OLD:
> >> "
> >> Confidentiality is required for its conveyance in the location configuration protocol, and in the
> >> requests that are used to inspect, change or delete the policy resource.
> >> "
> >> NEW:
> >> "
> >> Confidentiality and integrity protections SHOULD be used when policy URIs are conveyed in a
> location
> >> configuration protocol, and in the requests that are used to inspect, change or delete the policy
> >> resource.
> >> "
> >
> > The reason for going beyond BCP 61 is that BCP 61 concerns protocols in general, but this
> > is a specific case with additional security requirements because a policy URI is a shared
> > secret. If a policy URI is sent without confidentiality, a likely result is that the
> > policy URI is still shared, but is no longer sufficiently secret (oops).
> >
> > This is particularly dangerous if there are no additional authorization checks on the
> > PUT or DELETE methods for the policy URI, but it's probably ok in some situations if only
> > the GET method is allowed (e.g., policy creation and update are handled via some other means
> > such as a secure web portal).
> >
> > For that reason, the proposed SHOULD requirement would be ok with me if a couple of things
> > were added:
> > (i) If an LCP sends a policy URI without confidentiality protection, then the
> > LIS or LS MUST reject the PUT and DELETE methods for that URI.
> > (ii) The PUT and DELETE methods SHOULD NOT be supported for policy URIs that
> > use the "http:" URI scheme (in contrast to the "https:" URI scheme).
> >
> > For (i) it'd also be useful to note that the current LCPs never send a policy URI
> > without confidentiality protection in connection with this (already stated in 7.1,
> > but ought to be connected to (i) if that text winds up in a different section).
> >
> > For (ii), I'm not sure what is envisioned by the final sentence in section 7.1:
> >
> > If other means of protection are available, an "http:" URI MAY be used.
> >
> > What sorts of "other means of protection" were the underlying motivation? Those "other
> > means of protection" would be the reason for (ii) being a "SHOULD" instead of a "MUST".
>
> I think the general countervailing idea here is that location servers are generally expected to be a
> local network function (see, for example, RFC 5986). In this context, you benefit some from "other
> protection" in that in order to capture information, an attacker has to be fairly close to the victim.
>
> There's a strong tie to DHCP security here. On one level, by analogy; DHCP, after all, provides no
> confidentiality protection, which is acceptable largely because its use is so constrained. At another
> level, though, we have to keep in mind that one of the goals of this document is to enable policy
> URIs to be distributed through DHCP. So even if we place stronger controls on policy URIs, DHCP will
> still be a "weaker link". Or, said the other way around, if we require stronger controls for policy
> URIs (as in your text), then we might as well remove the DHCP transport from the document.
>
> Nonetheless, your two caveats look fine to me if we make some accommodation for this constrained case.
> Proposed text:
>
> OLD:
> "
> Confidentiality is required for its conveyance in the location configuration protocol, and in the
> requests that are used to inspect, change or delete the policy resource.
> "
> NEW:
> "
> Confidentiality and integrity protections SHOULD be used when policy URIs are conveyed in a location
> configuration protocol, and in the requests that are used to inspect, change or delete the policy
> resource. Note that in some protocols (such as DHCP), these protections may arise from limiting the
> use of the protocol to the local network, thus relying on lower-layer security mechanisms. When
> neither application-layer or network-layer security is provided, location servers MUST reject requests
> using the PUT and DELETE methods, and SHOULD reject PUT and DELETE requests for policy URIs that use
> the "http:" URI scheme.
> "
>
> Thanks,
> --Richard
>
>
>

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Gen-ART review of draft-ietf-geopriv-policy-uri-02

Hi David,

The penalty for getting a quick response for the first time is that the second response takes longer :) Inline.

> - The additional text in section 3.1 stating that the policy URI is a shared
> secret with a forward reference to the security considerations section
> removes the surprise factor.
> - The additional text on URI unpredictability in section 7.2 recommending a
> combination of 32 bits of entropy with rate limiting provides concrete
> guidance to implementers.

Thanks, we'll note those changes for the RFC editor (or for a new revision, if our AD prefers).

> That leaves the issue of confidentiality and integrity requirements in section 7.2:
>
>>> Alternatively, changing "required" to "REQUIRED" in the following sentence
>>> in Section 7.2 may suffice, although integrity is not mentioned in this
>>> sentence:
>>>
>>> Confidentiality is required for its conveyance in the
>>> location configuration protocol, and in the requests that are used
>>> to inspect, change or delete the policy resource.
>>
>> I like this phrasing. I'm not sure it's quite REQUIRED (following the "MUST implement / MAY use"
>> pattern of BCP 61), but I would go for a strong SHOULD. The underlying LCP protocols already
>> guarantee the "MUST implement". Suggested text:
>>
>> Section 7.2
>> OLD:
>> "
>> Confidentiality is required for its conveyance in the location configuration protocol, and in the
>> requests that are used to inspect, change or delete the policy resource.
>> "
>> NEW:
>> "
>> Confidentiality and integrity protections SHOULD be used when policy URIs are conveyed in a location
>> configuration protocol, and in the requests that are used to inspect, change or delete the policy
>> resource.
>> "
>
> The reason for going beyond BCP 61 is that BCP 61 concerns protocols in general, but this
> is a specific case with additional security requirements because a policy URI is a shared
> secret. If a policy URI is sent without confidentiality, a likely result is that the
> policy URI is still shared, but is no longer sufficiently secret (oops).
>
> This is particularly dangerous if there are no additional authorization checks on the
> PUT or DELETE methods for the policy URI, but it's probably ok in some situations if only
> the GET method is allowed (e.g., policy creation and update are handled via some other means
> such as a secure web portal).
>
> For that reason, the proposed SHOULD requirement would be ok with me if a couple of things
> were added:
> (i) If an LCP sends a policy URI without confidentiality protection, then the
> LIS or LS MUST reject the PUT and DELETE methods for that URI.
> (ii) The PUT and DELETE methods SHOULD NOT be supported for policy URIs that
> use the "http:" URI scheme (in contrast to the "https:" URI scheme).
>
> For (i) it'd also be useful to note that the current LCPs never send a policy URI
> without confidentiality protection in connection with this (already stated in 7.1,
> but ought to be connected to (i) if that text winds up in a different section).
>
> For (ii), I'm not sure what is envisioned by the final sentence in section 7.1:
>
> If other means of protection are available, an "http:" URI MAY be used.
>
> What sorts of "other means of protection" were the underlying motivation? Those "other
> means of protection" would be the reason for (ii) being a "SHOULD" instead of a "MUST".

I think the general countervailing idea here is that location servers are generally expected to be a local network function (see, for example, RFC 5986). In this context, you benefit some from "other protection" in that in order to capture information, an attacker has to be fairly close to the victim.

There's a strong tie to DHCP security here. On one level, by analogy; DHCP, after all, provides no confidentiality protection, which is acceptable largely because its use is so constrained. At another level, though, we have to keep in mind that one of the goals of this document is to enable policy URIs to be distributed through DHCP. So even if we place stronger controls on policy URIs, DHCP will still be a "weaker link". Or, said the other way around, if we require stronger controls for policy URIs (as in your text), then we might as well remove the DHCP transport from the document.

Nonetheless, your two caveats look fine to me if we make some accommodation for this constrained case. Proposed text:

OLD:
"
Confidentiality is required for its conveyance in the location configuration protocol, and in the requests that are used to inspect, change or delete the policy resource.
"
NEW:
"
Confidentiality and integrity protections SHOULD be used when policy URIs are conveyed in a location configuration protocol, and in the requests that are used to inspect, change or delete the policy resource. Note that in some protocols (such as DHCP), these protections may arise from limiting the use of the protocol to the local network, thus relying on lower-layer security mechanisms. When neither application-layer or network-layer security is provided, location servers MUST reject requests using the PUT and DELETE methods, and SHOULD reject PUT and DELETE requests for policy URIs that use the "http:" URI scheme.
"

Thanks,
--Richard

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] Agenda

The agenda does not have draft names in it so the scripts to print all the drafts and make tar balls are not working. Be sort of nice if that got fixed ...

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Gen-art last call review : draft-ietf-geopriv-deref-protocol-03

I'll add that as an RFC editor note and more this into IESG evaluation.

Thanks!

RjS

On Nov 2, 2011, at 5:18 PM, Thomson, Martin wrote:

> On 2011-11-03 at 08:15:01, Robert Sparks wrote:
>> (Including the geopriv list on this reply).
>>
>> Martin - there's one change you made that I think you need to adjust.
>> In response to Elwyn's suggestion about Appendix A, Req 9 below,
>> you've added some 2119 text to that appendix which isn't right. Is
>> there a place you can say what you want to say in the body of the document?
>
> Yeah, and that was stupid of me.
>
> The security considerations already contains a statement to this effect:
>
> Location URIs MUST only be disclosed to authorized Location
> Recipients.
>
> As for the 2119 language, a reference to the above statement should do:
>
> OLD:
> In order to comply with these rules, a Location Recipient
> MUST NOT redistribute a location URI without express
> permission. Depending on the access control model, the
> location URI might be secret (see Section 3.3 of
> [RFC5808]).
> NEW:
> For location URIs that are use possession as a component of
> authorization, the protecting the secrecy of the URI is
> necessary in order to comply with this requirement (see
> Section 6).
>
> --Martin

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

[Geopriv] IETF 82 agenda

Dear GEOPRIV,

The agenda for the GEOPRIV meeting at IETF 82 has been posted:
<http://tools.ietf.org/wg/geopriv/agenda>

Please reply in this thread if you have any agenda bashes.

--Richard
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Gen-art last call review : draft-ietf-geopriv-deref-protocol-03

On 2011-11-03 at 08:15:01, Robert Sparks wrote:
> (Including the geopriv list on this reply).
>
> Martin - there's one change you made that I think you need to adjust.
> In response to Elwyn's suggestion about Appendix A, Req 9 below,
> you've added some 2119 text to that appendix which isn't right. Is
> there a place you can say what you want to say in the body of the document?

Yeah, and that was stupid of me.

The security considerations already contains a statement to this effect:

Location URIs MUST only be disclosed to authorized Location
Recipients.

As for the 2119 language, a reference to the above statement should do:

OLD:
In order to comply with these rules, a Location Recipient
MUST NOT redistribute a location URI without express
permission. Depending on the access control model, the
location URI might be secret (see Section 3.3 of
[RFC5808]).
NEW:
For location URIs that are use possession as a component of
authorization, the protecting the secrecy of the URI is
necessary in order to comply with this requirement (see
Section 6).

--Martin
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv

Re: [Geopriv] Gen-art last call review : draft-ietf-geopriv-deref-protocol-03

(Including the geopriv list on this reply).

Martin - there's one change you made that I think you need to adjust.
In response to Elwyn's suggestion about Appendix A, Req 9 below, you've
added some 2119 text to that appendix which isn't right. Is there a place you
can say what you want to say in the body of the document?

RjS

On Oct 30, 2011, at 8:33 PM, Thomson, Martin wrote:

> Hi Elwyn,
>
> Thanks for going through this in detail.
>
> I see that you've found a few holes in the appendix. I've attempted to correct those. More detail on that below.
>
> I've posted -04 with the changes.
> <http://tools.ietf.org/html/draft-ietf-geopriv-deref-protocol-04>
>
> On 2011-10-24 at 01:11:50, Elwyn Davies wrote:
>> Appendix A: Compliance statement for Req 4: The Compliance statement
>> states that use of HTTPS from Location Recipient to LS is mandated. I
>> cannot find any MUST statement to this effect in the main body of the
>> document.
> [...]
>> Appendix A: Compliance statement for Req 4: Use of the HTTP over TLS
>> PKI infrastructure, would I suppose be implicit if the previous
>> comment were fixed. However, it might be good to make this explicit.
>
> The MUST doesn't exist. There was discussion about mandatory TLS that ended with the text in the body, but the appendix was missed in the edit. The conclusion was that we wouldn't prevent use of http:, but the risks needed to made clear. I hope that this was achieved.
>
> I've added a little note that should make this clearer:
> Though discouraged, using unsecured http: URIs is permitted.
> Using unsecured HTTP is likely to result in non-compliance
> with this requirement.
>
>> Appendix A: Compliance statement for Req 9: Again, the body of the
>> specification is silent on what a Location Reciepient may or may not
>> do with a Location URL. Clearly any constraints are not enforceable
>> within the context of the HELD protocol but it is probably desirable
>> to note the policy of non-propagation implied by Req 9.
>
> That's a good idea.
>
>> Appendix B: Compliance statement for Req C3: Compliance for Auth by
>> Possession seems somewhat dubious. Derogation due to the requirement
>> for expiry is discussed in the body of the document.
>
> The idea that there are two distinct models for authorization is a little bit misleading. A URI that is authorized by possession can still be cancelled using the mechanism described in the policy-uri draft.
>
> An implementation that doesn't support cancellation is not going to be compliant, but that's not a fault in the specification.
>
>> Appendix B: Compliance statement for Req C8: The explicit requirement
>> for a minimum of 128 bits of randomness does not appear in the body of
>> the document. Since the requirements doc is informational, this needs
>> to be made explicit in the main body of the doc.
>
> ADDED:
> The amount of randomness is not specifically identified since it depends on a number of factors that change over time, such as the number of valid location URIs, the validity period of those URIs and the rate that guesses can be made.
>
>> Appendix C: Compliance statement for Req D5: See comments above on
>> App A, Req 4. May be a contradiction here: App A appears to require a
>> MUST; this compliance implies a RECOMMENDS and possibility of http.
>> Needs sorting out.
>
> Sorted out as described above.
>
>> Abstract: Acronym HELD needs to be expanded here (currently expanded
>> in s1).
>
> Fixed.
>
>> s1, Figure 1: (PIcky nit): The infomation carried by the two
>> xxxRequest messages is technically a request for xxx rather than the
>> actual object.
>
> Good point; added "for " to each parenthetical.
>
>> s3.2, para 2: s/before before/before/
>>
>> s5, Figure 5: (Picky nit): The indentation is slightly inconsistent
>> <geopriv> element only indented one space.
>
> You are too observant. Unfortunately, indenting more causes the longer lines to be too wide.
>
>> Appendix A, Req 12 bullet (b): s/about the identity about the
>> Target/about the identity of the Target/
>
> Done.
>
>

_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv