summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc6280.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc6280.txt')
-rw-r--r--doc/rfc/rfc6280.txt2299
1 files changed, 2299 insertions, 0 deletions
diff --git a/doc/rfc/rfc6280.txt b/doc/rfc/rfc6280.txt
new file mode 100644
index 0000000..67328fc
--- /dev/null
+++ b/doc/rfc/rfc6280.txt
@@ -0,0 +1,2299 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) R. Barnes
+Request for Comments: 6280 M. Lepinski
+BCP: 160 BBN Technologies
+Updates: 3693, 3694 A. Cooper
+Category: Best Current Practice J. Morris
+ISSN: 2070-1721 Center for Democracy & Technology
+ H. Tschofenig
+ Nokia Siemens Networks
+ H. Schulzrinne
+ Columbia University
+ July 2011
+
+
+ An Architecture for Location and Location Privacy
+ in Internet Applications
+
+Abstract
+
+ Location-based services (such as navigation applications, emergency
+ services, and management of equipment in the field) need geographic
+ location information about Internet hosts, their users, and other
+ related entities. These applications need to securely gather and
+ transfer location information for location services, and at the same
+ time protect the privacy of the individuals involved. This document
+ describes an architecture for privacy-preserving location-based
+ services in the Internet, focusing on authorization, security, and
+ privacy requirements for the data formats and protocols used by these
+ services.
+
+Status of This Memo
+
+ This memo documents an Internet Best Current Practice.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ BCPs is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6280.
+
+
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 1]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+Copyright Notice
+
+ Copyright (c) 2011 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 2]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. Binding Rules to Data ......................................4
+ 1.2. Location-Specific Privacy Risks ............................5
+ 1.3. Privacy Paradigms ..........................................6
+ 2. Terminology Conventions .........................................7
+ 3. Overview of the Architecture ....................................7
+ 3.1. Basic Geopriv Scenario .....................................8
+ 3.2. Roles and Data Formats ....................................10
+ 4. The Location Life Cycle ........................................12
+ 4.1. Positioning ...............................................13
+ 4.1.1. Determination Mechanisms and Protocols .............14
+ 4.1.2. Privacy Considerations for Positioning .............16
+ 4.1.3. Security Considerations for Positioning ............16
+ 4.2. Location Distribution .....................................17
+ 4.2.1. Privacy Rules ......................................17
+ 4.2.2. Location Configuration .............................19
+ 4.2.3. Location References ................................20
+ 4.2.4. Privacy Considerations for Distribution ............21
+ 4.2.5. Security Considerations for Distribution ...........23
+ 4.3. Location Use ..............................................24
+ 4.3.1. Privacy Considerations for Use .....................25
+ 4.3.2. Security Considerations for Use ....................25
+ 5. Security Considerations ........................................25
+ 6. Example Scenarios ..............................................28
+ 6.1. Minimal Scenario ..........................................28
+ 6.2. Location-Based Web Services ...............................29
+ 6.3. Emergency Calling .........................................31
+ 6.4. Combination of Services ...................................32
+ 7. Glossary .......................................................35
+ 8. Acknowledgements ...............................................38
+ 9. References .....................................................38
+ 9.1. Normative References ......................................38
+ 9.2. Informative References ....................................38
+
+1. Introduction
+
+ Location-based services (applications that require information about
+ the geographic location of an individual or device) are becoming
+ increasingly common on the Internet. Navigation and direction
+ services, emergency services, friend finders, management of equipment
+ in the field, and many other applications require geographic location
+ information about Internet hosts, their users, and other related
+ entities. As the accuracy of location information improves and the
+ expense of calculating and obtaining it declines, the distribution
+ and use of location information in Internet-based services will
+ likely become increasingly pervasive. Ensuring that location
+
+
+
+Barnes, et al. Best Current Practice [Page 3]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ information is transmitted and accessed in a secure and privacy-
+ protective way is essential to the future success of these services,
+ as well as the minimization of the privacy harms that could flow from
+ their wide deployment and use.
+
+ Standards for communicating location information over the Internet
+ have an important role to play in providing a technical basis for
+ privacy and security protection. This document describes a
+ standardized privacy- and security-focused architecture for location-
+ based services in the Internet: the Geopriv architecture. The
+ central component of the Geopriv architecture is the location object,
+ which is used to convey both location information about an individual
+ or device and user-specified privacy rules governing that location
+ information. As location information moves through its life cycle --
+ positioning, distribution, and use by its ultimate recipient(s) --
+ Geopriv provides mechanisms to secure the integrity and
+ confidentiality of location objects and to ensure that location
+ information is only transmitted in compliance with the user's privacy
+ rules.
+
+ The goals of this document are two-fold: First, the architecture
+ described revises and expands on the basic Geopriv Requirements [2]
+ [3], in order to clarify how these privacy concerns and the Geopriv
+ architecture apply to use cases that have arisen since the
+ publication of those documents. Second, this document provides a
+ general introduction to Geopriv and Internet location-based services,
+ and is useful as a good first document for readers new to Geopriv.
+
+1.1. Binding Rules to Data
+
+ A central feature of the Geopriv architecture is that location
+ information is always bound to privacy rules to ensure that entities
+ that receive location information are informed of how they may use
+ it. These rules can convey simple directives ("do not share my
+ location with others"), or more robust preferences ("allow my spouse
+ to know my exact location all of the time, but only allow my boss to
+ know it during work hours"). By creating a structure to convey the
+ user's preferences along with location information, the likelihood
+ that those preferences will be honored necessarily increases. In
+ particular, no recipient of the location information can disavow
+ knowledge of users' preferences for how their location may be used.
+ The binding of privacy rules to location information can convey
+ users' desire for and expectations of privacy, which in turn helps to
+ bolster social and legal systems' protection of those expectations.
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 4]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ Binding of usage rules to sensitive information is a common way of
+ protecting information. Several emerging schemes for expressing
+ copyright information provide for rules to be transmitted together
+ with copyrighted works. The Creative Commons [28] model is the most
+ prominent example, allowing an owner of a work to set four types of
+ rules ("Attribution", "Noncommercial", "No Derivative Works", and
+ "ShareAlike") governing the subsequent use of the work. After the
+ author sets these rules, the rules are conveyed together with the
+ work itself, so that every recipient is aware of the copyright terms.
+
+ Classification systems for controlling sensitive documents within an
+ organization are another example. In these systems, when a document
+ is created, it is marked with a classification such as "SECRET" or
+ "PROPRIETARY". Each recipient of the document knows from this
+ marking that the document should only be shared with other people who
+ are authorized to access documents with that marking. Classification
+ markings can also convey other sorts of rules, such as a
+ specification for how long the marking is valid (a declassification
+ date). The United States Department of Defense guidelines for
+ classification [4] provide one example.
+
+1.2. Location-Specific Privacy Risks
+
+ While location-based services raise some privacy concerns that are
+ common to all forms of personal information, many of them are
+ heightened, and others are uniquely applicable in the context of
+ location information.
+
+ Location information is frequently generated on or by mobile devices.
+ Because individuals often carry their mobile devices with them,
+ location data may be collected everywhere and at any time, often
+ without user interaction, and it may potentially describe both what a
+ person is doing and where he or she is doing it. For example,
+ location data can reveal the fact that an individual was at a
+ particular medical clinic at a particular time. The ubiquity of
+ location information may also increase the risks of stalking and
+ domestic violence if perpetrators are able to use (or abuse)
+ location-based services to gain access to location information about
+ their victims.
+
+ Location information is also of particular interest to governments
+ and law enforcers around the world. The existence of detailed
+ records of individuals' movements should not automatically facilitate
+ the ability for governments to track their citizens, but in some
+ jurisdictions, laws dictating what government agents must do to
+ obtain location data are either non-existent or out of date.
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 5]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+1.3. Privacy Paradigms
+
+ Traditionally, the extent to which data about individuals enjoys
+ privacy protections on the Internet has largely been decided by the
+ recipients of the data. Internet users may or may not be aware of
+ the privacy practices of the entities with whom they share data.
+ Even if they are aware, they have generally been limited to making a
+ binary choice between sharing data with a particular entity or not
+ sharing it. Internet users have not historically been granted the
+ opportunity to express their own privacy preferences to the
+ recipients of their data and to have those preferences honored.
+
+ This paradigm is problematic because the interests of data recipients
+ are often not aligned with the interests of data subjects. While
+ both parties may agree that data should be collected, used,
+ disclosed, and retained as necessary to deliver a particular service
+ to the data subject, they may not agree about how the data should
+ otherwise be used. For example, an Internet user may gladly provide
+ his email address on a Web site to receive a newsletter, but he may
+ not want the Web site to share his email address with marketers,
+ whereas the Web site may profit from such sharing. Neither providing
+ the address for both purposes nor deciding not to provide it is an
+ optimal option from the Internet user's perspective.
+
+ The Geopriv model departs from this paradigm for privacy protection.
+ As explained above, location information can be uniquely sensitive.
+ And as location-based services emerge and proliferate, they
+ increasingly require standardized protocols for communicating
+ location information between services and entities. Recognizing both
+ of these dynamics, Geopriv gives data subjects the ability to express
+ their choices with respect to their own location information, rather
+ than allowing the recipients of the information to define how it will
+ be used. The combination of heightened privacy risk and the need for
+ standardization compelled the Geopriv designers to shift away from
+ the prevailing Internet privacy model, instead empowering users to
+ express their privacy preferences about the use of their location
+ information.
+
+ Geopriv does not, by itself, provide technical means through which it
+ can be guaranteed that users' location privacy rules will be honored
+ by recipients. The privacy protections in the Geopriv architecture
+ are largely provided by virtue of the fact that recipients of
+ location information are informed of relevant privacy rules, and are
+ expected to only use location information in accordance with those
+ rules. The distributed nature of the architecture inherently limits
+ the degree to which compliance can be guaranteed and verified by
+ technical means. Section 5 describes how some security mechanisms
+ can address this to a limited extent.
+
+
+
+Barnes, et al. Best Current Practice [Page 6]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ By binding privacy rules to location information, however, Geopriv
+ provides valuable information about users' privacy preferences, so
+ that non-technical forces such as legal contracts, governmental
+ consumer protection authorities, and marketplace feedback can better
+ enforce those privacy preferences. If a commercial recipient of
+ location information, for example, violates the location rules bound
+ to the information, the recipient can in a growing number of
+ countries be charged with violating consumer or data protection laws.
+ In the absence of a binding of rules with location information,
+ consumer protection authorities would be less able to protect
+ individuals whose location information has been abused.
+
+2. Terminology Conventions
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [1].
+
+ Throughout the remainder of this document, capitalized terms defined
+ in Section 7 refer to Geopriv-specific roles and formats; the same
+ terms used in all lowercase refer generically to those terms.
+
+3. Overview of the Architecture
+
+ This section provides an overview of the Geopriv architecture for the
+ secure and private distribution of location information on the
+ Internet. We describe the three phases of the "location life cycle"
+ -- positioning, distribution, and use -- and discuss how the
+ components of the architecture fit within each phase. The next
+ section provides additional detail about how each phase can be
+ achieved in a private and secure manner.
+
+ The risks discussed in the previous section all arise from
+ unauthorized disclosure or usage of location information. Thus, the
+ Geopriv architecture has two fundamental privacy goals:
+
+ 1. Ensure that location information is distributed only to
+ authorized entities, and
+
+ 2. Provide information to those entities about how they are
+ authorized to use the location information.
+
+ If these two goals are met, all parties that receive location
+ information will also receive directives about how they can use that
+ information. Privacy-preserving entities will only engage in
+ authorized uses, and entities that violate privacy will do so
+ knowingly, since they have been informed of what is authorized (and
+ thus, implicitly, of what is not).
+
+
+
+Barnes, et al. Best Current Practice [Page 7]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ Privacy rules and their distribution are thus the central technical
+ components of the privacy system, since they inform location
+ recipients about how they are authorized to use that information.
+ The two goals in the preceding paragraph are enabled by two classes
+ of rules:
+
+ 1. Access control rules: Rules that describe which entities may
+ receive location information and in what form
+
+ 2. Usage rules: Rules that describe what uses of location
+ information are authorized
+
+ Within this framework for privacy, security mechanisms provide
+ support for the application of privacy rules. For example,
+ authentication mechanisms validate the identities of entities
+ requesting a location (so that authorization and access-control
+ policies can be applied), and confidentiality mechanisms protect
+ location information en route between privacy-preserving entities.
+ Security mechanisms can also provide assurances that are outside the
+ purview of privacy by, for example, assuring location recipients that
+ location information has been faithfully transmitted to them by its
+ creator.
+
+3.1. Basic Geopriv Scenario
+
+ As location information is transmitted among Internet hosts, it goes
+ through a "location life cycle": first, the location is computed
+ based on some external information (positioning), and then it is
+ transmitted from one host to another (distribution) until finally it
+ is used by a recipient (use).
+
+ For example, suppose Alice is using a mobile device, she learns of
+ her location from a wireless location service, and she wishes to
+ share her location privately with her friends by way of a presence
+ service. Alice clearly needs to provide the presence server with her
+ location and rules about which friends can be provided with her
+ location. To enable Alice's friends to preserve her privacy, they
+ need to be provided with privacy rules. Alice may tell some of her
+ friends the rules directly, or she can have the presence server
+ provide the rules to her friends when it provides them with her
+ location. In this way, every friend who receives Alice's location is
+ authorized by Alice to receive it, and every friend who receives it
+ knows the rules. Good friends will obey the rules. If a bad friend
+ breaks them and Alice finds out, the bad friend cannot claim that he
+ was unaware of the rules.
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 8]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ Some of Alice's friends will be interested in using Alice's location
+ only for their own purposes, for example, to meet up with her or plot
+ her location over time. The usage rules that they receive direct
+ them as to what they can or cannot do (for example, Alice might not
+ want them keeping her location for more than, say, two weeks).
+
+ Consider one friend, Bob, who wants to send Alice's location to some
+ of his friends. To operate in a privacy-protective way, Bob needs
+ not only usage rules for himself, but also access control rules that
+ describe who he can send information to and rules to give to the
+ recipients. If the rules he received from the presence server
+ authorize him to give Alice's location to others, he may do so;
+ otherwise, he will require additional rules from Alice before he is
+ authorized to distribute her location. If recipients who receive
+ Alice's location from Bob want to distribute the location information
+ further, they must go through the same process as Bob.
+
+ The whole example is illustrated in the following figure:
+
+ +----------+
+ | Wireless |
+ | Location |
+ | Service | Retrieve
+ +----------+ Access Control Rules
+ | +--------------------------------+
+ | | +--------------------------+ |
+ Location | | Access | |
+ | | | Control Rules v |
+ | | | +-----+
+ | | | | Bob |
+ | | | |+---+|--> ...
+ | | | +----->||PC ||
+ ........... v | | ++---++
+ | +------+| +----------+ |
+ | |Mobile|+--Location->| Presence |--Location-->| +----------+
+ | |Phone || | Server | |---->| Friend-1 |
+ | +------++---Rules--->| |---Rules---->| +----------+
+ | Alice | +----------+ |
+ | O | |
+ | /|\ | | +----------+
+ | / \ | +---->| Friend-2 |
+ `---------' +----------+
+
+ Figure 1: Basic Geopriv Scenario
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 9]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+3.2. Roles and Data Formats
+
+ The above example illustrates the six basic roles in the Geopriv
+ architecture:
+
+ Target: An individual or other entity whose location is sought in
+ the Geopriv architecture. In many cases, the Target will be the
+ human user of a Device, but it can also be an object such as a
+ vehicle or shipping container to which a Device is attached. In
+ some instances, the Target will be the Device itself. The Target
+ is the entity whose privacy Geopriv seeks to protect. Alice is
+ the Target in Figure 1.
+
+ Device: The physical device, such as a mobile phone, PC, or
+ embedded micro-controller, whose location is tracked as a proxy
+ for the location of a Target. Alice's mobile phone is the Device
+ in Figure 1.
+
+ Rule Maker (RM): Performs the role of creating rules governing
+ access to location information for a Target. In some cases, the
+ Target performs the Rule Maker role (as is the case with Alice),
+ and in other cases they are separate. For example, a parent may
+ serve as the Rule Maker when the Target is his child, or a
+ corporate security officer may serve as the Rule Maker for devices
+ owned by the corporation but used by employees. The Rule Maker is
+ also not necessarily the owner of the Device. For example, a
+ corporation may provide a Device to an employee but permit the
+ employee to serve as the Rule Maker and set her own privacy rules.
+
+ Location Generator (LG): Performs the roles of initially
+ determining or gathering the location of the Device and providing
+ it to Location Servers. Location Generators may be any sort of
+ software or hardware used to obtain the Device's location.
+ Examples include Global Positioning System (GPS) chips and
+ cellular networks. A Device may even perform the Location
+ Generator role for itself; Devices capable of unassisted
+ satellite-based positioning and Devices that accept manually
+ entered location information are two examples. The wireless
+ location service plays the Location Generator role in Figure 1.
+
+ Location Server (LS): Performs the roles of receiving location
+ information and rules, applying the rules to the location
+ information to determine what other entities, if any, can receive
+ location information, and providing the location to Location
+ Recipients. Location Servers receive location information from
+ Location Generators and rules from Rule Makers, and then apply the
+ rules to the location information. Location Servers may not
+ necessarily be "servers" in the colloquial sense of hosts in
+
+
+
+Barnes, et al. Best Current Practice [Page 10]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ remote data centers servicing requests. Rather, a Location Server
+ can be any software or hardware component that distributes
+ location information. Examples include a server in an access
+ network, a presence server, or a Web browser or other software
+ running on a Device. The above example includes three Location
+ Servers: Alice's mobile phone, the presence service, and Bob's PC.
+
+ Location Recipient (LR): Performs the role of receiving location
+ information. A Location Recipient may ask for a location
+ explicitly (by sending a query to a Location Server), or it may
+ receive a location asynchronously. The presence service, Bob,
+ Friend-1, and Friend-2 are Location Recipients in Figure 1.
+
+ In general, these roles may or may not be performed by physically
+ separate entities, as demonstrated by the entities in Figure 1, many
+ of which perform multiple roles. It is not uncommon for the same
+ entity to perform both the Location Generator and Location Server
+ roles, or both the Location Recipient and Location Server roles. A
+ single entity may take on multiple roles simply by virtue of its own
+ capabilities and the permissions provided to it.
+
+ Although in the above example there is only a single Location
+ Generator and a single Rule Maker, in some cases a Location Server
+ may receive Location Objects from multiple Location Generators or
+ Rules from multiple Rule Makers. Likewise, a single Location
+ Generator may publish location information to multiple Location
+ Servers, and a single Location Recipient may receive Location Objects
+ from multiple Location Servers.
+
+ There is a close relationship between a Target and its Device. The
+ term "Device" is used when discussing protocol interactions, whereas
+ the term "Target" is used when discussing generically the person or
+ object being located and its privacy. While in the example above
+ there is a one-to-one relationship between the Target and the Device,
+ Geopriv can also be used to convey location information about a
+ device that is not directly linked to a single individual or object,
+ such as a Device shared by multiple individuals.
+
+ Two data formats are necessary within this architecture:
+
+ Location Object (LO): An object used to convey location information
+ together with Privacy Rules. Geopriv supports both geodetic
+ location data (latitude, longitude, altitude, etc.) and civic
+ location data (street, city, state, etc.). Either or both types
+ of location information may be present in a single LO (see the
+ considerations in [5] for LOs containing multiple locations).
+ Location Objects typically include some sort of identifier of the
+ Target.
+
+
+
+Barnes, et al. Best Current Practice [Page 11]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ Privacy Rule: A directive that regulates an entity's activities
+ with respect to location information, including the collection,
+ use, disclosure, and retention of the location information.
+ Privacy Rules describe which entities may obtain location
+ information in what form (access control rules) and how location
+ information may be used by an entity (usage rules).
+
+ The whole example, using Geopriv roles and formats, is illustrated in
+ the following figure:
+
+ +----+
+ | LG |
+ +----+
+ ^
+ |
+ Positioning
+ Data
+ |
+ | +------------Privacy Rules------------------>+----+
+ | | +---->| LR |--> ...
+ | | | | LS |
+ v | | +----+
+ +-------+ |
+ |Target | +----+ | +----+
+ |Device |--------------->| LR |---------------+---->| LR |
+ | RM | LO | LS | LO | +----+
+ | LS | +----+ |
+ +-------+ |
+ | +----+
+ +---->| LR |
+ +----+
+
+ Figure 2: Basic Geopriv Scenario
+
+4. The Location Life Cycle
+
+ The previous section gave an example of how an individual's location
+ can be distributed through the Internet. In general, the location
+ life cycle breaks down into three phases:
+
+ 1. Positioning: A Location Generator determines the Device's
+ location.
+
+ 2. Distribution: Location Servers send location information to
+ Location Recipients, which may in turn act as Location Servers
+ and further distribute the location to other Location Recipients,
+ possibly several times.
+
+
+
+
+Barnes, et al. Best Current Practice [Page 12]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ 3. Use: A Location Recipient receives the location and uses it.
+
+ Each of these phases involves a different set of Geopriv roles, and
+ each has a different set of privacy and security implications. The
+ Geopriv roles are mapped onto the location life cycle in the figure
+ below.
+
+ +----------+
+ | Rule |+
+ | Maker(s)||
+ Positioning | ||
+ Data +----------+|
+ | +----------+
+ | | Rules
+ | |
+ | |
+ V V
+ +----------+ +----------+ +----------+
+ |Location | Location | Location |+ LO |Location |
+ |Generator |--------------->| Server(s)||-------------->|Recipient |
+ | | | || | |
+ +----------+ +----------+| +----------+
+ +----------+
+ <-------------------------><---------------------------><----------->
+ Positioning Distribution Use
+
+ Figure 3: Location Life Cycle
+
+4.1. Positioning
+
+ Positioning is the process by which the physical location of the
+ Device is computed, based on some observations about the Device's
+ situation in the physical world. (This process goes by several other
+ names, including Location Determination or Sighting.) The input to
+ the positioning process is some information about the Device, and the
+ outcome is that the LG knows the location of the Device.
+
+ In this section, we give a brief taxonomy of current positioning
+ systems, their requirements for protocol support, and the privacy and
+ security requirements for positioning.
+
+
+
+
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 13]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+4.1.1. Determination Mechanisms and Protocols
+
+ While the specific positioning mechanisms that can be applied for a
+ given Device are strongly dependent on the physical situation and
+ capabilities of the Device, these mechanisms generally fall into the
+ three categories described in detail below:
+
+ o Device-based
+
+ o Network-based
+
+ o Network-assisted
+
+ As suggested by the above names, a positioning scheme can rely on the
+ Device, an Internet-accessible resource (not necessarily a network
+ operator), or a combination of the two. For a given scheme, the
+ nature of this reliance will dictate the protocol mechanisms needed
+ to support it.
+
+ With Device-based positioning mechanisms, the Device is capable of
+ determining its location by itself. This is the case for a manually
+ entered location or for (unassisted) satellite-based positioning
+ using a Global Navigation Satellite System (GNSS). In these cases,
+ the Device acts as its own LG, and there are no protocols required to
+ support positioning beyond those that transmit the positioning data
+ from the satellite to the user.
+
+ In network-based positioning schemes, an external LG (an Internet
+ host other than the Device) has access to sufficient information
+ about the Device, through out-of-band channels, to establish the
+ position of the Device. The most common examples of this type of LG
+ are entities that have a physical relationship to the Device (such as
+ ISPs). In wired networks, wiremap-based location is a network-based
+ technique; in wireless networks, timing and signal-strength-based
+ techniques that use measurements from base stations are considered to
+ be network-based. Large-scale IP-to-geo databases (for example,
+ those based on WHOIS data or latency measurements) are also
+ considered to be network-based positioning mechanisms.
+
+ For network-based positioning as for Device-based, no protocols for
+ communication between the Device and the LG are strictly necessary to
+ support positioning, since positioning information is collected
+ outside of the location distribution system (at lower layers of the
+ network stack, for example). This does not rule out the use of other
+ Internet protocols (like the Simple Network Management Protocol
+ (SNMP)) to collect inputs to the positioning process. Rather, since
+ these inputs can only be used by certain LGs to determine location,
+ they are not controlled as private information. Network-based
+
+
+
+Barnes, et al. Best Current Practice [Page 14]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ positioning often provides location information to protocols by which
+ the network informs a Device of its own location. These are known as
+ Location Configuration Protocols; see Section 4.2.2 for further
+ discussion.
+
+ Network-assisted systems account for the greatest number and
+ diversity of positioning schemes. In these systems, the work of
+ positioning is divided between the Device and an external LG via
+ some communication (possibly over the Internet), typically in one of
+ two ways:
+
+ o The Device provides measurements to the LG, or
+
+ o The LG provides assistance data to the Device.
+
+ "Measurements" are understood to be observations about the Device's
+ environment, ranging from wireless signal strengths to the Media
+ Access Control (MAC) address of a first-hop router. "Assistance" is
+ the complement to measurement, namely the positioning information
+ that enables the computation of location based on measurements. A
+ set of wireless base station locations (or wireless calibration
+ information) would be an assistance datum, as would be a table that
+ maps routers to buildings in a corporate campus.
+
+ For example, wireless and wired networks can serve as the basis for
+ network-assisted positioning. In several current 802.11 positioning
+ systems, the Device sends measurements (e.g., MAC addresses and
+ signal strengths) to an LG, and the LG returns a location to the
+ client. In wired networks, the Device can send its MAC address to
+ the LG, which can query the MAC-layer infrastructure to determine the
+ switch and port to which that MAC address is connected, then query a
+ wire map to determine the location at which the wire connected to
+ that port terminates.
+
+ As an aside, the common phrase "assisted GPS" ("assisted GNSS" more
+ broadly) actually encompasses techniques that transmit both
+ measurements and assistance data. Systems in which the Device
+ provides the LG with GNSS measurements are measurement-based, while
+ those in which the assistance server provides ephemeris or almanac
+ data are assistance-based in the above terminology. (Those familiar
+ with GNSS positioning will note that there are of course cases in
+ which both of these interactions occur within a single location
+ determination protocol, so the categories are not mutually
+ exclusive.)
+
+ Naturally, the exchange of measurement or positioning data between
+ the Device and the LG requires a protocol over which the information
+ is carried. The structure of this protocol will depend on which of
+
+
+
+Barnes, et al. Best Current Practice [Page 15]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ the two patterns a network-assisted scheme follows. Conversely, the
+ structure of the protocol will determine which of the two parties
+ (the Device, the LG, or both) is aware of the Device's location at
+ the end of the protocol interaction.
+
+4.1.2. Privacy Considerations for Positioning
+
+ Positioning is the first point at which location may be associated
+ with a particular Device and may be associated with the Target's
+ identity. Local identifiers, unlinked pseudonyms, or private
+ identifiers that are not linked to the real identity of the Target
+ should be used as forms of identity whenever possible. This provides
+ privacy protection by disassociating the location from the Target's
+ identity before it is distributed.
+
+ At the conclusion of the positioning process, the entity acting as
+ the LG has the Device's location. If the Device is performing the LG
+ role, then both the Device and LG have it. If the entity acting as
+ the LG also performs the role of LS, the privacy considerations in
+ Section 4.2.4 apply.
+
+ In some deployment scenarios, positioning functions and distribution
+ functions may need to be provided by separate entities, in which case
+ the LG and LS roles will not be performed by the same entity. In
+ this situation, the LG acts as a "dumb", non-privacy-aware
+ positioning resource, and the LS provides the privacy logic necessary
+ to support distribution (possibly with multiple LSes using the same
+ LG). In order to allow the privacy-unaware LG to distribute location
+ information to these LSes while maintaining privacy, the relationship
+ between the LG and its set of LSes MUST be tightly constrained
+ (effectively "hard-wired"). That is, the LG MUST only provide
+ location information to a small fixed set of LSes, and each of these
+ LSes MUST comply with the requirements of Section 4.2.4.
+
+4.1.3. Security Considerations for Positioning
+
+ Manipulation of the positioning process can expose location
+ information through two mechanisms:
+
+ 1) A third party could guess or derive measurements about a specific
+ device and use them to get the location of that Device. To mitigate
+ this risk, the LG SHOULD be able to authenticate and authorize
+ devices providing measurements and, if possible, verify that the
+ presented measurements are likely to be the actual physical values
+ measured by that client. These security procedures rely on the type
+ of positioning being done, and may not be technically feasible in all
+ cases.
+
+
+
+
+Barnes, et al. Best Current Practice [Page 16]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ 2) By eavesdropping, a third party may be able to obtain measurements
+ sent by the Device itself that indicate the rough position of the
+ Device. To mitigate this risk, protocols used for positioning MUST
+ provide confidentiality and integrity protections in order to prevent
+ observation and modification of transmitted positioning data while en
+ route between the Target and the LG.
+
+ If an LG or a Target chooses to act as an LS, it inherits the
+ security requirements for an LS, described in Section 4.2.5.
+
+4.2. Location Distribution
+
+ When an entity receives location information (from an LG or an LS)
+ and redistributes it to other entities, it acts as an LS. Location
+ Distribution is the process by which one or more LSes provide LOs to
+ LRs in a privacy-preserving manner.
+
+ The role of an LS is thus two-fold: First, it must collect location
+ information and Rules that control access to that information. Rules
+ can be communicated within an LO, within a protocol that carries LOs,
+ or through a separate protocol that carries Rules. Second, the LS
+ must process requests for location information and apply the Rules to
+ these requests in order to determine whether it is authorized to
+ fulfill them by returning location information.
+
+ An LS thus has at least two types of interactions with other hosts,
+ namely receiving and sending LOs. An LS may optionally implement a
+ third interaction, allowing Rule Makers to provision it with Rules.
+ The distinction between these two cases is important in practice,
+ because it determines whether the LS has a direct relationship with a
+ Rule Maker: An LS that accepts Rules directly from a Rule Maker has
+ such a relationship, while an LS that acquires all its Rules through
+ LOs does not.
+
+4.2.1. Privacy Rules
+
+ Privacy Rules are the central mechanism in Geopriv for maintaining a
+ Target's privacy, because they provide a recipient of an LO (an LS or
+ LR) with information on how the LO may be used.
+
+ Throughout the Geopriv architecture, Privacy Rules are communicated
+ in rules languages with a defined syntax and semantics. For example,
+ the Common Policy rules language has been defined [6] to provide a
+ framework for broad-based rule specifications. Geopriv Policy [7]
+ defines a language for creating location-specific rules. The XML
+ Configuration Access Protocol (XCAP) [8] can be used as a protocol to
+ install rules in both of these formats.
+
+
+
+
+Barnes, et al. Best Current Practice [Page 17]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ Privacy Rules follow a default-deny pattern: an empty set of Rules
+ implies that all requests for location information should be denied,
+ except requests made by the Target itself. Each Rule adds to the
+ set, granting a specific permission. Adding a Rule can only augment
+ privacy protections because all Rules are positive grants of
+ permission.
+
+ The following are examples of Privacy Rules governing location
+ distribution:
+
+ o Retransmit location information when requested from example.com.
+
+ o Retransmit only city and country.
+
+ o Retransmit location information with no less than a 100-meter
+ radius of uncertainty.
+
+ o Retransmit location information only for the next two weeks.
+
+ LSes enforce Privacy Rules in two ways: by denying requests for
+ location information, or by transforming the location information
+ before retransmitting it.
+
+ LSes may also receive Rules governing location retention, such as
+ "Retain location only for 48 hours". Such Rules are simply
+ directives about how long the Target's location information can be
+ retained.
+
+ Privacy Rules can govern the behavior of both LSes and LRs. Rules
+ that direct LSes about how to treat a Target's location information
+ are known as Local Rules. Local Rules are used internally by the LS
+ to handle requests from LRs. They are not distributed to LRs.
+
+ Forwarded Rules, on the other hand, travel inside LOs and direct LSes
+ and LRs about how to handle the location information they receive.
+ Because the Rules themselves may reveal potentially sensitive
+ information about the Target, only the minimal subset of Forwarded
+ Rules necessary to handle the LO is distributed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 18]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ An example can illustrate the interaction between Local Rules and
+ Forwarded Rules. Suppose Alice provides the following Local Rules to
+ an LS:
+
+ o The LS may retransmit Alice's precise location to Bob, who in turn
+ is permitted to retain the location information for one month.
+
+ o The LS may retransmit Alice's city, state, and country to Steve,
+ who in turn is permitted to retain the location information for
+ one hour.
+
+ o The LS may retransmit Alice's country to a photo-sharing Web site,
+ which in turn is permitted to retain the location information for
+ one year and retransmit it to any requesters.
+
+ When Steve asks for Alice's location, the LS can transmit to Steve
+ the limited location information (city, state, and country) along
+ with Forwarded Rules instructing Steve to (a) not further retransmit
+ Alice's location information, and (b) only retain the location
+ information for one hour. By only sending these specifically
+ applicable Forwarded Rules to Steve (as opposed to the full set of
+ Local Rules), the LS is protecting Alice's privacy by not disclosing
+ to Steve that (for example) Alice allows Bob to obtain more precise
+ location information than Alice allows Steve to receive.
+
+ Geopriv is designed to be usable even by devices with constrained
+ processing capabilities. To ensure that Forwarded Rules can be
+ processed on constrained devices, LOs are required to carry only a
+ limited set of Forwarded Rules, with an option to reference a more
+ robust set of external Rules. The limited Rule set covers two
+ privacy aspects: how long the Target's location may be retained
+ ("Retention"), and whether or not the Target's location may be
+ retransmitted ("Retransmission"). An LO may contain a pointer to
+ more robust Rules, such as those shown in the set of four Rules at
+ the beginning of this section.
+
+4.2.2. Location Configuration
+
+ Some entities performing the LG role are designed only to provide
+ Targets with their own locations, as opposed to distributing a
+ Target's location to others. The process of providing a Target with
+ its own location is known within Geopriv as Location Configuration.
+ The term "Location Information Server" (LIS) is often used to
+ describe the entity that performs this function. However, a LIS may
+ also perform other functions, such as providing a Target's location
+ to other entities.
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 19]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ A Location Configuration Protocol (LCP) [9] is one mechanism that can
+ be used by a Device to discover its own location from a LIS. LCPs
+ provide functions in the way they obtain, transport, and deliver
+ location requests and responses between a LIS and a Device such that
+ the LIS can trust that the location requests and responses handled
+ via the LCP are in fact from/to the Target. Several LCPs have been
+ developed within Geopriv [10] [11] [12] [13].
+
+ A LIS whose sole purpose is to perform Location Configuration need
+ only follow a simple privacy-preserving policy: transmit a Target's
+ location only to the Target itself. This is known as the "LCP
+ policy".
+
+ Importantly, if an LS is also serving in the role of LG and it has
+ not been provisioned with Privacy Rules for a particular Target, it
+ MUST follow the LCP policy, whether it is a LIS or not. In the
+ positioning phase, an entity serving the roles of both LG and LS that
+ has not received Privacy Rules must follow this policy. The same is
+ true for any LS in the distribution phase.
+
+4.2.3. Location References
+
+ The location distribution process occurs through a series of
+ transmissions of LOs: transmissions of location "by value". Location
+ "by value" can be expressed in terms of geodetic location data
+ (latitude, longitude, altitude, etc.) and civic location data
+ (street, city, state, etc.).
+
+ A location can also be distributed "by reference", where a reference
+ is represented by a URI that can be dereferenced to obtain the LO.
+ This document summarizes the properties of location-by-reference that
+ are discussed at length in [14].
+
+ Distribution of location-by-reference (distribution of location URIs)
+ offers several benefits. Location URIs are a more compact way of
+ transmitting location information, since URIs are usually smaller
+ than LOs. A recipient of location information can make multiple
+ requests to a URI over time to receive updated location information
+ if the URI is configured to provide a fresh location rather than a
+ single "snapshot".
+
+ From a positioning perspective, location-by-reference can offer the
+ additional benefit of "just in time" positioning. If a location is
+ distributed by reference, an entity acting as a combined LG/LS only
+ needs to perform positioning operations when a recipient dereferences
+ a previously distributed URI.
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 20]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ From a privacy perspective, distributing a location as a URI instead
+ of as an LO can help protect privacy by forcing each recipient of the
+ location to request location information from the referenced LS,
+ which can then apply access controls individually to each recipient.
+ But the benefit provided here is contingent on the LS applying access
+ controls. If the LS does not apply an access control policy to
+ requests for a location URI (in other words, if it enforces the
+ "possession model" defined in [14]), then transmitting a location URI
+ presents the same privacy risks as transmitting the LO itself.
+ Moreover, the use of location URIs without access controls can
+ introduce additional privacy risks: If URIs are predictable, an
+ attacker to whom the URI has not been sent may be able to guess the
+ URI and use it to obtain the referenced LO. To mitigate this,
+ location URIs without access controls need to be constructed so that
+ they contain a random component with sufficient entropy to make
+ guessing infeasible.
+
+4.2.4. Privacy Considerations for Distribution
+
+ Location information MUST be accompanied by Rules throughout the
+ distribution process. Otherwise, a recipient will not know what uses
+ are authorized, and will not be able to use the LO. Consequently,
+ LOs MUST be able to express Rules that convey appropriate
+ authorizations.
+
+ An LS MUST only accept Rules from authorized Rule Makers. For an LS
+ that receives Rules exclusively in LOs and has no direct relationship
+ with a Rule Maker, this requirement is met by applying the Rules
+ provided in an LO to the distribution of that LO. For an LS with a
+ direct relationship to a Rule Maker, this requirement means that the
+ LS MUST be configurable with an RM authorization policy. An LS
+ SHOULD define a prescribed set of RMs that may provide Rules for a
+ given Target or LO. For example, an LS may only allow the Target to
+ set Rules for itself, or it might allow an RM to set Rules for
+ several Targets (e.g., a parent for children, or a corporate security
+ officer for employees).
+
+ No matter how Rules are provided to an LS, for each LO it receives,
+ it MUST combine all Rules that apply to the LO into a Rule set that
+ defines which transmissions are authorized, and it MUST transmit
+ location information only in ways that are authorized by these Rules.
+
+ An LS that receives Rules exclusively through LOs MUST examine the
+ Rules that accompany a given LO in order to determine how the LS may
+ use the LO. If any Rules are included by reference, the LS SHOULD
+ attempt to download them. If the LO includes no Rules that allow the
+ LS to transmit the LO to another entity, then the LS MUST NOT
+ transmit the LO. If the LO contains no Rules at all -- for example,
+
+
+
+Barnes, et al. Best Current Practice [Page 21]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ if it is in a format with no Rules syntax -- then the LS MUST delete
+ it. Emergency services provide an exception in that Rules can be
+ implicit; see [15]). If the LO included Rules by reference, but
+ these Rules were not obtained for any reason, the LS MUST NOT
+ transmit the LO and MUST adhere to the provided value in the
+ retention-expires field.
+
+ An LS that receives Rules both directly from one or more Rule Makers
+ and through LOs MUST combine the Rules in a given LO with Rules it
+ has received from the RMs. The strategy the LS uses to combine these
+ sets of Rules is a matter for local policy, depending on the relative
+ priority that the LS grants to each source of Rules. Some example
+ policies are:
+
+ Union: A transmission of location information is authorized if it
+ is authorized by either a rule in the LO or an RM-provided rule.
+
+ Intersection: A transmission of location information is authorized
+ if it is authorized by both a rule in the LO and an RM-provided
+ rule.
+
+ RM Override: A transmission of location information is authorized
+ if it is authorized by an RM-provided rule, regardless of the LO
+ Rules.
+
+ LO Override: A transmission of location information is authorized
+ if it is authorized by an LO-provided rule, regardless of the RM
+ Rules.
+
+ The default combination policy for an LS that receives multiple rule
+ sets is to combine them according to procedures in Section 10 of
+ RFC 4745 [6]. Privacy rules always grant access; i.e., the default
+ is to deny access, and rules specify conditions under which access is
+ allowed. Thus, when an LS is provided more than one policy document
+ that applies to a given LO, it has been instructed to provide access
+ when any of the rules apply. That is, the "Union" policy is the
+ default policy for an LS with multiple sources of policy. An LS MAY
+ choose to apply a more restrictive policy by ignoring some of the
+ grants of permission in the privacy rules provided. The
+ "Intersection" policy and both "Override" policies listed above are
+ of this latter character.
+
+ Protocols that are used for managing rules should allow an RM to
+ retrieve from the LS the set of rules that will ultimately be
+ applied. For example, in the basic HTTP-based protocol defined in
+ [16], an RM can use a GET request to retrieve the policy being
+ applied by the LS and a PUT request to specify new rules.
+
+
+
+
+Barnes, et al. Best Current Practice [Page 22]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ Different policies may be applicable in different scenarios. In
+ cases where an external RM is more trusted than the source of the LO,
+ the "RM Override" policy may be suitable (for example, if the
+ external RM is the Target and the LO is provided by a third party).
+ Conversely, the "LO Override" policy is better suited to cases where
+ the LO provider is more trusted than the RM, for example, if the RM
+ is the user of a mobile device LS and the LO contains Rules from the
+ RM's parents or corporate security office. The "Intersection" policy
+ takes the strictest view of the permission grants, giving equal
+ weight to all RMs (including the LO creator).
+
+ Each of these policies will also have different privacy consequences.
+ Following the "Intersection" policy ensures that the most privacy-
+ protective subset of all RMs' rules will be followed. The "Union"
+ policy and both "Override" policies may defy the expectations of any
+ RM (including, potentially, the Target) whose policy is not followed.
+ For example, if a Target acting as an RM sets Rules and those Rules
+ are overridden by the application of a more permissive LO Override
+ policy that has been set by the Target's parent or employer acting as
+ an RM, the retransmission or retention of the Target's data may come
+ as a surprise to the Target. For this reason, it is RECOMMENDED that
+ LSes provide a way for RMs to be able to find out which policy will
+ be applied to the distribution of a given LO.
+
+4.2.5. Security Considerations for Distribution
+
+ An LS's decisions about how to transmit a location are based on the
+ identities of entities requesting information and other aspects of
+ requests for a location. In order to ensure that these decisions are
+ made properly, the LS needs assurance of the reliability of
+ information on the identities of the entities with which the LS
+ interacts (including LRs, LSes, and RMs) and other information in the
+ request.
+
+ Protocols to convey LOs and protocols to convey Rules MUST provide
+ information on the identity of the recipient of location information
+ and the identity of the RM, respectively. In order to ensure the
+ validity of this information, these protocols MUST allow for mutual
+ authentication of both parties, and MUST provide integrity protection
+ for protocol messages. These security features ensure that the LG
+ has sufficient information (and sufficiently reliable information) to
+ make privacy decisions.
+
+
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 23]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ As they travel through the Internet, LOs necessarily pass through a
+ sequence of intermediaries, ranging from layer-2 switches to IP
+ routers to application-layer proxies and gateways. The ability of an
+ LS to protect privacy by making access control decisions is reduced
+ if these intermediaries have access to an LO as it travels between
+ privacy-preserving entities.
+
+ Ideally, LOs SHOULD be transmitted with confidentiality protection
+ end-to-end between an LS that transmits location information and the
+ LR that receives it. In some cases, the protocol conveying an LO
+ provides confidentiality protection as a built-in security solution
+ for its signaling (and potentially its data traffic). In this case,
+ carrying an unprotected LO within such an encrypted channel is
+ sufficient. Many protocols, however, are offering communication
+ modes where messages are either unprotected or protected on a hop-by-
+ hop basis (for example, between intermediaries in a store-and-forward
+ protocol). In such a case, it is RECOMMENDED that the protocol allow
+ for the use of encrypted LOs, or for the transmission of a reference
+ to a location in place of an LO [14].
+
+4.3. Location Use
+
+ The primary privacy requirement of an LR is to constrain its usage of
+ location information to the set of uses authorized by the Rules in an
+ LO. If an LR only uses an LO in ways that have minimal privacy
+ impact -- specifically, if it does not transmit the LO to any other
+ entity, and does not retain the LO for longer than is required to
+ complete its interaction with the LS -- then no further action is
+ necessary for the LR to comply with Geopriv requirements.
+
+ As an example of this simplest case, if an LR (a) receives a
+ location, (b) immediately provides to the Target information or a
+ service based on the location, (c) does not retain the information,
+ and (d) does not retransmit the location to any other entity, then
+ the LR will comply with any set of Rules that are permissible under
+ Geopriv. Thus, a service that, for example, only provides directions
+ to the closest bookstore in response to an input of a location, and
+ promptly then discards the input location, will be in compliance with
+ any Geopriv Rule set.
+
+ LRs that make other uses of an LO (e.g., those that store LOs or send
+ them to other service providers to obtain location-based services)
+ MUST meet the requirements below to assure that these uses are
+ authorized.
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 24]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+4.3.1. Privacy Considerations for Use
+
+ The principal privacy requirement for LRs is to follow usage rules.
+ Any LR that wants to retransmit or retain the LO is REQUIRED to
+ examine the rules included with that LO. Any usage the LR makes of
+ the LO MUST be explicitly authorized by these Rules. Since Rules are
+ positive grants of permission, any action not explicitly authorized
+ is denied by default.
+
+4.3.2. Security Considerations for Use
+
+ Since the LR role does not involve transmission of location
+ information, there are no protocol security considerations required
+ to support privacy, other than ensuring that data does not leak
+ unintentionally due to security breaches.
+
+ Aside from privacy, LRs often require some assurance that an LO is
+ reliable (assurance of the integrity, authenticity, and validity of
+ an LO), since LRs use LOs in order to deliver location-based
+ services. Threats against this reliability, and corresponding
+ mitigations, are discussed in "Security Considerations" below.
+
+5. Security Considerations
+
+ Security considerations related to the privacy of LOs are discussed
+ throughout this document. In this section, we summarize those
+ concerns and consider security risks not related to privacy.
+
+ The life cycle of an LO often consists of a series of location
+ transmissions. Protocols that carry location information can provide
+ strong assurances, but only for a single segment of the LO's life
+ cycle. In particular, a protocol can provide integrity protection
+ and confidentiality for the data exchanged, and mutual authentication
+ of the parties involved in the protocol, by using a secure transport
+ such as IPSec [17] or Transport Layer Security (TLS) [18].
+
+ Additionally, if (1) the protocol provides mutual authentication for
+ every segment, and (2) every entity in the location distribution
+ chain exchanges information only with entities with whom it has a
+ trust relationship, entities can transitively obtain assurances
+ regarding the origin and ultimate destination of the LO. Of course,
+ direct assurances are always preferred over assurances requiring
+ transitive trust, since they require fewer assumptions.
+
+ Using protocol mechanisms alone, the entities can receive assurances
+ only about a single hop in the distribution chain. For example,
+ suppose that an LR receives location information from an LS over an
+ integrity- and confidentiality-protected channel. The LR knows that
+
+
+
+Barnes, et al. Best Current Practice [Page 25]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ the transmitted LO has not been modified or observed en route.
+ However, the assurances provided by the protocol do not guarantee
+ that the transmitted LO was not corrupted before it was sent to the
+ LS (by a previous LS, for example). Likewise, the LR can verify that
+ the LO was transmitted by the LS, but cannot verify the origin of the
+ LO if it did not originate with the LS.
+
+ Security mechanisms in protocols are thus unable to provide direct
+ assurances over multiple transmissions of an LO. However, the
+ transmission of a location "by reference" can be used to effectively
+ turn multi-hop paths into single-hop paths. If the multiple
+ transmissions of an LO are replaced by multiple transmissions of a
+ URI (a multi-hop dissemination channel), the LO need only traverse a
+ single hop, namely the dereference transaction between the LR and the
+ dereference server. The requirements for securing a location passed
+ by reference [14] are applicable in this case.
+
+ The major threats to the security of LOs can be grouped into two
+ categories. First, threats against the integrity and authenticity of
+ LOs can expose entities that rely on LOs. Second, threats against
+ the confidentiality of LOs can allow unauthorized access to location
+ information.
+
+ An LO contains four essential types of information: identifiers for
+ the described Target, location information, timestamps, and Rules.
+ By grouping values of these various types together within a single
+ structure, an LO encodes a set of bindings among them. That is, the
+ LO asserts that the identified Target was present at the given
+ location at the given time and that the given Rules express the
+ Target's desired policy at that time for the distribution of his
+ location. Below, we provide a description of the assurances required
+ by each party involved in the location distribution in order to
+ mitigate the possible attacks on these bindings.
+
+ Rule Maker: The Rule Maker is responsible for creating the Target's
+ Privacy Rules and for uploading them to the LSes. The primary
+ assurance required by the Rule Maker is that the Target's Privacy
+ Rules are correctly associated with the Target's identity when
+ they are conveyed to each LS that handles the LO. Ensuring the
+ integrity of the Privacy Rules distributed to the LSes prevents
+ rule-tampering attacks. In many circumstances, the privacy policy
+ of the Target may itself be sensitive information; in these cases,
+ the Rule Maker also requires the assurance that the binding
+ between the Target's identity and the Target's Privacy Rules are
+ not deducible by anyone other than an authorized LS.
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 26]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ Location Server: The Location Server is responsible for enforcing
+ the Target's Privacy Rules. The first assurance required by the
+ LS is that the binding between the Target's Privacy Rules and the
+ Target's identity is authentic. Authenticating and authorizing
+ the Rule Maker who creates, updates, and deletes the Privacy Rules
+ prevents rule-tampering attacks. The LS has to ensure that the
+ authorization policies are not exposed to third parties, if so
+ desired by the Rule Maker and when the rules themselves are
+ privacy-sensitive.
+
+ Location Recipient: The Location Recipient is the consumer of the
+ LO. The LR thus requires assurances about the authenticity of the
+ bindings between the Target's location, the Target's identity, and
+ the time. Ensuring the authenticity of these bindings helps to
+ prevent various attacks, such as falsifying the location,
+ modifying the timestamp, faking the identity, and replaying LOs.
+
+ Location Generator: The primary assurance required by the Location
+ Generator is that the LS to which the LO is initially published is
+ one that is trusted to enforce the Target's Privacy Rules.
+ Authenticating the trusted LS mitigates the risk of server
+ impersonation attacks. Additionally, the LG is responsible for
+ the location determination process, which is also sensible from a
+ security perspective because wrong input provided by external
+ entities can lead to undesirable disclosure or access to location
+ information.
+
+ Assurances as to the integrity and confidentiality of a Location
+ Object can be provided directly through the LO format. RFC 4119 [19]
+ provides a description for the usage of Secure/Multipurpose Internet
+ Mail Extensions (S/MIME) to integrity and confidentiality protection.
+ Although such direct, end-to-end assurances are desirable, and these
+ mechanisms should be used whenever possible, there are many
+ deployment scenarios where directly securing an LO is impractical.
+ For example, in some deployment scenarios a direct trust relationship
+ may not exist between the creator of the Location Object and the
+ recipient. Additionally, in a scenario where many recipients are
+ authorized to receive a given LO, the creator of the LO cannot
+ guarantee end-to-end confidentiality without knowing precisely which
+ recipient will receive the LO. Many of these cases can, however, be
+ addressed by the usage of a location-by-reference mechanism, possibly
+ combined with an LO.
+
+
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 27]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+6. Example Scenarios
+
+ This section contains a set of examples of how the Geopriv
+ architecture can be deployed in practice. These examples are meant
+ to illustrate key points of the architecture, rather than to form an
+ exhaustive set of use cases.
+
+ For convenience and clarity in these examples, we assume that the
+ Privacy Rules that an LO carries are equivalent to those in a
+ Presence Information Data Format Location Object (PIDF-LO) [19] --
+ namely, that the principal Rules that can be set are limits on the
+ retransmission and retention of the LO. While these two Rules are
+ the most well-known and important examples, the specific types of
+ Rules an LS or LR must consider will in general depend on the types
+ of LOs it processes.
+
+6.1. Minimal Scenario
+
+ One of the simplest scenarios in the Geopriv architecture is when a
+ Device determines its own location and uses that LO to request a
+ service (e.g., by including the LO in an HTTP POST request [20] or
+ SIP INVITE message [21]), and the server delivers that service
+ immediately (e.g., in a 200 OK response in HTTP or SIP), without
+ retaining or retransmitting the Device's location. The Device acts
+ as an LG by using a Device-based positioning algorithm (e.g., manual
+ entry) and as an LS by interpreting the rule and transmitting the LO.
+ The Target acts as a Rule Maker by specifying that the location
+ should be sent to the server. The server acts as an LR by receiving
+ and using the LO.
+
+ In this case, the privacy of location information is maintained in
+ two steps: The first step is that the location is only transmitted as
+ directed by the single Rule Maker, namely the Target. The second
+ step is simply the fact that the server, as LR, does not do anything
+ that creates a privacy risk -- it does not retain or retransmit the
+ location. Because the server limits its behavior in this way, it
+ does not need to read the Rules in the LO, even though they were
+ provided -- no Rule would prevent it from using the location in this
+ safe manner.
+
+ The following outline summarizes this scenario:
+
+ o Positioning: Device-based, Device=LG
+
+ o Distribution hop 1: HTTP User Agent (UA) --> Ephemeral Web
+ service, privacy via user indication
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 28]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ o Use: Ephemeral Web service delivers response without retaining or
+ retransmitting location
+
+ o Key point:
+
+ * LRs that do not behave in ways that risk privacy are Geopriv-
+ compliant by default. No further action is necessary.
+
+6.2. Location-Based Web Services
+
+ Many location-based services are delivered over the Web, using
+ Javascript code to orchestrate a series of HTTP requests for
+ location-specific information. To support these applications,
+ browser extensions have been developed that support Device-based
+ positioning (manual entry and Global Positioning System (GPS)) and
+ network-assisted positioning (via Assisted GPS (AGPS), and
+ multilateration with 802.11 and cellular signals), exposing a
+ location to Web pages through Javascript APIs.
+
+ In this scenario, we consider a Target that uses a browser with a
+ network-assisted positioning extension. When the Target uses this
+ browser to request location-based services from a Web page, the
+ browser prompts the user to grant the page permission to access the
+ user's location. If the user grants permission, the browser
+ extension sends 802.11 signal strength measurements to a positioning
+ server, which then returns the position of the host. The extension
+ constructs an LO with this location and Rules set by the user, then
+ passes the LO to the page through its Javascript API. The page then
+ obtains location-relevant information using an XMLHttpRequest [22] to
+ a server in the same domain as the page and renders this information
+ to the user.
+
+ At first blush, this scenario seems much more complicated than the
+ minimal scenario above. However, most of the privacy considerations
+ are actually the same.
+
+ The positioning phase in this scenario begins when the browser
+ extension contacts the positioning server. The positioning server
+ acts as an LG.
+
+ The distribution phase actually occurs entirely within the Target
+ host. This phase begins when the positioning server, now acting as
+ an LS, follows the LCP policy by providing the location only to the
+ Target. The next hop in distribution occurs when the browser
+ extension (an entity under the control of the Target) passes an LO to
+ the Web page (an entity under the control of its author). In this
+ phase, the browser extension acts as an LS, with the Target as the
+ sole Rule Maker; the user interface for rule-making is effectively a
+
+
+
+Barnes, et al. Best Current Practice [Page 29]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ protocol for conveying Rules, and the extension's API effectively
+ defines a way to communicate LOs and an LO format. The Web site acts
+ as an LR when the Web page accepts the LO.
+
+ The use phase encompasses the Web site's use of the LO. In this
+ context, the phrase "Web site" encompasses not only the Web page, but
+ also the dedicated supporting logic behind it. Considering the
+ entire Web site as a recipient, rather than a single page, it becomes
+ clear that sending the LO in an XMLHttpRequest to a back-end server
+ is like passing it to a separate component of the LR, as opposed to
+ retransmitting it to another entity. Thus, even in this case, where
+ location-relevant information is obtained from a back-end server, the
+ LR does not retain or retransmit the location, so its behavior is
+ "privacy-safe" -- it doesn't need to interpret the Rules in the LO.
+
+ However, consider a variation on this scenario where the Web page
+ requests additional information (a map, for instance) from a third-
+ party site. In this case, since location information is being
+ transmitted to a third party, the Web site (either in the Web page or
+ in a back-end server) would need to verify that this transmission is
+ allowed by the LO's Privacy Rules. Similarly, if the site wanted to
+ log the user's location information, then it would need to examine
+ the LO to determine how long this information can be retained. In
+ such a case, if the LR needs to do something that is not allowed by
+ the Rules, it may have to deny service to the user, while hopefully
+ providing a message with the reason. Nonetheless, if the Rules
+ permit retention or retransmission, even if this retransmission is
+ limited by access control rules, then the LR may do so to the extent
+ the Rules allow.
+
+ The following outline summarizes this scenario:
+
+ o Positioning: Network-assisted, positioning server=LG
+
+ o Rule installation: RM (=Target) gives permission to sites and sets
+ LO Rules
+
+ o Distribution hop 1: positioning server=LS --> Target, privacy via
+ LCP policy
+
+ o Distribution hop 2: Browser=LS --> Web site=LR, privacy via user
+ confirmation
+
+ o Use: Back-end server delivers location-relevant information
+ without further retransmission, then deletes location; privacy via
+ safe behavior
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 30]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ o Key points:
+
+ * Privacy in this scenario is provided by a combination of
+ explicit user direction and Rules in an LO.
+
+ * Distribution can occur within a host, between components that
+ do not trust each other.
+
+ * Some transmissions of the location are actually internal to
+ an LR.
+
+ * LRs that do things that might be constrained by Rules need to
+ verify that these actions are allowed for a particular LO.
+
+6.3. Emergency Calling
+
+ Support for emergency calls by Voice-over-IP devices is a critical
+ use case for location information about Internet hosts. The details
+ of the Internet architecture for emergency calling are described in
+ [23] [24]. In this architecture, there are three critical steps in
+ the placement of an emergency call, each involving location
+ information:
+
+ 1. Determine the location of the caller.
+
+ 2. Determine the proper Public Safety Answering Point (PSAP) for the
+ caller's location.
+
+ 3. Send a SIP INVITE message, including the caller's location, to
+ the PSAP.
+
+ The first step in an emergency call is to determine the location of
+ the caller. This step is the positioning phase of the location life
+ cycle. The location is determined by whatever means are available to
+ the caller's device, or to the network, if this step is being done by
+ a proxy. The entity doing the positioning, whether the caller or a
+ proxy, acts as an LS, preserving the privacy of location information
+ by only including it in emergency calls.
+
+ The second step in an emergency call encompasses location
+ distribution and use. The entity that is routing the emergency call
+ sends location information through the Location-to-Service
+ Translation (LoST) Protocol [15] to a mapping server. In this role,
+ the routing entity acts as an LS and the LoST server acts as an LR.
+ The LO format within LoST does not allow Rules to be sent along with
+ the location, but because LoST is an application-specific protocol,
+ the sending of the location within a LoST message authorizes the LoST
+ server to use the location to complete the protocol, namely to route
+
+
+
+Barnes, et al. Best Current Practice [Page 31]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ the message as necessary through the LoST mapping architecture [25].
+ That is, the LoST server is authorized to complete the LoST protocol,
+ but to do nothing else.
+
+ The third step in an emergency call is again a combination of
+ distribution and use. The caller, or another entity that inserts the
+ caller's location, acts as an LS, and the PSAP acts as an LR. In
+ this specific example, the caller's location is transmitted either as
+ a PIDF-LO or as a reference that returns a PIDF-LO, or both; in the
+ latter case, the reference should be appropriately protected so that
+ only the PSAP has access. In any case, the receipt of an LO implies
+ that the PSAP should obey the Rules in those LOs in order to preserve
+ privacy. Depending on the regulatory environment, the PSAP may have
+ the option to ignore those constraints in order to respond to an
+ emergency, or it may be bound to respect these Rules in spite of the
+ emergency situation.
+
+ The following outline summarizes this scenario:
+
+ o Positioning: Any
+
+ o Distribution/use hop 1: Target=LS --> LoST infrastructure (no
+ Rules), privacy via authorization implicit in protocol
+
+ o Distribution/use hop 2: Target=LS --> PSAP, privacy via Rules
+ in LO
+
+ o Use: PSAP uses location to deliver emergency services
+
+ o Key points:
+
+ * Privacy in this scenario is provided by a combination of
+ explicit user direction, implicit authorization particular to a
+ protocol, and Rules in an LO.
+
+ * LRs may be constrained to respect or ignore Privacy Rules by
+ local regulation.
+
+6.4. Combination of Services
+
+ In modern Internet applications, users frequently receive information
+ via one channel and broadcast it via another. In this sense, both
+ users and channels (e.g., Web services) become LSes. Here we
+ consider a more complex example that illustrates this pattern across
+ multiple logical hops.
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 32]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ Suppose Alice as the Target subscribes to a wireless ISP that
+ determines her location using a network-based positioning technique,
+ e.g., via the location of the base station serving the Target, and
+ provides that information directly to a location-enhanced presence
+ provider. This presence provider might use SIP, the Extensible
+ Messaging and Presence Protocol (XMPP) [26], or another protocol).
+ The location-enhanced presence provider allows Alice to specify Rules
+ for how this location is distributed: which friends should receive
+ Alice's location and what Rules they should get with it. Alice uses
+ a few other location-enhanced services as well, so she sends Rules
+ that allow her location to be shared with those services, and that
+ allow those services to retain and retransmit her location.
+
+ Bob is one of Alice's friends, and he receives her location via this
+ location-enhanced presence service. Noting that she's at their
+ favorite coffee shop, Bob wants to upload a photo of the two of them
+ at the coffee shop to a photo-sharing site, along with an LO that
+ marks the location. Bob checks the Rules in Alice's LO and verifies
+ that the photo-sharing site is one of the services that Alice
+ authorized. Seeing that Alice has authorized him to give the LO to
+ the photo-sharing site, he attaches it to the photo and uploads it.
+
+ Once the geo-tagged photo is uploaded, the photo-sharing site reads
+ the Rules in the LO and verifies that the site is authorized to store
+ the photo and to share it with others. Since Alice has allowed the
+ site to retransmit and retain without any constraints, the site
+ fulfills Bob's request to make the geo-tagged photo publicly
+ accessible.
+
+ Eve, another user of the photo-sharing site, downloads the photo of
+ Alice and Bob at the coffee shop and receives Alice's LO along with
+ it. Eve posts the photo and location to her public page on a social
+ networking site without checking the Rules, even though the LO
+ doesn't allow Eve to send the location anywhere else. The social
+ networking site, however, observes that no retransmission or
+ retention are allowed, both of which it needs for a public posting,
+ and rejects the upload.
+
+ In terms of the location life cycle, this scenario consists of a
+ positioning step, followed by four distribution hops and use.
+ Positioning is the simplest step: An LG in Alice's ISP monitors her
+ location and transmits it to the presence service, maintaining
+ privacy by only transmitting the location information to a single
+ entity to which Alice has delegated privacy responsibilities.
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 33]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ The first distribution hop occurs when the presence server sends the
+ location to Bob. In this transaction, the presence server acts as an
+ LS, Alice acts as an RM, and Bob acts as an LR. The privacy of this
+ transaction is assured by the fact that Alice has installed Rules on
+ the presence server that dictate who it may allow to access her
+ location. The second distribution hop is when Bob uploads the LO to
+ the photo-sharing site. Here Bob acts as an LS, preserving the
+ privacy of location information by verifying that the Rules in the LO
+ allow him to upload it. The third distribution hop is when the
+ photo-sharing site sends the LO to Eve, likewise following the Rules
+ -- but a different set of Rules than for Bob, since an LO can specify
+ different Rule sets for different LSes.
+
+ Eve is the fourth LS in the chain, and fails to comply with Geopriv
+ by not checking the Rules in the LO prior to uploading the LO to the
+ social networking site. The site, however, is a responsible LR -- it
+ checks the Rules in the LO, sees that they don't allow it to use the
+ location as it needs to, and discards the LO.
+
+ The following outline summarizes this scenario:
+
+ o Positioning: Network-based, LG in network, privacy via exclusive
+ relationship with presence service
+
+ o Distribution/use hop 1: Presence server --> Bob, privacy via
+ Alice's access control rules
+
+ o Distribution/use hop 2: Bob --> photo-sharing site, privacy via
+ Rules for Bob in LO
+
+ o Distribution/use hop 3: Photo-sharing site --> Eve, privacy via
+ Rules for site in LO
+
+ o Distribution/use hop 4: Eve --> Social networking site, violates
+ privacy by retransmitting
+
+ o Use: Social networking site, privacy via checking Rules and
+ discarding
+
+ o Key points:
+
+ * Privacy can be preserved through multiple hops.
+
+ * An LO can specify different Rules for different entities.
+
+ * An LS can still disobey the Rules, but even then, the
+ architecture still works in some cases.
+
+
+
+
+Barnes, et al. Best Current Practice [Page 34]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+7. Glossary
+
+ Various security-related terms not defined here are to be understood
+ in the sense defined in RFC 4949 [27].
+
+ $ Access Control Rule
+
+ A rule that describes which entities may receive location
+ information and in what form.
+
+ $ civic location
+
+ The geographic position of an entity in terms of a postal address
+ or civic landmark. Examples of such data are room number, street
+ number, street name, city, postal code, county, state, and
+ country.
+
+ $ Device
+
+ The physical device, such as a mobile phone, PC, or embedded
+ micro-controller, whose location is tracked as a proxy for the
+ location of a Target.
+
+ $ geodetic location
+
+ The geographic position of an entity in a particular coordinate
+ system, for example, a latitude-longitude pair.
+
+ $ Local Rule
+
+ A Privacy Rule that directs a Location Server about how to treat a
+ Target's location information. Local Rules are used internally by
+ a Location Server to handle requests from Location Recipients.
+ They are not distributed to Location Recipients.
+
+ $ Location Generator (LG)
+
+ Performs the role of initially determining or gathering the
+ location of a Target. Location Generators may be any sort of
+ software or hardware used to obtain a Target's location. Examples
+ include GPS chips and cellular networks.
+
+
+
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 35]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ $ Location Information Server (LIS)
+
+ An entity responsible for providing devices within an access
+ network with information about their own locations. A Location
+ Information Server uses knowledge of the access network and its
+ physical topology to generate and distribute location information
+ to devices.
+
+ $ Location Object (LO)
+
+ A data unit that conveys location information together with
+ Privacy Rules within the Geopriv architecture. A Location Object
+ may convey geodetic location data (latitude, longitude, altitude),
+ civic location data (street, city, state, etc.), or both.
+
+ $ Location Recipient (LR)
+
+ An ultimate end-point entity to which a Location Object is
+ distributed. Location Recipients request location information
+ about a particular Target from a Location Server. If allowed by
+ the appropriate Privacy Rules, a Location Recipient will receive
+ Location Objects describing the Target's location from the
+ Location Server.
+
+ $ Location Server (LS)
+
+ An entity that receives Location Objects from Location Generators,
+ Privacy Rules from Rule Makers, and location requests from
+ Location Recipients. A Location Server applies the appropriate
+ Privacy Rules to a Location Object received from a Location
+ Generator and may disclose the Location Object, in compliance with
+ the Rules, to Location Recipients.
+
+ Location Servers may not necessarily be "servers" in the
+ colloquial sense of hosts in remote data centers servicing
+ requests. Rather, a Location Server can be any software or
+ hardware component that receives and distributes location
+ information. Examples include a positioning server (with a
+ location interface) in an access network, a presence server, or
+ a Web browser or other software running on a Target's device.
+
+
+
+
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 36]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ $ Privacy Rule
+
+ A directive that regulates an entity's activities with respect to
+ a Target's location information, including the collection, use,
+ disclosure, and retention of the location information. Privacy
+ Rules describe how location information may be used by an entity,
+ the level of detail with which location information may be
+ described to an entity, and the conditions under which location
+ information may be disclosed to an entity. Privacy Rules are
+ communicated from Rule Makers to Location Servers and conveyed in
+ Location Objects throughout the Geopriv architecture.
+
+ $ Rule
+
+ See Privacy Rule.
+
+ $ Rule Maker (RM)
+
+ An individual or entity that is authorized to set Privacy Rules
+ for a Target. In some cases, a Rule Maker and a Target will be
+ the same individual or entity, and in other cases they will be
+ separate. For example, a parent may serve as the Rule Maker when
+ the Target is his child. The Rule Maker is also not necessarily
+ the owner of a Target device. For example, a corporation may own
+ a device that it provides to an employee but permit the employee
+ to serve as the Rule Maker and set her own Privacy Rules. Rule
+ Makers provide the Privacy Rules associated with a Target to
+ Location Servers.
+
+ $ Forwarded Rule
+
+ A Privacy Rule that travels inside a Location Object. Forwarded
+ Rules direct Location Recipients about how to handle the location
+ information they receive. Because the Forwarded Rules themselves
+ may reveal potentially sensitive information about a Target, only
+ the minimal subset of Forwarded Rules necessary for a Location
+ Recipient to handle a Location Object is distributed to the
+ Location Recipient.
+
+ $ Target
+
+ An individual or other entity whose location is sought in the
+ Geopriv architecture. In many cases, the Target will be the human
+ user of a Device, or it may be an object such as a vehicle or
+ shipping container to which a Device is attached. In some
+ instances, the Target will be the Device itself. The Target is
+ the entity whose privacy Geopriv seeks to protect.
+
+
+
+
+Barnes, et al. Best Current Practice [Page 37]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ $ Usage Rule
+
+ A rule that describes what uses of location information are
+ authorized.
+
+8. Acknowledgements
+
+ Section 5 is largely based on the security investigations conducted
+ as part of the Geopriv Layer-7 Location Configuration Protocol design
+ team, which produced [9]. We would like to thank all the members of
+ the design team.
+
+ We would also like to thank Marc Linsner and Martin Thomson for their
+ contributions regarding terminology and LCPs.
+
+9. References
+
+9.1. Normative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+9.2. Informative References
+
+ [2] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J.
+ Polk, "Geopriv Requirements", RFC 3693, February 2004.
+
+ [3] Danley, M., Mulligan, D., Morris, J., and J. Peterson, "Threat
+ Analysis of the Geopriv Protocol", RFC 3694, February 2004.
+
+ [4] U.S. Department of Defense, "National Industrial Security
+ Program Operating Manual", DoD 5220-22M, January 1995.
+
+ [5] Winterbottom, J., Thomson, M., and H. Tschofenig, "GEOPRIV
+ Presence Information Data Format Location Object (PIDF-LO)
+ Usage Clarification, Considerations, and Recommendations",
+ RFC 5491, March 2009.
+
+ [6] Schulzrinne, H., Tschofenig, H., Morris, J., Cuellar, J., Polk,
+ J., and J. Rosenberg, "Common Policy: A Document Format for
+ Expressing Privacy Preferences", RFC 4745, February 2007.
+
+ [7] Schulzrinne, H., Ed., Tschofenig, H., Ed., Morris, J., Cuellar,
+ J., and J. Polk, "Geolocation Policy: A Document Format for
+ Expressing Privacy Preferences for Location Information", Work
+ in Progress, March 2011.
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 38]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ [8] Rosenberg, J., "The Extensible Markup Language (XML)
+ Configuration Access Protocol (XCAP)", RFC 4825, May 2007.
+
+ [9] Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7 Location
+ Configuration Protocol: Problem Statement and Requirements",
+ RFC 5687, March 2010.
+
+ [10] Polk, J., Schnizlein, J., and M. Linsner, "Dynamic Host
+ Configuration Protocol Option for Coordinate-based Location
+ Configuration Information", RFC 3825, July 2004.
+
+ [11] Schulzrinne, H., "Dynamic Host Configuration Protocol (DHCPv4
+ and DHCPv6) Option for Civic Addresses Configuration
+ Information", RFC 4776, November 2006.
+
+ [12] Polk, J., "Dynamic Host Configuration Protocol (DHCP) IPv4 and
+ IPv6 Option for a Location Uniform Resource Identifier (URI)",
+ Work in Progress, February 2011.
+
+ [13] Barnes, M., Ed., "HTTP-Enabled Location Delivery (HELD)",
+ RFC 5985, September 2010.
+
+ [14] Marshall, R., Ed., "Requirements for a Location-by-Reference
+ Mechanism", RFC 5808, May 2010.
+
+ [15] Hardie, T., Newton, A., Schulzrinne, H., and H. Tschofenig,
+ "LoST: A Location-to-Service Translation Protocol", RFC 5222,
+ August 2008.
+
+ [16] Barnes, R., Thomson, M., Winterbottom, J., and H. Tschofenig,
+ "Location Configuration Extensions for Policy Management", Work
+ in Progress, June 2011.
+
+ [17] Kent, S. and K. Seo, "Security Architecture for the Internet
+ Protocol", RFC 4301, December 2005.
+
+ [18] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
+ Protocol Version 1.2", RFC 5246, August 2008.
+
+ [19] Peterson, J., "A Presence-based GEOPRIV Location Object
+ Format", RFC 4119, December 2005.
+
+ [20] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
+ Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol --
+ HTTP/1.1", RFC 2616, June 1999.
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 39]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ [21] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
+ Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
+ Session Initiation Protocol", RFC 3261, June 2002.
+
+ [22] World Wide Web Consortium, "The XMLHttpRequest Object", W3C
+ document http://www.w3.org/TR/XMLHttpRequest/, August 2010.
+
+ [23] Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, "Framework
+ for Emergency Calling Using Internet Multimedia", Work
+ in Progress, October 2010.
+
+ [24] Rosen, B. and J. Polk, "Best Current Practice for
+ Communications Services in support of Emergency Calling", Work
+ in Progress, March 2011.
+
+ [25] Schulzrinne, H., "Location-to-URL Mapping Architecture and
+ Framework", RFC 5582, September 2009.
+
+ [26] Saint-Andre, P., "Extensible Messaging and Presence Protocol
+ (XMPP): Core", RFC 6120, March 2011.
+
+ [27] Shirey, R., "Internet Security Glossary, Version 2", FYI 36,
+ RFC 4949, August 2007.
+
+ [28] <http://creativecommons.org/>
+
+Authors' Addresses
+
+ Richard Barnes
+ BBN Technologies
+ 9861 Broken Land Pkwy, Suite 400
+ Columbia, MD 21046
+ USA
+
+ Phone: +1 410 290 6169
+ EMail: rbarnes@bbn.com
+
+
+ Matt Lepinski
+ BBN Technologies
+ 10 Moulton St.
+ Cambridge, MA 02138
+ USA
+
+ Phone: +1 617 873 5939
+ EMail: mlepinski@bbn.com
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 40]
+
+RFC 6280 Internet Location Architecture July 2011
+
+
+ Alissa Cooper
+ Center for Democracy & Technology
+ 1634 I Street NW, Suite 1100
+ Washington, DC
+ USA
+
+ EMail: acooper@cdt.org
+
+
+ John Morris
+ Center for Democracy & Technology
+ 1634 I Street NW, Suite 1100
+ Washington, DC
+ USA
+
+ EMail: jmorris@cdt.org
+
+
+ Hannes Tschofenig
+ Nokia Siemens Networks
+ Linnoitustie 6
+ Espoo 02600
+ Finland
+
+ Phone: +358 (50) 4871445
+ EMail: Hannes.Tschofenig@gmx.net
+ URI: http://www.tschofenig.priv.at
+
+
+ Henning Schulzrinne
+ Columbia University
+ Department of Computer Science
+ 450 Computer Science Building
+ New York, NY 10027
+ US
+
+ Phone: +1 212 939 7004
+ EMail: hgs@cs.columbia.edu
+ URI: http://www.cs.columbia.edu
+
+
+
+
+
+
+
+
+
+
+
+
+Barnes, et al. Best Current Practice [Page 41]
+