GEOPRIV H. Schulzrinne, Ed. Internet-Draft Columbia University Intended status: Standards Track H. Tschofenig, Ed. Expires: August 13, 2009 Nokia Siemens Networks J. Morris CDT J. Cuellar Siemens J. Polk Cisco February 9, 2009 Geolocation Policy: A Document Format for Expressing Privacy Preferences for Location Information draft-ietf-geopriv-policy-20.txt Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 13, 2009. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Schulzrinne, et al. Expires August 13, 2009 [Page 1] Internet-Draft Geolocation Policy February 2009 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Schulzrinne, et al. Expires August 13, 2009 [Page 2] Internet-Draft Geolocation Policy February 2009 Abstract This document defines an authorization policy language for controlling access to location information. It extends the Common Policy authorization framework to provide location-specific access control. More specifically, this document defines condition elements specific to location information in order to restrict access based on the current location of the Target. Furthermore, it offers location- specific transformation elements to reduce the granularity of the returned location information. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Generic Processing . . . . . . . . . . . . . . . . . . . . . . 9 3.1. Structure of Geolocation Authorization Documents . . . . . 9 3.2. Rule Transport . . . . . . . . . . . . . . . . . . . . . . 9 4. Location-specific Conditions . . . . . . . . . . . . . . . . . 10 4.1. Geodetic Location Condition Profile . . . . . . . . . . . 10 4.2. Civic Location Condition Profile . . . . . . . . . . . . . 11 5. Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 6. Transformations . . . . . . . . . . . . . . . . . . . . . . . 13 6.1. Set Retransmission-Allowed . . . . . . . . . . . . . . . . 13 6.2. Set Retention-Expiry . . . . . . . . . . . . . . . . . . . 13 6.3. Set Note-Well . . . . . . . . . . . . . . . . . . . . . . 13 6.4. Keep Ruleset Reference . . . . . . . . . . . . . . . . . . 14 6.5. Provide Location . . . . . . . . . . . . . . . . . . . . . 14 6.5.1. Civic Location Profile . . . . . . . . . . . . . . . . 15 6.5.2. Geodetic Location Profile . . . . . . . . . . . . . . 16 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 7.1. Rule Example with Civic Location Condition . . . . . . . . 17 7.2. Rule Example with Geodetic Location Condition . . . . . . 18 7.3. Rule Example with Civic and Geodetic Location Condition . 18 7.4. Rule Example with Location-based Transformations . . . . . 19 8. XML Schema for Basic Location Profiles . . . . . . . . . . . . 21 9. XML Schema for Geolocation Policy . . . . . . . . . . . . . . 22 10. XCAP Usage . . . . . . . . . . . . . . . . . . . . . . . . . . 24 10.1. Application Unique ID . . . . . . . . . . . . . . . . . . 24 10.2. XML Schema . . . . . . . . . . . . . . . . . . . . . . . . 24 10.3. Default Namespace . . . . . . . . . . . . . . . . . . . . 24 10.4. MIME Type . . . . . . . . . . . . . . . . . . . . . . . . 24 10.5. Validation Constraints . . . . . . . . . . . . . . . . . . 24 10.6. Data Semantics . . . . . . . . . . . . . . . . . . . . . . 24 10.7. Naming Conventions . . . . . . . . . . . . . . . . . . . . 24 10.8. Resource Interdependencies . . . . . . . . . . . . . . . . 25 10.9. Authorization Policies . . . . . . . . . . . . . . . . . . 25 Schulzrinne, et al. Expires August 13, 2009 [Page 3] Internet-Draft Geolocation Policy February 2009 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 11.1. Geolocation Policy XML Schema Registration . . . . . . . . 26 11.2. Geolocation Policy Namespace Registration . . . . . . . . 26 11.3. Geolocation Policy Location Profile Registry . . . . . . . 27 11.4. Basic Location Profile XML Schema Registration . . . . . . 27 11.5. Basic Location Profile Namespace Registration . . . . . . 28 11.6. XCAP Application Usage ID . . . . . . . . . . . . . . . . 28 12. Internationalization Considerations . . . . . . . . . . . . . 30 13. Security Considerations . . . . . . . . . . . . . . . . . . . 31 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33 14.1. Normative References . . . . . . . . . . . . . . . . . . . 33 14.2. Informative References . . . . . . . . . . . . . . . . . . 33 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 35 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 36 Schulzrinne, et al. Expires August 13, 2009 [Page 4] Internet-Draft Geolocation Policy February 2009 1. Introduction Location information needs to be protected against unauthorized access to preserve the privacy of humans. In RFC 3693 [RFC3693], a protocol-independent model for access to geographic information is defined. The model includes a Location Generator (LG) that determines location information, a Location Server (LS) that authorizes access to location information, a Location Recipient (LR) that requests and receives location information, and a Rule Maker (RM) that writes authorization policies. An authorization policy is a set of rules that regulates an entity's activities with respect to privacy-sensitive information, such as location information. The data object containing location information in the context of this document is referred to as a Location Object (LO). The basic rule set defined in the Presence Information Data Format Location Object (PIDF-LO) [RFC4119] can restrict how long the Location Recipient is allowed to retain the information, and it can prohibit further distribution. It also contains a reference to an enhanced rule set and a human readable privacy policy. The basic rule set, however, does not allow to control access to location information based on specific Location Recipients. This document describes an enhanced rule set that provides richer constraints on the distribution of LOs. The rule set allows the entity that uses the rules defined in this document to restrict the retention and to enforce access restrictions on location data, including prohibiting any dissemination to particular individuals, during particular times or when the Target is located in a specific region. The RM can also stipulate that only certain parts of the Location Object are to be distributed to recipients or that the resolution of parts of the Location Object is reduced. The typical sequence of operations is as follows. A Location Server receives a query for location information for a particular Target, via the using protocol [RFC3693]. The using protocol provides the identity of the requestor, either at the time of the query or when subscribing to the location information. The authenticated identity of the Location Recipient, together with other information provided by the using protocol or generally available to the server, is then used for searching through the rule set. If more than one rule matches the condition element, then the combined permission is evaluated according to the description in Section 10 of [RFC4745]. The result of the rule evalation is applied to the location information, yielding a possibly modified Location Object that is delivered to the Location Recipient. Schulzrinne, et al. Expires August 13, 2009 [Page 5] Internet-Draft Geolocation Policy February 2009 This document does not describe the protocol used to convey location information from the Location Server to the Location Recipient (i.e., the using protocol; see RFC 3693 [RFC3693]). This document extends the Common Policy framework defined in [RFC4745]. That document provides an abstract framework for expressing authorization rules. As specified there, each such rule consists of conditions, actions and transformations. Conditions determine under which circumstances the entity executing the rules, for example a Location Server, is permitted to apply actions and transformations. Transformations regulate in a location information context how a Location Server modifies the information elements that are returned to the requestor, for example, by reducing the granularity of returned location information. The XML schema defined in Section 9 extends the Common Policy schema by introducing new child elements to the condition and transformation elements. This document does not define child elements for the action part of a rule. Schulzrinne, et al. Expires August 13, 2009 [Page 6] Internet-Draft Geolocation Policy February 2009 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. This document reuses the terminology of RFC 3693 [RFC3693], such as Location Server (LS), Location Recipient (LR), Rule Maker (RM), Target, Location Generator (LG) and Location Object (LO). This document uses the following terminology: Presentity or Target: RFC 3693 [RFC3693] uses the term Target to identify the object or person of which location information is required. The presence model described in RFC 2778 [RFC2778] uses the term presentity to describe the entity that provides presence information to a presence service. A Presentity in a presence system is a Target in a location information system. Watcher or Location Recipient: The receiver of location information is the Location Recipient (LR) in the terminology of RFC 3693 [RFC3693]. A watcher in a presence system, i.e., an entity that requests presence information about a presentity, is a Location Recipient in a location information system. Authorization policy: An authorization policy is given by a rule set. A rule set contains an unordered list of (policy) rules. Each rule has a condition, an action and a transformation component. Permission: The term permission refers to the action and transformation components of a rule. The term 'using protocol' is defined in [RFC3693] and refers to the protocol that is used to request access to and to return privacy sensitive data items. In this document we use the term Location Servers as the entities that evaluate the geolocation authorization policies. The Schulzrinne, et al. Expires August 13, 2009 [Page 7] Internet-Draft Geolocation Policy February 2009 geolocation privacy architecture is, as motivated in RFC 4079 [RFC4079], aligned with the presence architecture and a Presence Server is therefore an entity that distributes location information along with other presence-specific XML data elements. Schulzrinne, et al. Expires August 13, 2009 [Page 8] Internet-Draft Geolocation Policy February 2009 3. Generic Processing 3.1. Structure of Geolocation Authorization Documents A geolocation authorization document is an XML document, formatted according to the schema defined in [RFC4745]. Geolocation authorization documents inherit the MIME type of common policy documents, application/auth-policy+xml. As described in [RFC4745], this document is composed of rules which contain three parts - conditions, actions, and transformations. Each action or transformation, which is also called a permission, has the property of being a positive grant of information to the Location Recipient. As a result, there is a well-defined mechanism for combining actions and transformations obtained from several sources. This mechanism is privacy safe, since the lack of any action or transformation can only result in less information being presented to a Location Recipient. 3.2. Rule Transport There are two ways how the authorization rules described in this document may be conveyed between different parties: o RFC 4119 [RFC4119] allows enhanced authorization policies to be referenced via a Uniform Resource Locator (URL) in the 'ruleset- reference' element. The ruleset-reference' element is part of the basic rules that always travel with the Location Object. o Authorization policies might, for example, also be stored at a Location Server / Presence Server. The Rule Maker therefore needs to use a protocol to create, modify and delete the authorization policies defined in this document. Such a protocol is available with the Extensible Markup Language (XML) Configuration Access Protocol (XCAP) [RFC4825]. Schulzrinne, et al. Expires August 13, 2009 [Page 9] Internet-Draft Geolocation Policy February 2009 4. Location-specific Conditions This section describes the location-specific conditions of a rule. The element contains zero, one or an unbounded number of child element(s). Providing more than one element may not be useful since all child elements of the element must evaluate to TRUE in order for the element to be TRUE. The element MUST contain at least one child element. The element evaluates to TRUE if any of its child elements is TRUE, i.e., a logical OR. The element has three attributes, namely 'profile', 'xml: lang' and 'label'. The 'profile' attribute allows to indicate the location profile that is included as child elements in the element and each profile needs to describe under what conditions each element evaluates to TRUE. This document defines two location profiles, one civic and one geodetic location profile, see Section 4.1 and Section 4.2. The 'label' attribute allows a human readable description to be added to each lt;location> element. The 'xml:lang' attribute contains a language tag providing further information for rendering of the content of the 'label' attribute. The and the elements provide extension points. If an extension is not understood by the entity evaluating the rules then this rule evaluates to FALSE. 4.1. Geodetic Location Condition Profile The geodetic location profile is identified by the token 'geodetic- condition'. Rule Makers use this profile by placing a GML [GML] element within the element (as described in Section 5.2.3 of [I-D.ietf-geopriv-pdif-lo-profile]). The element containing the information for the geodetic location profile evaluates to TRUE if the current location of the Target is within the described location. Note that the Target's actual location might be represented by any of the location shapes described in [I-D.ietf-geopriv-pdif-lo-profile]. If the geodetic location of the Target is unknown then the element containing the information for the geodetic location profile evaluates to FALSE. Implementations are REQUIRED to support the following coordinate reference system based on WGS 84 [NIMA.TR8350.2-3e] based on the European Petroleum Survey Group (EPSG) Geodetic Parameter Dataset (as formalized by the Open Geospatial Consortium (OGC)): Schulzrinne, et al. Expires August 13, 2009 [Page 10] Internet-Draft Geolocation Policy February 2009 2D: WGS 84 (latitude, longitude), as identified by the URN "urn:ogc:def:crs:EPSG::4326". This is a two dimensional CRS. A CRS MUST be specified using the above URN notation only, implementations do not need to support user-defined CRSs. Implementations MUST specify the CRS using the "srsName" attribute on the outermost geometry element. The CRS MUST NOT be changed for any sub-elements. The "srsDimension" attribute MUST be omitted, since the number of dimensions in these CRSs is known. 4.2. Civic Location Condition Profile The civic location profile is identified by the token 'civic- condition'. Rule Makers use this profile by placing a element, defined in [RFC5139], within the element. All child elements of element that carry civicAddress elements MUST evaluate to TRUE (i.e., logical AND) in order for the element to evaluate to TRUE. For each child element, the value of that element is compared to the value of the same element in the Target's civic location. The child element evaluates to TRUE if the two values are identical based on a bit-by-bit comparison. If the civic location of the Target is unknown, then the element containing the information for the civic location profile evaluates to FALSE. This case may occur, for example, if location information has been removed by earlier transmitters of location information or if only the geodetic location is known. In general, it is RECOMMENDED behavior for a LS not to apply a translation from geodetic location to civic location (i.e., geocode the location). Schulzrinne, et al. Expires August 13, 2009 [Page 11] Internet-Draft Geolocation Policy February 2009 5. Actions This document does not define location-specific actions. Schulzrinne, et al. Expires August 13, 2009 [Page 12] Internet-Draft Geolocation Policy February 2009 6. Transformations This document defines several elements that allow Rule Makers to specify transformations that o reduce the accuracy of the returned location information, and o set the basic authorization policies carried inside the PIDF-LO. 6.1. Set Retransmission-Allowed This element asks the LS to change or set the value of the element in the PIDF-LO. The data type of the element is a boolean. If the value of the element is set to TRUE then the element in the PIDF-LO MUST be set to TRUE. If the value of the element is set to FALSE, then the element in the PIDF-LO MUST be set to FALSE. If the element is absent then the value of the element in the PIDF-LO MUST be kept unchanged or, if the PIDF-LO is created for the first time, then the value MUST be set to FALSE. 6.2. Set Retention-Expiry This transformation asks the LS to change or set the value of the element in the PIDF-LO. The data type of the element is an integer. The value provided with the element indicates seconds and these seconds are added to the current date. If the element is absent then the value of the element in the PIDF-LO is kept unchanged or, if the PIDF-LO is created for the first time, then the value MUST be set to the current date. 6.3. Set Note-Well This transformation asks the LS to change or set the value of the element in the PIDF-LO. The data type of the element is a string. The value provided with the element contains a privacy statement as a human readable text string and an 'xml:lang' Schulzrinne, et al. Expires August 13, 2009 [Page 13] Internet-Draft Geolocation Policy February 2009 attribute denotes the language of the human readable text. If the element is absent, then the value of the element in the PIDF-LO is kept unchanged or, if the PIDF-LO is created for the first time, then no content is provided for the element. 6.4. Keep Ruleset Reference This transformation allows to influence whether the element in the PIDF-LO carries the extended authorization rules defined in [RFC4745]. The data type of the element is Boolean. If the value of the element is set to TRUE, then the element in the PIDF-LO is kept unchanged when included. If the value of the element is set to FALSE, then the element in the PIDF-LO MUST NOT contain a reference to an external rule set. The reference to the ruleset is removed and no rules are carried as MIME bodies (in case of CID URIs). If the element is absent, then the value of the element in the PIDF-LO is kept unchanged when available or, if the PIDF-LO is created for the first time then the element MUST NOT be included. 6.5. Provide Location The element contains child elements of a specific location profile that controls the granularity of returned location information. This document defines two location profiles, namely: o If the element has a child element then civic location information is disclosed as described in Section 6.5.1, subject to availability. o If the element has a child element then geodetic location information is disclosed as described in Section 6.5.2, subject to availability. The element MUST contain the 'profile' attribute if it contains child elements and the 'profile' attribute MUST match with the contained child elements. Schulzrinne, et al. Expires August 13, 2009 [Page 14] Internet-Draft Geolocation Policy February 2009 If the element has no child elements then civic, as well as, geodetic location information is disclosed without reducing its granularity, subject to availability. In this case the profile attribute MUST NOT be included. 6.5.1. Civic Location Profile This profile uses the token 'civic-transformation'. This profile allows civic location transformations to be specified by means of the element that restricts the level of civic location information the LS is permitted to disclose. The symbols of these levels are: 'country', 'region', 'city', 'building', 'full'. Each level is given by a set of civic location data items such as and , ..., , as defined in [RFC5139]. Each level includes all elements included by the lower levels. The 'country' level includes only the element; the 'region' level adds the element; the 'city' level adds the and elements; the 'building' level and the 'full' level add further civic location data as shown below. full {, , , , , , , , , , , , , , , , , ,,,, , , , , , , , , } | | building {, , , , , , , , , , , , , , , , , } | | city {, , , } | | region {, } | | country {} | | none Schulzrinne, et al. Expires August 13, 2009 [Page 15] Internet-Draft Geolocation Policy February 2009 {} The default value is "none". The schema of the element is defined in Section 8. 6.5.2. Geodetic Location Profile This profile uses the token 'geodetic-transformation' and refers only to the Coordinate Reference System (CRS) WGS 84 (urn:ogc:def:crs:EPSG::4326, 2D). This profile allows geodetic location transformations to be specified by means of the element that may restrict the returned geodetic location information based on the value provided in the 'radius' attribute. The value of the 'radius' attribute expresses the radius in meters. The schema of the element is defined in Section 8. For each rule in the policy specification containing a element, the LS chooses a circle with a radius F given by the 'radius' attribute of the element. The center of the circle is chosen randomly, under the constraint that the circle MUST contain the Target's location, which may be a point or another location shape. In response to queries matching this rule, the LS MUST return a shape containing this circle; while the returned shape may change from one query to another, the chosen circle remains constant as long as the Target's location (whether a point or a region) remains completely within the circle. An LS may, for example, store the location of the center or compute it based on a hash function that includes the target's identity. If the Target's location moves within the chosen circle, the LS MAY choose a new random center point, but when the Target's location moves outside the chosen circle, the LS MUST choose a new random center point. The above-described procedure aims to satisfy the following design goals: 1. The circle returned must contain the actual location of the Target. 2. In general, no point in the circle must be more likely than others to contain the Target. 3. Repeated queries must not reveal the likely location of the Target. Schulzrinne, et al. Expires August 13, 2009 [Page 16] Internet-Draft Geolocation Policy February 2009 7. Examples This section provides a few examples for authorization rules using the extensions defined in this document. 7.1. Rule Example with Civic Location Condition This example illustrates a single rule that employs the civic location condition. It matches if the current location of the Target equal the content of the child elements of the element. Requests match only if the Target is at a civic location with country set to 'Germany', state (A1) set to 'Bavaria', city (A3) set to 'Munich', city division (A4) set to 'Perlach', street name (A6) set to 'Otto-Hahn-Ring' and house number (HNO) set to '6'. No actions and transformation child elements are provided in this rule example. The actions and transformation could include presence specific information when the Geolocation Policy framework is applied to the Presence Policy framework (see [RFC5025]). DE Bavaria Munich Perlach Otto-Hahn-Ring 6 Schulzrinne, et al. Expires August 13, 2009 [Page 17] Internet-Draft Geolocation Policy February 2009 7.2. Rule Example with Geodetic Location Condition This example illustrates a rule that employs the geodetic location condition. The rule matches if the current location of the Target is inside the area specified by the polygon. The polygon uses the EPSG 4326 coordinate reference system. No altitude is included in this example. -33.8570029378 151.2150070761 1500 7.3. Rule Example with Civic and Geodetic Location Condition This example illustrates a rule that employs a mixed civic and geodetic location condition. Depending on the available type of location information, namely civic or geodetic location information, one of the location elements may match. Schulzrinne, et al. Expires August 13, 2009 [Page 18] Internet-Draft Geolocation Policy February 2009 DE Bavaria Munich Perlach Otto-Hahn-Ring 6 -34.410649 150.87651 1500 7.4. Rule Example with Location-based Transformations This example shows the transformations specified in this document. The element indicates that the available civic location information is reduced to building level granularity. If geodetic location information is requested then a granularity reduction is provided as well. Schulzrinne, et al. Expires August 13, 2009 [Page 19] Internet-Draft Geolocation Policy February 2009 false 86400 My privacy policy goes in here. false building The following rule describes the short-hand notation for making the current location of the Target available to Location Recipients without granularity reduction. Schulzrinne, et al. Expires August 13, 2009 [Page 20] Internet-Draft Geolocation Policy February 2009 8. XML Schema for Basic Location Profiles This section defines the location profiles used as child elements of the transformation element. Schulzrinne, et al. Expires August 13, 2009 [Page 21] Internet-Draft Geolocation Policy February 2009 9. XML Schema for Geolocation Policy This section presents the XML schema that defines the Geolocation Policy schema described in this document. The Geolocation Policy schema extends the Common Policy schema (see [RFC4745]). Schulzrinne, et al. Expires August 13, 2009 [Page 22] Internet-Draft Geolocation Policy February 2009 Schulzrinne, et al. Expires August 13, 2009 [Page 23] Internet-Draft Geolocation Policy February 2009 10. XCAP Usage The following section defines the details necessary for clients to manipulate geolocation privacy documents from a server using XCAP. If used as part of a presence system, it uses the same AUID as those rules. See [RFC5025] for a description of the XCAP usage in context with presence authorization rules. 10.1. Application Unique ID XCAP requires application usages to define a unique application usage ID (AUID) in either the IETF tree or a vendor tree. This specification defines the "geolocation-policy" AUID within the IETF tree, via the IANA registration in Section 11. 10.2. XML Schema XCAP requires application usages to define a schema for their documents. The schema for geolocation authorization documents is described in Section 9. 10.3. Default Namespace XCAP requires application usages to define the default namespace for their documents. The default namespace is urn:ietf:params:xml:ns:geolocation-policy. 10.4. MIME Type XCAP requires application usages to defined the MIME type for documents they carry. Geolocation privacy authorization documents inherit the MIME type of common policy documents, application/ auth-policy+xml. 10.5. Validation Constraints This specification does not define additional constraints. 10.6. Data Semantics This document discusses the semantics of a geolocation privacy authorization. 10.7. Naming Conventions When a Location Server receives a request to access location information of some user foo, it will look for all documents within http://[xcaproot]/geolocation-policy/users/foo, and use all documents Schulzrinne, et al. Expires August 13, 2009 [Page 24] Internet-Draft Geolocation Policy February 2009 found beneath that point to guide authorization policy. 10.8. Resource Interdependencies This application usage does not define additional resource interdependencies. 10.9. Authorization Policies This application usage does not modify the default XCAP authorization policy, which is that only a user can read, write or modify his/her own documents. A server can allow privileged users to modify documents that they do not own, but the establishment and indication of such policies is outside the scope of this document. Schulzrinne, et al. Expires August 13, 2009 [Page 25] Internet-Draft Geolocation Policy February 2009 11. IANA Considerations There are several IANA considerations associated with this specification. 11.1. Geolocation Policy XML Schema Registration URI: urn:ietf:params:xml:schema:geolocation-policy Registrant Contact: IETF Geopriv Working Group, Hannes Tschofenig (hannes.tschofenig@nsn.com). XML: The XML schema to be registered is contained in Section 9. Its first line is and its last line is 11.2. Geolocation Policy Namespace Registration URI: urn:ietf:params:xml:ns:geolocation-policy Registrant Contact: IETF Geopriv Working Group, Hannes Tschofenig (hannes.tschofenig@nsn.com). XML: Schulzrinne, et al. Expires August 13, 2009 [Page 26] Internet-Draft Geolocation Policy February 2009 BEGIN Geolocation Policy Namespace

Namespace for Geolocation Authorization Policies

urn:ietf:params:xml:schema:geolocation-policy

See RFCXXXX [NOTE TO IANA/RFC-EDITOR: Please replace XXXX with the RFC number of this specification.].

END 11.3. Geolocation Policy Location Profile Registry This document seeks to create a registry of location profile names for the Geolocation Policy framework. Profile names are XML tokens. This registry will operate in accordance with RFC 2434 [RFC2434], Standards Action. This document defines the following profile names: geodetic-condition: Defined in Section 4.1. civic-condition: Defined in Section 4.2. geodetic-transformation: Defined in Section 6.5.2. civic-transformation: Defined in Section 6.5.1. 11.4. Basic Location Profile XML Schema Registration URI: urn:ietf:params:xml:schema:basic-location-profiles Registrant Contact: IETF Geopriv Working Group, Hannes Tschofenig (hannes.tschofenig@nsn.com). Schulzrinne, et al. Expires August 13, 2009 [Page 27] Internet-Draft Geolocation Policy February 2009 XML: The XML schema to be registered is contained in Section 8. Its first line is and its last line is 11.5. Basic Location Profile Namespace Registration URI: urn:ietf:params:xml:ns:basic-location-profiles Registrant Contact: IETF Geopriv Working Group, Hannes Tschofenig (hannes.tschofenig@nsn.com). XML: BEGIN Basic Location Profile Namespace

Namespace for Basic Location Profile

urn:ietf:params:xml:schema:basic-location-profiles

See RFCXXXX [NOTE TO IANA/RFC-EDITOR: Please replace XXXX with the RFC number of this specification.].

END 11.6. XCAP Application Usage ID This section registers an XCAP Application Usage ID (AUID) according to the IANA procedures defined in [RFC4825]. Name of the AUID: geolocation-policy Description: Geolocation privacy rules are documents that describe the permissions that a Target has granted to Location Recipients that Schulzrinne, et al. Expires August 13, 2009 [Page 28] Internet-Draft Geolocation Policy February 2009 access information about his/her geographic location. Schulzrinne, et al. Expires August 13, 2009 [Page 29] Internet-Draft Geolocation Policy February 2009 12. Internationalization Considerations The policies described in this document are mostly meant for machine- to-machine communications; as such, many of its elements are tokens not meant for direct human consumption. If these tokens are presented to the end user, some localization may need to occur. The policies are, however, supposed to be created with the help of humans and some of the elements and attributes are subject to internationalization considerations. The content of the