Internet Engineering Task Force (IETF) H. Schulzrinne, Ed. Request for Comments: 6772 Columbia University Category: Standards Track H. Tschofenig, Ed. ISSN: 2070-1721 Nokia Siemens Networks J. Cuellar Siemens J. Polk Cisco J. Morris M. Thomson Microsoft January 2013 Geolocation Policy: A Document Format for Expressing Privacy Preferences for Location Information Abstract This document defines an authorization policy language for controlling access to location information. It extends the Common Policy authorization framework to provide location-specific access control. More specifically, this document defines condition elements specific to location information in order to restrict access to data based on the current location of the Target. Furthermore, this document defines two algorithms for reducing the granularity of returned location information. The first algorithm is defined for usage with civic location information, whereas the other one applies to geodetic location information. Both algorithms come with limitations. There are circumstances where the amount of location obfuscation provided is less than what is desired. These algorithms might not be appropriate for all application domains. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6772. Schulzrinne, et al. Standards Track [Page 1] RFC 6772 Geolocation Policy January 2013 Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Schulzrinne, et al. Standards Track [Page 2] RFC 6772 Geolocation Policy January 2013 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Generic Processing . . . . . . . . . . . . . . . . . . . . . . 7 3.1. Structure of Geolocation Authorization Documents . . . . . 7 3.2. Rule Transport . . . . . . . . . . . . . . . . . . . . . . 7 4. Location-Specific Conditions . . . . . . . . . . . . . . . . . 7 4.1. Geodetic Location Condition Profile . . . . . . . . . . . 8 4.2. Civic Location Condition Profile . . . . . . . . . . . . . 9 5. Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 6. Transformations . . . . . . . . . . . . . . . . . . . . . . . 9 6.1. Set Retransmission-Allowed . . . . . . . . . . . . . . . . 9 6.2. Set Retention-Expiry . . . . . . . . . . . . . . . . . . . 10 6.3. Set Note-Well . . . . . . . . . . . . . . . . . . . . . . 10 6.4. Keep Ruleset Reference . . . . . . . . . . . . . . . . . . 10 6.5. Provide Location . . . . . . . . . . . . . . . . . . . . . 11 6.5.1. Civic Location Profile . . . . . . . . . . . . . . . . 12 6.5.2. Geodetic Location Profile . . . . . . . . . . . . . . 13 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 7.1. Rule Example with Civic Location Condition . . . . . . . . 15 7.2. Rule Example with Geodetic Location Condition . . . . . . 16 7.3. Rule Example with Civic and Geodetic Location Condition . 17 7.4. Rule Example with Location-Based Transformations . . . . . 18 7.5. Location Obfuscation Example . . . . . . . . . . . . . . . 19 8. XML Schema for Basic Location Profiles . . . . . . . . . . . . 23 9. XML Schema for Geolocation Policy . . . . . . . . . . . . . . 24 10. XCAP Usage . . . . . . . . . . . . . . . . . . . . . . . . . . 25 10.1. Application Unique ID . . . . . . . . . . . . . . . . . . 26 10.2. XML Schema . . . . . . . . . . . . . . . . . . . . . . . . 26 10.3. Default Namespace . . . . . . . . . . . . . . . . . . . . 26 10.4. MIME Media Type . . . . . . . . . . . . . . . . . . . . . 26 10.5. Validation Constraints . . . . . . . . . . . . . . . . . . 26 10.6. Data Semantics . . . . . . . . . . . . . . . . . . . . . . 26 10.7. Naming Conventions . . . . . . . . . . . . . . . . . . . . 26 10.8. Resource Interdependencies . . . . . . . . . . . . . . . . 26 10.9. Authorization Policies . . . . . . . . . . . . . . . . . . 27 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 11.1. Geolocation Policy XML Schema Registration . . . . . . . . 27 11.2. Geolocation Policy Namespace Registration . . . . . . . . 27 11.3. Geolocation Policy Location Profile Registry . . . . . . . 28 11.4. Basic Location Profile XML Schema Registration . . . . . . 28 11.5. Basic Location Profile Namespace Registration . . . . . . 29 11.6. XCAP Application Usage ID . . . . . . . . . . . . . . . . 29 12. Internationalization Considerations . . . . . . . . . . . . . 30 13. Security Considerations . . . . . . . . . . . . . . . . . . . 30 13.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 30 13.2. Obfuscation . . . . . . . . . . . . . . . . . . . . . . . 31 Schulzrinne, et al. Standards Track [Page 3] RFC 6772 Geolocation Policy January 2013 13.3. Algorithm Limitations . . . . . . . . . . . . . . . . . . 32 13.4. Usability . . . . . . . . . . . . . . . . . . . . . . . . 33 13.5. Limitations of Obscuring Locations . . . . . . . . . . . . 33 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 35 14.1. Normative References . . . . . . . . . . . . . . . . . . . 35 14.2. Informative References . . . . . . . . . . . . . . . . . . 35 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 38 Appendix B. Pseudocode . . . . . . . . . . . . . . . . . . . . . 39 1. Introduction Location information needs to be protected against unauthorized access to preserve the privacy of humans. In RFC 6280 [RFC6280], a protocol-independent model for access to geographic information is defined. The model includes a Location Generator (LG) that determines location information, a Location Server (LS) that authorizes access to location information, a Location Recipient (LR) that requests and receives location information, and a Rule Maker (RM) that writes authorization policies. An authorization policy is a set of rules that regulates an entity's activities with respect to privacy-sensitive information, such as location information. The data object containing location information in the context of this document is referred to as a Location Object (LO). The basic rule set defined in the Presence Information Data Format Location Object (PIDF-LO) [RFC4119] can restrict how long the Location Recipient is allowed to retain the information, and it can prohibit further distribution. It also contains a reference to an enhanced rule set and a human-readable privacy policy. The basic rule set does not protect access to location information. It only conveys the user's privacy preferences. This document describes an enhanced rule set that provides richer constraints on the distribution of LOs. The enhanced rule set allows the entity that uses the rules defined in this document to restrict the retention and to enforce access restrictions on location data, including prohibiting any dissemination to particular individuals, during particular times or when the Target is located in a specific region. The RM can also stipulate that only certain parts of the Location Object are to be distributed to recipients or that the resolution is reduced for parts of the Location Object. In the typical sequence of operations, a Location Server receives a query for location information for a particular Target. The authenticated identity of the Location Recipient, together with other information provided with the request or generally available to the server, is then used for searching through the rule set. If more than one rule matches the condition element, then the combined Schulzrinne, et al. Standards Track [Page 4] RFC 6772 Geolocation Policy January 2013 permission is evaluated according to the description in Section 10 of [RFC4745]. The result of the rule evaluation is applied to the location information, yielding a possibly modified Location Object that is delivered to the Location Recipient. This document does not describe the protocol used to convey location information from the Location Server to the Location Recipient. This document extends the Common Policy framework defined in [RFC4745]. That document provides an abstract framework for expressing authorization rules. As specified there, each such rule consists of conditions, actions, and transformations. Conditions determine under which circumstances the entity executing the rules, such as a Location Server, is permitted to apply actions and transformations. In a location information context, transformations regulate how a Location Server modifies the information elements that are returned to the requestor by, for example, reducing the granularity of returned location information. This document defines two algorithms for reducing the granularity of returned location information. The first algorithm is defined for usage with civic location information (see Section 6.5.1) while the other one applies to geodetic location information (see Section 6.5.2). Both algorithms come with limitations, i.e., they provide location obfuscation under certain conditions and may therefore not be appropriate for all application domains. These limitations are documented within the Security Consideration section (see Section 13). The geodetic transformation algorithm in Section 6.5.2 mitigates privacy risks for both stationary and moving Targets. However, moving Targets will reveal additional information to an adversary. To cover applications that have more sophisticated privacy requirements, additional algorithms may need to be defined. This document foresees extensions in the form of new algorithms and therefore defines a registry (see Section 11.3). The XML schema defined in Section 9 extends the Common Policy schema by introducing new child elements to the condition and transformation elements. This document does not define child elements for the action part of a rule. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Schulzrinne, et al. Standards Track [Page 5] RFC 6772 Geolocation Policy January 2013 This document reuses the terminology of RFC 6280 [RFC6280], such as Location Server (LS), Location Recipient (LR), Rule Maker (RM), Target, Location Generator (LG), and Location Object (LO). This document uses the following terminology: Presentity or Target: RFC 6280 [RFC6280] uses the term "Target" to identify the object or person of which location information is required. The presence model described in RFC 2778 [RFC2778] uses the term "presentity" to describe the entity that provides presence information to a presence service. A presentity in a presence system is a Target in a location information system. Watcher or Location Recipient: The receiver of location information is the Location Recipient (LR) in the terminology of RFC 6280 [RFC6280]. A watcher in a presence system, i.e., an entity that requests presence information about a presentity, is a Location Recipient in a location information system. Authorization policy: An authorization policy is given by a rule set. A rule set contains an unordered list of (policy) rules. Each rule has a condition, an action, and a transformation component. Permission: The term "permission" refers to the action and transformation components of a rule. Location Servers: Entities that evaluate the geolocation authorization policies. Presence Servers: The geolocation privacy architecture is, as described in RFC 4079 [RFC4079], aligned with the presence architecture, and a "Presence Server" is therefore an entity that distributes location information along with other presence-specific XML data elements. Schulzrinne, et al. Standards Track [Page 6] RFC 6772 Geolocation Policy January 2013 3. Generic Processing 3.1. Structure of Geolocation Authorization Documents A geolocation authorization document is an XML document, formatted according to the schema defined in [RFC4745]. Geolocation authorization documents inherit the media type of Common Policy documents, application/auth-policy+xml. As described in [RFC4745], this document is composed of rules that contain three parts: conditions, actions, and transformations. Each action or transformation, which is also called a permission, has the property of being a positive grant of information to the Location Recipient. As a result, there is a well-defined mechanism for combining actions and transformations obtained from several sources. This mechanism is privacy enabling, since the lack of any action or transformation can only result in less information being presented to a Location Recipient. 3.2. Rule Transport There are two ways the authorization rules described in this document may be conveyed between different parties: o RFC 4119 [RFC4119] allows enhanced authorization policies to be referenced via a Uniform Resource Locator (URL) in the 'ruleset- reference' element. The 'ruleset-reference' element is part of the basic rules that always travel with the Location Object. o Authorization policies might, for example, also be stored at a Location Server / Presence Server. The Rule Maker therefore needs to use a protocol to create, modify, and delete the authorization policies defined in this document. Such a protocol is available with the Extensible Markup Language (XML) Configuration Access Protocol (XCAP) [RFC4825]. 4. Location-Specific Conditions This section describes the location-specific conditions of a rule. The element contains zero or more child element(s). The element only evaluates to TRUE if all child elements evaluate to TRUE; therefore, multiple elements are not normally useful. The element MUST contain at least one child element. The element evaluates to TRUE if any of its child elements matches the location of the Target, i.e., elements are combined using a logical OR. Schulzrinne, et al. Standards Track [Page 7] RFC 6772 Geolocation Policy January 2013 The three attributes of are 'profile', 'xml:lang', and 'label'. The 'profile' indicates the location profile that is included as child elements in the element. Two location profiles, geodetic and civic, are defined in Sections 4.1 and 4.2. Each profile describes under what conditions a element evaluates to TRUE. The 'label' attribute allows a human-readable description to be added to each element. The 'xml:lang' attribute contains a language tag providing further information for rendering of the content of the 'label' attribute. The and the elements provide extension points. If an extension is not understood by the entity evaluating the rules, then this rule evaluates to FALSE. This causes a element to evaluate to FALSE if a element is unsupported. A is considered TRUE if any of the elements understood by the rule evaluator is TRUE. 4.1. Geodetic Location Condition Profile The geodetic location profile is identified by the token 'geodetic- condition'. Rule Makers use this profile by placing a Geography Markup Language [GML] element within the element (as described in Section 5.2.3 of [RFC5491]). The element containing the information for the geodetic location profile evaluates to TRUE if the current location of the Target is completely within the described location (see Section 6.1.15.3 of [OGC-06-103r4]). Note that the Target's actual location might be represented by any of the location shapes described in [RFC5491]. If the geodetic location of the Target is unknown, then the element containing the information for the geodetic location profile evaluates to FALSE. Implementations MUST support the World Geodetic System 1984 (WGS 84) [NIMA.TR8350.2-3e] coordinate reference system using the formal identifier from the European Petroleum Survey Group (EPSG) Geodetic Parameter Dataset (as formalized by the Open Geospatial Consortium (OGC)): 2D: WGS 84 (latitude, longitude), as identified by the URN "urn:ogc:def:crs:EPSG::4326". This is a two-dimensional CRS. A Coordinate Reference System (CRS) MUST be specified using the above URN notation only; implementations do not need to support user- defined CRSs. Schulzrinne, et al. Standards Track [Page 8] RFC 6772 Geolocation Policy January 2013 Implementations MUST specify the CRS using the "srsName" attribute on the outermost geometry element. The CRS MUST NOT be changed for any sub-elements. The "srsDimension" attribute MUST be omitted, since the number of dimensions in these CRSs is known. 4.2. Civic Location Condition Profile The civic location profile is identified by the token 'civic- condition'. Rule Makers use this profile by placing a element, defined in [RFC5139], within the element. All child elements of a element that carry elements MUST evaluate to TRUE (i.e., logical AND) in order for the element to evaluate to TRUE. For each child element, the value of that element is compared to the value of the same element in the Target's civic location. The child element evaluates to TRUE if the two values are identical based on an octet-by-octet comparison. A element containing a profile evaluates to FALSE if a civic address is not present for the Target. For example, this could occur if location information has been removed by other rules or other transmitters of location information or if only the geodetic location is known. In general, it is RECOMMENDED behavior for an LS not to apply a translation from geodetic location to civic location (i.e., geocode the location). 5. Actions This document does not define location-specific actions. 6. Transformations This document defines several elements that allow Rule Makers to specify transformations that o reduce the accuracy of the returned location information, and o set the basic authorization policies carried inside the PIDF-LO. 6.1. Set Retransmission-Allowed This element specifies a change to or the creation of a value for the element in the PIDF-LO. The data type of the element is a boolean. If the value of the element is set to TRUE, then the element in the PIDF-LO MUST be set to TRUE. If the value of the Schulzrinne, et al. Standards Track [Page 9] RFC 6772 Geolocation Policy January 2013 element is set to FALSE, then the element in the PIDF-LO MUST be set to FALSE. If the element is absent, then the value of the element in the PIDF-LO MUST be kept unchanged, or if the PIDF-LO is created for the first time, then the value MUST be set to FALSE. 6.2. Set Retention-Expiry This transformation asks the LS to change or set the value of the element in the PIDF-LO. The data type of the element is a non-negative integer. The value provided with the element indicates seconds, and these seconds are added to the time that the LS provides location. A value of zero requests that the information is not retained. If the element is absent, then the value of the element in the PIDF-LO is kept unchanged, or if the PIDF-LO is created for the first time, then the value MUST be set to the current date. 6.3. Set Note-Well This transformation asks the LS to change or set the value of the element in the PIDF-LO. The data type of the element is a string. The value provided with the element contains a privacy statement as a human-readable text string, and an 'xml:lang' attribute denotes the language of the human-readable text. If the element is absent, then the value of the element in the PIDF-LO is kept unchanged, or if the PIDF-LO is created for the first time, then no content is provided for the element. 6.4. Keep Ruleset Reference This transformation specifies whether the element in the PIDF-LO carries the extended authorization rules defined in [RFC4745]. The data type of the element is boolean. If the value of the element is set to TRUE, then the element in the PIDF-LO is kept unchanged Schulzrinne, et al. Standards Track [Page 10] RFC 6772 Geolocation Policy January 2013 when included. If the value of the element is set to FALSE, then the element in the PIDF-LO MUST NOT contain a reference to an external rule set. The reference to the ruleset is removed, and no rules are carried as MIME bodies (in case of Content-ID (cid:) URIs [RFC2392]). If the element is absent, then the value of the element in the PIDF-LO is kept unchanged when available, or if the PIDF-LO is created for the first time, then the element MUST NOT be included. 6.5. Provide Location The element contains child elements of a specific location profile that controls the granularity of returned location information. This form of location granularity reduction is also called 'obfuscation' and is defined in [DUCKHAM05] as the means of deliberately degrading the quality of information about an individual's location in order to protect that individual's location privacy. Location obscuring presents a number of technical challenges. The algorithms provided in this document are provided as examples only. A discussion of the technical constraints on location obscuring is included in Section 13.5. The functionality of location granularity reduction depends on the type of location provided as input. This document defines two profiles for reduction, namely: o civic-transformation: If the element has a child element, then civic location information is disclosed as described in Section 6.5.1, subject to availability. o geodetic-transformation: If the element has a child element, then geodetic location information is disclosed as described in Section 6.5.2, subject to availability. The element MUST contain the 'profile' attribute if it contains child elements, and the child elements MUST be appropriate for the profile. If the element has no child elements, then civic as well as geodetic location information is disclosed without reducing its granularity, subject to availability. In this case, the profile attribute MUST NOT be included. Schulzrinne, et al. Standards Track [Page 11] RFC 6772 Geolocation Policy January 2013 6.5.1. Civic Location Profile This profile uses the token 'civic-transformation'. This profile allows civic location transformations to be specified by means of the element that restricts the level of civic location information the LS is permitted to disclose. The symbols of these levels are: 'country', 'region', 'city', 'building', and 'full'. Each level is given by a set of civic location data items such as and , ..., , as defined in [RFC5139]. Each level includes all elements included by the lower levels. The 'country' level includes only the element; the 'region' level adds the element; the 'city' level adds the and elements; the 'building' level and the 'full' level add further civic location data as shown below. full {, , , , , , , , , , , , , , , , , ,,,, , , , , , , , , } | | building {, , , , , , , , , , , , , , , , , } | | city {, , , } | | region {, } | | country {} | | none {} The default value is "none". The schema of the element is defined in Section 8. Schulzrinne, et al. Standards Track [Page 12] RFC 6772 Geolocation Policy January 2013 6.5.2. Geodetic Location Profile This profile uses the token 'geodetic-transformation' and refers only to the Coordinate Reference System (CRS) WGS 84 (urn:ogc:def:crs:EPSG::4326, 2D). This profile allows geodetic location transformations to be specified by means of the element that may restrict the returned geodetic location information based on the value provided in the 'radius' attribute. The value of the 'radius' attribute expresses the radius in meters. The schema of the element is defined in Section 8. The algorithm proceeds in six steps. The first two steps are independent of the measured position to be obscured and should be run only once or very infrequently for each region and desired uncertainty. The steps are: 1. Choose a geodesic projection with Cartesian coordinates and a surface you want to cover. Limit the worst-case distortion of the map as noted below. 2. Given a desired uncertainty radius "d", choose a grid of so- called "landmarks" at a distance of at least d units apart from each other. 3. Given a measured location M=(m,n) on the surface, calculate its 4 closest landmarks on the grid, with coordinates: SW = (l,b), SE=(r,b), NW=(l,t), NE=(r,t). Thus, l<=m element. Requests match only if the Target is at a civic location with country set to 'Germany', state (A1) set to 'Bavaria', city (A3) set to 'Munich', city division (A4) set to 'Perlach', street name (A6) set to 'Otto-Hahn-Ring', and house number (HNO) set to '6'. No actions and transformation child elements are provided in this rule example. The actions and transformation could include presence- specific information when the Geolocation Policy framework is applied to the Presence Policy framework (see [RFC5025]). DE Bavaria Munich Perlach Otto-Hahn-Ring 6 Schulzrinne, et al. Standards Track [Page 15] RFC 6772 Geolocation Policy January 2013 7.2. Rule Example with Geodetic Location Condition This example illustrates a rule that employs the geodetic location condition. The rule matches if the current location of the Target is inside the area specified by the polygon. The polygon uses the EPSG 4326 coordinate reference system. No altitude is included in this example. -33.8570029378 151.2150070761 1500 Schulzrinne, et al. Standards Track [Page 16] RFC 6772 Geolocation Policy January 2013 7.3. Rule Example with Civic and Geodetic Location Condition This example illustrates a rule that employs a mixed civic and geodetic location condition. Depending on the available type of location information, namely civic or geodetic location information, one of the location elements may match. DE Bavaria Munich Perlach Otto-Hahn-Ring 6 -34.410649 150.87651 1500 Schulzrinne, et al. Standards Track [Page 17] RFC 6772 Geolocation Policy January 2013 7.4. Rule Example with Location-Based Transformations This example shows the transformations specified in this document. The element indicates that the available civic location information is reduced to building level granularity. If geodetic location information is requested, then a granularity reduction is provided as well. false 86400 My privacy policy goes here. false building Schulzrinne, et al. Standards Track [Page 18] RFC 6772 Geolocation Policy January 2013 The following rule describes the shorthand notation for making the current location of the Target available to Location Recipients without granularity reduction. 7.5. Location Obfuscation Example Suppose you want to obscure positions in the continental USA. Step 1: First, you choose a geodesic projection. If you are measuring location as latitude and longitude, a natural choice is to take a rectangular projection. One latitudinal degree corresponds to approximately 110.6 kilometers, while a good approximation of a longitudinal degree at latitude phi is (pi/180)*M*cos(phi), where pi is approximately 3.1415, and M is the Earth's average meridional radius, approximately 6,367.5 km. For instance, one longitudinal degree at 30 degrees (say, New Orleans) is 96.39 km, while the formula given offers an estimation of 96.24, which is good enough for our purposes. We will set up a grid not only for the continental USA, but for the whole earth between latitudes 25 and 50 degrees, and thus will cover also the Mediterranean, South Europe, Japan, and the north of China. As will be seen below, the grid distortion (for not too large grids in this region) is approx cos(25)/cos(50), which is 1.4099. As origin of our grid, we choose the point at latitude 25 degrees and longitude 0 (Greenwich). The latitude 25 degrees is chosen to be just south of Florida and thus south of the continental USA. (On the Southern Hemisphere, the origin should be north of the region to be covered; if the region crosses the Equator, the Schulzrinne, et al. Standards Track [Page 19] RFC 6772 Geolocation Policy January 2013 origin should be on the Equator. In this way, it is guaranteed that the latitudinal degree has the largest distance at the latitude of the origin). At 25 degrees, one degree in east-west direction corresponds to approximately (pi/180)*M*cos(25) = 100.72 km. The same procedure, basically, produces grids for * 45 degrees south to 45 degrees north: Tropics and subtropics, Africa, Australia * 25 to 50 degrees (both north or south): Continental United States, Mediterranean, most of China; most of Chile and Argentina, New Zealand * 35 to 55 degrees (both north or south): Southern and Central Europe * 45 to 60 degrees (both north or south): Central and Northern Europe, Canada * 55 to 65 degrees (both north or south): most of Scandinavia * 60 to 70 degrees (both north or south): Alaska Since we do not want to change the grid system often (this would leak more information about obscured locations when they are repeatedly visited), the algorithm should prefer to use the grids discussed above, with origin at the Greenwich meridian and at latitudes o=0, o=25, o=35, o=45, 0=55, and o=60 degrees (north) or at latitudes o=-25, o=-35, o=-45, 0=-55, and o=-60 degrees (the minus to indicate "south"). Our choice for the continental USA is o=25. For locations close to the poles, a different projection should be used (not discussed here). Step 2: To construct the grid, we start with our chosen origin and place grid points at regular intervals along each of the axes (north- south and east-west) with a distance d between each. Schulzrinne, et al. Standards Track [Page 20] RFC 6772 Geolocation Policy January 2013 We will now construct a grid for a desired uncertainty of d = 100km. At our origin, 100 km correspond roughly to d1 = 100/ 100.72 = 0.993 degrees in an east-west direction and to d2 = 100/ 110.6 = 0.904 degrees in a north-south direction. The (i,j)-point in the grid (i and j are integers) has longitude d1*i and latitude 25+d2*j, measured in degrees. More generally, if the grid has origin at coordinates (0,o), measured in degrees, the (i,j)-point in the grid has coordinates (longitude = d1*i, latitude = o+d2*j). The grid has almost no distortion at the latitude of the origin, but it does as we go further away from it. The distance between two points in the grid at 25 degrees latitude is indeed approximately 100 km, but just above the Canadian border, on the 50th degree, it is 0.993*(pi/180)*M*cos(50) = 70.92km. Thus, the grid distortion is 100/70.92 = 1.41, which is acceptable (<1.5). (In the north-south direction, the grid has roughly no distortion; the vertical distance between two neighboring grid points is approximately 100 km). Step 3: Now suppose you measure a position at M, with longitude -105 (the minus sign is used to denote 105 degrees *west*; without minus, the point is in China, 105 degrees east) and latitude 40 degrees (just north of Denver, CO). The point M is 105 degrees west and 15 degrees north of our origin (which has longitude 0 and latitude 25). Let "floor" be the function that returns the largest integer smaller or equal to a floating point number. To calculate SW, the closest point of the grid on the southwest of M=(m,n), we calculate i= floor(m/d1) = floor(-105/0.993) = -106 j= floor(n-o/d2) = floor(15/0.904) = 16 Those are the indexes of SW on the grid. The coordinates of SW are then: (d1*i, 25+d2*j) = (-105.242, 39.467). Thus: l=d1*floor(m/d1) = -105.243 r=l+d1 = -105.243+0.993 = -104.250 b=o+d2*floor(n-o/d2) = 39.467 Schulzrinne, et al. Standards Track [Page 21] RFC 6772 Geolocation Policy January 2013 t=b+d2 = 39.467+0.904 = 40.371 These are the formulas for l, r, b, and t in the general case of Cartesian projections based on latitude and longitude. Step 4: Calculate x and y, the local coordinates of the point M in the small grid square that contains it. This is easy: x=(m-l)/(r-l) = [-105 -(-105.243)]/0.993 = 0.245 y=(n-b)/(t-b) = [40 - 39.467]/0.904 = 0.590 Step 5: First, compare x with p (0.2887) and 1-p (0.7113). x is smaller than p. Therefore, only cases 1, 4, or 6 could hold. Also, compare y with p (0.2887) and 1-p (0.7113). y is between them: p <= y < q. Thus, we must be in case 4. To check, compare y (0.59) with x (0.245) and 1-x. y is larger than x and smaller than 1-x. We are in case C4 (p <= y < q and x <= y and y < 1-x). Step 6: Now we choose either SW or NW as the center of the circle. The obscured location is the circle with radius 100 km and center in SW (coordinates: -105.243, 39.467) or NW (coordinates: -105.243, 40.371). Schulzrinne, et al. Standards Track [Page 22] RFC 6772 Geolocation Policy January 2013 8. XML Schema for Basic Location Profiles This section defines the location profiles used as child elements of the transformation element. Schulzrinne, et al. Standards Track [Page 23] RFC 6772 Geolocation Policy January 2013 9. XML Schema for Geolocation Policy This section presents the XML schema that defines the Geolocation Policy schema described in this document. The Geolocation Policy schema extends the Common Policy schema (see [RFC4745]). Schulzrinne, et al. Standards Track [Page 24] RFC 6772 Geolocation Policy January 2013 10. XCAP Usage This section defines the details necessary for clients to manipulate geolocation privacy documents from a server using XCAP. If used as part of a presence system, it uses the same Application Unique ID (AUID) as those rules. See [RFC5025] for a description of the XCAP usage in context with presence authorization rules. Schulzrinne, et al. Standards Track [Page 25] RFC 6772 Geolocation Policy January 2013 10.1. Application Unique ID XCAP requires application usages to define a unique Application Unique ID (AUID) in either the IETF tree or a vendor tree. This specification defines the "geolocation-policy" AUID within the IETF tree, via the IANA registration in Section 11. 10.2. XML Schema XCAP requires application usages to define a schema for their documents. The schema for geolocation authorization documents is described in Section 9. 10.3. Default Namespace XCAP requires application usages to define the default namespace for their documents. The default namespace is urn:ietf:params:xml:ns:geolocation-policy. 10.4. MIME Media Type XCAP requires application usages to define the MIME media type for documents they carry. Geolocation privacy authorization documents inherit the MIME type of Common Policy documents, application/ auth-policy+xml. 10.5. Validation Constraints This specification does not define additional constraints. 10.6. Data Semantics This document discusses the semantics of a geolocation privacy authorization. 10.7. Naming Conventions When a Location Server receives a request to access location information of some user foo, it will look for all documents within http://[xcaproot]/geolocation-policy/users/foo and use all documents found beneath that point to guide authorization policy. 10.8. Resource Interdependencies This application usage does not define additional resource interdependencies. Schulzrinne, et al. Standards Track [Page 26] RFC 6772 Geolocation Policy January 2013 10.9. Authorization Policies This application usage does not modify the default XCAP authorization policy, which is that only a user can read, write, or modify his/her own documents. A server can allow privileged users to modify documents that they do not own, but the establishment and indication of such policies is outside the scope of this document. 11. IANA Considerations There are several IANA considerations associated with this specification. 11.1. Geolocation Policy XML Schema Registration This section registers an XML schema in the IETF XML Registry as per the guidelines in [RFC3688]. URI: urn:ietf:params:xml:schema:geolocation-policy Registrant Contact: IETF Geopriv Working Group (geopriv@ietf.org), Hannes Tschofenig (hannes.tschofenig@nsn.com). XML: The XML schema to be registered is contained in Section 9. Its first line is and its last line is 11.2. Geolocation Policy Namespace Registration This section registers a new XML namespace in the IETF XML Registry as per the guidelines in [RFC3688]. URI: urn:ietf:params:xml:ns:geolocation-policy Registrant Contact: IETF Geopriv Working Group (geopriv@ietf.org), Hannes Tschofenig (hannes.tschofenig@nsn.com). Schulzrinne, et al. Standards Track [Page 27] RFC 6772 Geolocation Policy January 2013 XML: BEGIN Geolocation Policy Namespace

Namespace for Geolocation Authorization Policies

urn:ietf:params:xml:schema:geolocation-policy

See RFC 6772.

END 11.3. Geolocation Policy Location Profile Registry This document creates a registry of location profile names for the Geolocation Policy framework. Profile names are XML tokens. This registry will operate in accordance with RFC 5226 [RFC5226], Specification Required. This document defines the following profile names: geodetic-condition: Defined in Section 4.1. civic-condition: Defined in Section 4.2. geodetic-transformation: Defined in Section 6.5.2. civic-transformation: Defined in Section 6.5.1. 11.4. Basic Location Profile XML Schema Registration This section registers an XML schema in the IETF XML Registry as per the guidelines in [RFC3688]. URI: urn:ietf:params:xml:schema:basic-location-profiles Registrant Contact: IETF Geopriv Working Group (geopriv@ietf.org), Hannes Tschofenig (hannes.tschofenig@nsn.com). Schulzrinne, et al. Standards Track [Page 28] RFC 6772 Geolocation Policy January 2013 XML: The XML schema to be registered is contained in Section 8. Its first line is and its last line is 11.5. Basic Location Profile Namespace Registration This section registers a new XML namespace in the IETF XML Registry as per the guidelines in [RFC3688]. URI: urn:ietf:params:xml:ns:basic-location-profiles Registrant Contact: IETF Geopriv Working Group (geopriv@ietf.org), Hannes Tschofenig (hannes.tschofenig@nsn.com). XML: BEGIN Basic Location Profile Namespace

Namespace for Basic Location Profile

urn:ietf:params:xml:schema:basic-location-profiles

See RFC 6772.

END 11.6. XCAP Application Usage ID This section registers an XCAP Application Unique ID (AUID) in the "XML-XCAP Application Unique IDs" registry according to the IANA procedures defined in [RFC4825]. Name of the AUID: geolocation-policy Schulzrinne, et al. Standards Track [Page 29] RFC 6772 Geolocation Policy January 2013 Description: Geolocation privacy rules are documents that describe the permissions that a Target has granted to Location Recipients that access information about his/her geographic location. 12. Internationalization Considerations The policies described in this document are mostly meant for machine- to-machine communications; as such, many of its elements are tokens not meant for direct human consumption. If these tokens are presented to the end user, some localization may need to occur. The policies are, however, supposed to be created with the help of humans, and some of the elements and attributes are subject to internationalization considerations. The content of the