Network Working Group M. Wahl
Internet-Draft Informed Control Inc.
Expires: September 8, 2005 March 7, 2005
P3P Policy Attributes for LDAP
draft-wahl-ldap-p3p-00
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of Section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 8, 2005.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document defines attributes that can be retrieved via
Lightweight Directory Access Protocol version 3 (LDAP) requests,
which contain URIs pointing to the privacy policy documents
describing access to a directory server and that apply to the
contents of a subtree of entries. These attributes enable a
directory client to retrieve the privacy policies before sending
further requests to the directory server.
Wahl Expires September 8, 2005 [Page 1]
Internet-Draft P3P Policy Attributes for LDAP March 2005
1. Introduction
This document discusses how clients can obtain a P3P1.0 privacy
policy statement [1] from a directory server via LDAPv3 [2].
The words "MUST" and "MAY" are used as defined in [3].
Please send comments to the author at mark.wahl@informed-control.com.
2. Policy documents
The attributes defined in this document contain Uniform Resource
Identifiers (URIs) [6]. The URIs are anticipated to be of a form,
such as http [7], which has a protocol for the retrieval of an XML
document. This document does not define how to retrieve XML content
from the directory server itself.
Unlike the use of privacy policies in web protocols described in
section 2 of P3P [1], this specification does not incorporate the
indirection procedures of the policy reference file. (Policy
reference files are omitted because their INCLUDE and EXCLUDE elements
assume a relative URL hierarchy, which is not appropriate to the
identification of resources in directory servers, which follow a
different hierarchy, and because the policy documents are likely stored on
a different kind of server than the directory server itself). Instead,
the URI directly identifies the document containing the POLICIES
element.
The URI stored in the directory attributes defined in the sections
below MUST identify a file which is a UTF-8 encoded XML format
document. That file MUST contain a POLICIES element, as defined in
section 3.2 of P3P1.0 [1]. The URI MUST contain a URI fragment that
specifies the name of the policy within that POLICIES element.
For example, a directory entry might contain the attribute
subtreeP3PrivacyPolicy: http://www.example.com/pol.xml#policy-ds
The client SHOULD then attempt to contact the server for
www.example.com via HTTP, and obtain the file /pol.xml.
This file might resemble:
....
....
The client would locate the POLICY element which has a name matching
that of the fragment in the URI, policy-ds. The client processing of
this information MUST be in accordance with section 2.4.4 of P3P1.0
[1].
3. Attribute for Directory Server Privacy Policy
This attribute publishes the policy of the directory server as it
relates to collecting data from the LDAP client. The purpose of this
attribute is to ensure that directory clients have the ability to
become aware of the privacy implications of further interactions with
a particular directory server. Based on this information, the
directory client might choose to disconnect or might present an end
user with information on the privacy policy.
The semantics of this attribute are analogous to those of a web
server publishing via HTTP and P3P the policy for browsers accessing
a web site hosted on that server. Specifically, it informs the
directory client that operation requests sent to the directory server
might be used for one or more purposes, as described in the policy
document.
The attribute is defined as follows:
attributeTypes: ( OID-TBD
NAME 'serverP3PrivacyPolicy'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE USAGE directoryOperation )
The value is a single URI, which is encoded as a string in the UTF-8
charset [5]. The form of URI is specified in section 2 above.
This attribute MAY be present in the directory server's root DSE.
The attribute is retrievable if a client performs a base object
search of the root DSE (with a distinguished name of zero length)
with a filter of "(objectClass=*)", as described in section 4 of RFC
2251 [4].
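The retrieval described in section 3 and the URI handling of section 2, worked through as an added example (this is not code from the draft or from any LDAP implementation). It takes the LDIF output of a base-object search of the root DSE, extracts serverP3PrivacyPolicy, applies the form checks of section 2 plus the scheme and userinfo checks a cautious client would add, and then locates the POLICY element whose name matches the URI fragment. The ldapsearch command line is OpenLDAP's; the host name, the LDIF and the POLICIES document are constructed for illustration, and the actual HTTP fetch is left to a caller-supplied function.

```python
# Added example, not part of the draft: client-side handling of
# serverP3PrivacyPolicy from root DSE LDIF through to the named POLICY.
# Host name, LDIF and XML below are constructed for illustration.
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The section 3 search as an OpenLDAP command line (constructed host name);
# its LDIF output is what parse_ldif() consumes.
ROOT_DSE_SEARCH = ('ldapsearch -x -H ldap://ldap.example.com -s base -b "" '
                   '"(objectClass=*)" serverP3PrivacyPolicy')

# Constructed root DSE result in LDIF form (the root DSE has an empty DN).
SAMPLE_LDIF = """\
dn:
objectClass: top
namingContexts: dc=example,dc=com
supportedLDAPVersion: 3
serverP3PrivacyPolicy: http://www.example.com/pol.xml#policy-ds
"""

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed POLICIES document of the kind the URI points at; two policies,
# so the fragment genuinely has to select one of them.
SAMPLE_POLICIES_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<POLICIES xmlns="{P3P_NS}">
  <POLICY name="policy-web" discuri="http://www.example.com/privacy.html">
    <ACCESS><nonident/></ACCESS>
  </POLICY>
  <POLICY name="policy-ds" discuri="http://www.example.com/privacy-ds.html">
    <ACCESS><ident-contact/></ACCESS>
  </POLICY>
</POLICIES>
""".encode("utf-8")


def parse_ldif(text):
    """Parse one LDIF entry into {lowercased attr: [values]}.
    Handles folded continuation lines and '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def validate_policy_uri(uri):
    """Section 2 form checks plus the section 6 'good practice' caveats:
    a retrievable scheme, a host, no userinfo, and a non-empty fragment
    naming the policy. Returns (base_url, policy_name) or raises ValueError."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("policy URI has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in policy URI is not accepted")
    if not parts.fragment:
        raise ValueError("policy URI MUST carry a fragment naming the POLICY")
    return parts._replace(fragment="").geturl(), parts.fragment


def is_acceptable_policy_uri(uri):
    """Boolean wrapper around validate_policy_uri()."""
    try:
        validate_policy_uri(uri)
        return True
    except ValueError:
        return False


def find_policy(xml_bytes, policy_name):
    """Return the POLICY child of POLICIES whose name matches, else None.
    For documents from untrusted hosts, parse with defusedxml instead."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{P3P_NS}}}POLICIES":
        raise ValueError(f"root element {root.tag} is not a P3P POLICIES element")
    for pol in root.findall(f"{{{P3P_NS}}}POLICY"):
        if pol.get("name") == policy_name:
            return pol
    return None


def policy_from_root_dse(ldif_text, fetch):
    """Root DSE LDIF -> validated URI -> fetch(base_url) -> policy summary.
    `fetch` is caller-supplied so it can enforce TLS, timeouts and a size cap.
    Returns None when the attribute is absent or the named policy is missing."""
    values = parse_ldif(ldif_text).get("serverp3privacypolicy", [])
    if len(values) != 1:                  # absent, or SINGLE-VALUE violated
        return None
    base_url, name = validate_policy_uri(values[0])
    policy = find_policy(fetch(base_url), name)
    if policy is None:
        return None
    return {"name": name, "discuri": policy.get("discuri")}
```

A client would call policy_from_root_dse() with the LDIF from its own unauthenticated base search and a fetch function that only follows the validated base URL; if the result is None it has no policy to show the user and can decide, per section 3, whether to proceed or disconnect.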
4. Attribute for Directory Subtree Privacy Policy
This attribute publishes the policy of the directory service as it
relates to the privacy protection of a subtree of entries, typically
representing individual persons, that are held in a particular
subtree of the directory.
The semantics of this attribute are different from those of the
previous section. This attribute provides a directory client that
might be searching and extracting information about individuals from a
particular directory subtree with the privacy policy governing that
information. How these individuals' information was entered into the
directory is outside of the scope of this document, but it is assumed
that the privacy policy applied to the gathering of this information,
and SHOULD be respected by clients that are searching it.
The attribute is defined as follows:
attributeTypes: ( OID-TBD
NAME 'subtreeP3PrivacyPolicy'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
The value is a single URI, which is encoded as a string in the UTF-8
charset [5]. The form of URI is specified in section 2 above.
This attribute MAY be present in any entry.
In order to allow this attribute to be present on objects of many
different structural classes, an auxiliary object class is defined.
objectClasses: ( OID-TBD
NAME 'subtreeP3PrivacyPolicyClass'
AUXILIARY
MAY ( subtreeP3PrivacyPolicy ) )
This auxiliary class might most usefully be combined with the
organization or organizationalUnit classes.
Clients MUST NOT assume the absence of this class in an entry's
objectClass implies that the subtreeP3PrivacyPolicy attribute is not
present in the entry, as this attribute might be part of a privately-
defined schema, or be provided through collective attributes.
A client SHOULD locate this attribute in entries which are typically
used for the base object of subtrees of entries representing people,
before searching to extract data from those entries. For example,
the attribute may be stored in the base organization entry, or in an
organizationalUnit entry for a particular category of users (such as
employees or customers).
Applying different privacy policies to each individual user's entry
is outside of the scope of this document.
5. Data Schema
This document does not attempt to define a general mapping between
the LDAP schema representation and the P3P Basic Data Structures and
base data schema.
For a policy referenced by a serverP3PrivacyPolicy, the anticipated
P3P data structures that would be used in the policy would be those
of sections 5.5.3 (logins), 5.5.4 (certificates) and 5.5.7 (access
logs and internet addresses) of P3P1.0 [1]. The login id would
correspond to the distinguished name or other identifier which the
client provides in an authenticated bind request. A client which
sends add, modify or modrdn operations SHOULD also check for the
subtreeP3PrivacyPolicy of the subtree in which these operations are
targeted.
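The lookup that section 4 asks a client to perform before searching a subtree, and that section 5 extends to the target of add, modify and modrdn operations, as an added example (not code from the draft). It walks from the target DN up through its ancestors and returns the nearest entry that carries subtreeP3PrivacyPolicy, deciding on the presence of the attribute rather than of subtreeP3PrivacyPolicyClass, as section 4 requires. The in-memory directory, its DNs and policy URIs are constructed; read_entry() stands in for the base-object search a real client would issue for each ancestor.

```python
# Added example, not part of the draft: find the subtreeP3PrivacyPolicy
# that governs a target DN by walking up its ancestors. The directory
# below is a constructed stand-in for entries read with base-object searches.

DIRECTORY = {
    "dc=example,dc=com": {
        "objectClass": ["top", "domain"],
    },
    "o=Example Org,dc=example,dc=com": {
        "objectClass": ["top", "organization", "subtreeP3PrivacyPolicyClass"],
        "subtreeP3PrivacyPolicy": ["http://www.example.com/pol.xml#policy-org"],
    },
    "ou=customers,o=Example Org,dc=example,dc=com": {
        # policy present without the auxiliary class (private schema or a
        # collective attribute); section 4 says clients must still honour it
        "objectClass": ["top", "organizationalUnit"],
        "subtreeP3PrivacyPolicy": ["http://www.example.com/pol.xml#policy-cust"],
    },
    "ou=employees,o=Example Org,dc=example,dc=com": {
        "objectClass": ["top", "organizationalUnit"],
    },
    "cn=Alice,ou=customers,o=Example Org,dc=example,dc=com": {
        "objectClass": ["top", "person"],
        "cn": ["Alice"],
    },
}


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash escapes so an
    escaped comma inside a value is not treated as a separator."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def ancestors(dn):
    """Yield dn itself, then each parent DN up to the top-level RDN."""
    rdns = split_dn(dn)
    for i in range(len(rdns)):
        yield ",".join(rdns[i:])


def read_entry(dn):
    """Stand-in for a base-object search of dn with filter (objectClass=*).
    Returns the entry's attributes, or None if it is absent or unreadable."""
    return DIRECTORY.get(dn)


def governing_policy(target_dn, read=read_entry):
    """Return (entry_dn, policy_uri) for the nearest ancestor-or-self entry
    carrying subtreeP3PrivacyPolicy, or None if no policy is published.
    Attribute names are matched case-insensitively, as LDAP requires."""
    for dn in ancestors(target_dn):
        entry = read(dn)
        if not entry:
            continue
        lowered = {name.lower(): values for name, values in entry.items()}
        values = lowered.get("subtreep3privacypolicy")
        if values:
            return dn, values[0]
    return None


def policy_for_operation(operation, target_dn, read=read_entry):
    """Apply the same lookup to the target of a search, add, modify or modrdn;
    the operation name is only carried along for the caller's audit record."""
    found = governing_policy(target_dn, read)
    if found is None:
        return {"operation": operation, "target": target_dn, "policy": None}
    entry_dn, uri = found
    return {"operation": operation, "target": target_dn,
            "policy": uri, "published_at": entry_dn}
```

The nearest policy wins: Alice's entry is governed by the customers OU policy even though the organization above it publishes its own, and the employees OU, which publishes none, falls back to the organization's. Once the URI is found, it is validated and resolved exactly as for serverP3PrivacyPolicy.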
6. Security Considerations
This document addresses two security concerns with LDAP directories.
The first concern is that most directory servers maintain a log of
client requests. For each connection, the log might contain the
incoming connection's source IP addresses, the distinguished name or
other forms of identity used in bind requests, the type and fields of
requests sent by the client, as well as the server's responses. This
log may contain personally identifiable information, particularly
bind information, as well as information that could later be
correlated with other servers' log information, in order to identify
the user and their patterns of operations. Some organizations which
operate directory services, in particular publicly accessible
services or those which are available to the organization's partners
and customers, may wish to advertise the privacy policy of their
directory servers, in order to ensure that persons operating
directory clients accessing those servers are aware of what data is
being collected and the procedures surrounding this.
The second concern is that most directories contain a significant
quantity of personally identifiable and personal information about
individuals who are represented by entries in the directory.
Directory clients SHOULD ensure that information which is obtained
from the directory is handled in such a way that the privacy
protections asserted for those individuals' information are not
violated. This document defines a mechanism for a client to at least
be able to obtain the privacy protection requirements in the form of
a P3P policy element, and a client application which parses this can
determine whether its handling of the information is in accordance
with the policy.
Directory server deployments which provide unrestricted or public
access to information SHOULD permit clients to search to retrieve the
serverP3PrivacyPolicy attribute from the root DSE without needing to
have bound. The server SHOULD also consider this operation part of
the P3P "Safe Zone", as described in section 2.4.3 of P3P1.0 [1].
Directory clients SHOULD exercise good practice when determining how
to access the resources identified by the URIs present in the
serverP3PrivacyPolicy and subtreeP3PrivacyPolicy attributes.
Section 7 of RFC 3986 [6] also discusses security considerations when
handling URIs.
7. IANA Considerations
The following declarations will be submitted to IANA to register the
attribute type and object class definitions.
Subject: Request for LDAP Descriptor Registration
Descriptor (short name): serverP3PrivacyPolicy
Object Identifier: OID-TBD
Person & email address to contact for further information:
Mark Wahl
Usage: attributeTypes
Specification: RFC XXXX
Author/Change Controller: IESG
Comments:
Subject: Request for LDAP Descriptor Registration
Descriptor (short name): subtreeP3PrivacyPolicy
Object Identifier: OID-TBD
Person & email address to contact for further information:
Mark Wahl
Usage: attributeTypes
Specification: RFC XXXX
Author/Change Controller: IESG
Comments:
Subject: Request for LDAP Descriptor Registration
Descriptor (short name): subtreeP3PrivacyPolicyClass
Object Identifier: OID-TBD
Person & email address to contact for further information:
Mark Wahl
Usage: objectClasses
Specification: RFC XXXX
Author/Change Controller: IESG
Comments:
8. References
8.1 Normative References
[1] Cranor, L., Langheinrich, M., Marchiori, M., Presler-Marshall,
M., and J. Reagle, "The Platform for Privacy Preferences 1.0
(P3P1.0) Specification", April 2002.
[2] Hodges, J. and R. Morgan, "Lightweight Directory Access Protocol
(v3): Technical Specification", RFC 3377, September 2002.
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, BCP 14, March 1997.
[4] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access
Protocol (v3)", RFC 2251, December 1997.
[5] Wahl, M., Coulbeck, A., Howes, T., and S. Kille, "Lightweight
Directory Access Protocol (v3): Attribute Syntax Definitions",
RFC 2252, December 1997.
[6] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", RFC 3986,
January 2005.
8.2 Informative References
[7] "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
Author's Address
Mark Wahl
Informed Control Inc.
PO Box 90626
Austin, TX 78709
US
Email: mark.wahl@informed-control.com
Appendix A. Copyright
Copyright (C) The Internet Society 2005. This document is subject to
the rights, licenses and restrictions contained in BCP 78, and except
as set forth therein, the authors retain all their rights. This
document and the information contained herein are provided on an "AS
IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.