mirror of
https://github.com/uw-imap/imap.git
synced 2024-11-16 18:38:21 +01:00
22f316e36d
MD5 2126fd125ea26b73b20f01fcd5940369
396 lines
12 KiB
Plaintext
396 lines
12 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Network Working Group R. Siemborski
|
||
Request for Comments: 4959 Google, Inc.
|
||
Category: Standards Track A. Gulbrandsen
|
||
Oryx Mail Systems GmbH
|
||
September 2007
|
||
|
||
|
||
IMAP Extension for Simple Authentication and Security Layer (SASL)
|
||
Initial Client Response
|
||
|
||
Status of This Memo
|
||
|
||
This document specifies an Internet standards track protocol for the
|
||
Internet community, and requests discussion and suggestions for
|
||
improvements. Please refer to the current edition of the "Internet
|
||
Official Protocol Standards" (STD 1) for the standardization state
|
||
and status of this protocol. Distribution of this memo is unlimited.
|
||
|
||
Abstract
|
||
|
||
To date, the Internet Message Access Protocol (IMAP) has used a
|
||
Simple Authentication and Security Layer (SASL) profile which always
|
||
required at least one complete round trip for an authentication, as
|
||
it did not support an initial client response argument. This
|
||
additional round trip at the beginning of the session is undesirable,
|
||
especially when round-trip costs are high.
|
||
|
||
This document defines an extension to IMAP which allows clients and
|
||
servers to avoid this round trip by allowing an initial client
|
||
response argument to the IMAP AUTHENTICATE command.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Siemborski & Gulbrandsen Standards Track [Page 1]
|
||
|
||
RFC 4959 IMAP Ext for SASL Initial Client Response September 2007
|
||
|
||
|
||
1. Introduction
|
||
|
||
The SASL initial client response extension is present in any IMAP
|
||
[RFC3501] server implementation which returns "SASL-IR" as one of the
|
||
supported capabilities in its CAPABILITY response.
|
||
|
||
Servers which support this extension will accept an optional initial
|
||
client response with the AUTHENTICATE command for any SASL [RFC4422]
|
||
mechanisms which support it.
|
||
|
||
2. Conventions Used in This Document
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in [RFC2119].
|
||
|
||
In examples, "C:" and "S:" indicate lines sent by the client and
|
||
server, respectively.
|
||
|
||
Formal syntax is defined by [RFC4234] as extended by [RFC3501].
|
||
|
||
3. IMAP Changes to the IMAP AUTHENTICATE Command
|
||
|
||
This extension adds an optional second argument to the AUTHENTICATE
|
||
command that is defined in Section 6.2.2 of [RFC3501]. If this
|
||
second argument is present, it represents the contents of the
|
||
"initial client response" defined in Section 5.1 of [RFC4422].
|
||
|
||
As with any other client response, this initial client response MUST
|
||
be encoded as defined in Section 4 of [RFC4648]. It also MUST be
|
||
transmitted outside of a quoted string or literal. To send a zero-
|
||
length initial response, the client MUST send a single pad character
|
||
("="). This indicates that the response is present, but is a zero-
|
||
length string.
|
||
|
||
When decoding the BASE64 [RFC4648] data in the initial client
|
||
response, decoding errors MUST be treated as IMAP [RFC3501] would
|
||
handle them in any normal SASL client response. In particular, the
|
||
server should check for any characters not explicitly allowed by the
|
||
BASE64 alphabet, as well as any sequence of BASE64 characters that
|
||
contains the pad character ('=') anywhere other than the end of the
|
||
string (e.g., "=AAA" and "AAA=BBB" are not allowed).
|
||
|
||
If the client uses an initial response with a SASL mechanism that
|
||
does not support an initial response, the server MUST reject the
|
||
command with a tagged BAD response.
|
||
|
||
|
||
|
||
|
||
|
||
Siemborski & Gulbrandsen Standards Track [Page 2]
|
||
|
||
RFC 4959 IMAP Ext for SASL Initial Client Response September 2007
|
||
|
||
|
||
Note: support and use of the initial client response is optional for
|
||
both clients and servers. Servers that implement this extension MUST
|
||
support clients that omit the initial client response, and clients
|
||
that implement this extension MUST NOT send an initial client
|
||
response to servers that do not advertise the SASL-IR capability. In
|
||
such a situation, clients MUST fall back to an IMAP [RFC3501]
|
||
compatible mode.
|
||
|
||
If either the client or the server do not support the SASL-IR
|
||
capability, a mechanism which uses an initial client response is
|
||
negotiated using the challenge/response exchange described in
|
||
[RFC3501], with an initial zero-length server challenge.
|
||
|
||
4. Examples
|
||
|
||
The following is an example authentication using the PLAIN (see
|
||
[RFC4616]) SASL mechanism (under a TLS protection layer, see
|
||
[RFC4346]) and an initial client response:
|
||
|
||
... client connects to server and negotiates a TLS
|
||
protection layer ...
|
||
C: C01 CAPABILITY
|
||
S: * CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN
|
||
S: C01 OK Completed
|
||
C: A01 AUTHENTICATE PLAIN dGVzdAB0ZXN0AHRlc3Q=
|
||
S: A01 OK Success (tls protection)
|
||
|
||
Note that even when a server supports this extension, the following
|
||
negotiation (which does not use the initial response) is still valid
|
||
and MUST be supported by the server:
|
||
|
||
... client connects to server and negotiates a TLS
|
||
protection layer ...
|
||
C: C01 CAPABILITY
|
||
S: * CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN
|
||
S: C01 OK Completed
|
||
C: A01 AUTHENTICATE PLAIN
|
||
(note that there is a space following the "+" in the
|
||
following line)
|
||
S: +
|
||
C: dGVzdAB0ZXN0AHRlc3Q=
|
||
S: A01 OK Success (tls protection)
|
||
|
||
The following is an example authentication using the SASL EXTERNAL
|
||
mechanism (defined in [RFC4422]) under a TLS protection layer (see
|
||
[RFC4346]) and an empty initial client response:
|
||
|
||
|
||
|
||
|
||
|
||
Siemborski & Gulbrandsen Standards Track [Page 3]
|
||
|
||
RFC 4959 IMAP Ext for SASL Initial Client Response September 2007
|
||
|
||
|
||
... client connects to server and negotiates a TLS
|
||
protection layer ...
|
||
C: C01 CAPABILITY
|
||
S: * CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=EXTERNAL
|
||
S: C01 OK Completed
|
||
C: A01 AUTHENTICATE EXTERNAL =
|
||
S: A01 OK Success (tls protection)
|
||
|
||
This is in contrast with the handling of such a situation when an
|
||
initial response is omitted:
|
||
|
||
... client connects to server and negotiates a TLS protection
|
||
layer ...
|
||
C: C01 CAPABILITY
|
||
S: * CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN AUTH=EXTERNAL
|
||
S: C01 OK Completed
|
||
C: A01 AUTHENTICATE EXTERNAL
|
||
(note that there is a space following the "+" in the
|
||
following line)
|
||
S: +
|
||
C:
|
||
S: A01 OK Success (tls protection)
|
||
|
||
5. IANA Considerations
|
||
|
||
The IANA has added SASL-IR to the IMAP4 Capabilities Registry.
|
||
|
||
6. Security Considerations
|
||
|
||
The extension defined in this document is subject to many of the
|
||
Security Considerations defined in [RFC3501] and [RFC4422].
|
||
|
||
Server implementations MUST treat the omission of an initial client
|
||
response from the AUTHENTICATE command as defined by [RFC3501] (as if
|
||
this extension did not exist).
|
||
|
||
Although [RFC3501] has no express line length limitations, some
|
||
implementations choose to enforce them anyway. Such implementations
|
||
MUST be aware that the addition of the initial response parameter to
|
||
AUTHENTICATE may increase the maximum line length that IMAP parsers
|
||
may expect to support. Server implementations MUST be able to
|
||
receive the largest possible initial client response that their
|
||
supported mechanisms might receive.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Siemborski & Gulbrandsen Standards Track [Page 4]
|
||
|
||
RFC 4959 IMAP Ext for SASL Initial Client Response September 2007
|
||
|
||
|
||
7. Formal Syntax
|
||
|
||
The following syntax specification uses the Augmented Backus-Naur
|
||
Form [RFC4234] notation. [RFC3501] defines the non-terminals
|
||
capability, auth-type, and base64.
|
||
|
||
capability =/ "SASL-IR"
|
||
|
||
authenticate = "AUTHENTICATE" SP auth-type [SP (base64 / "=")]
|
||
*(CRLF base64)
|
||
;;redefine AUTHENTICATE from [RFC3501]
|
||
|
||
8. Acknowledgments
|
||
|
||
The authors would like to acknowledge the contributions of Ken
|
||
Murchison and Mark Crispin, along with the rest of the IMAPEXT
|
||
Working Group for their assistance in reviewing this document.
|
||
|
||
Alexey Melnikov and Cyrus Daboo also had some early discussions about
|
||
this extension.
|
||
|
||
9. References
|
||
|
||
9.1. Normative References
|
||
|
||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
|
||
4rev1", RFC 3501, March 2003.
|
||
|
||
[RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
|
||
Specifications: ABNF", RFC 4234, October 2005.
|
||
|
||
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and
|
||
Security Layer (SASL)", RFC 4422, June 2006.
|
||
|
||
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
|
||
Encodings", RFC 4648, October 2006.
|
||
|
||
9.2. Informative References
|
||
|
||
[RFC4616] Zeilenga, K., "The PLAIN Simple Authentication and
|
||
Security Layer (SASL) Mechanism", RFC 4616, August 2006.
|
||
|
||
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
|
||
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
|
||
|
||
|
||
|
||
|
||
Siemborski & Gulbrandsen Standards Track [Page 5]
|
||
|
||
RFC 4959 IMAP Ext for SASL Initial Client Response September 2007
|
||
|
||
|
||
Authors' Addresses
|
||
|
||
Robert Siemborski
|
||
Google, Inc.
|
||
1600 Ampitheatre Parkway
|
||
Mountain View, CA 94043
|
||
|
||
Phone: +1 650 623 6925
|
||
EMail: robsiemb@google.com
|
||
|
||
|
||
Arnt Gulbrandsen
|
||
Oryx Mail Systems GmbH
|
||
Schweppermannstr. 8
|
||
D-81671 Muenchen
|
||
Germany
|
||
|
||
EMail: arnt@oryx.com
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Siemborski & Gulbrandsen Standards Track [Page 6]
|
||
|
||
RFC 4959 IMAP Ext for SASL Initial Client Response September 2007
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The IETF Trust (2007).
|
||
|
||
This document is subject to the rights, licenses and restrictions
|
||
contained in BCP 78, and except as set forth therein, the authors
|
||
retain all their rights.
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
|
||
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
|
||
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
|
||
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
Intellectual Property
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
might or might not be available; nor does it represent that it has
|
||
made any independent effort to identify any such rights. Information
|
||
on the procedures with respect to rights in RFC documents can be
|
||
found in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use of
|
||
such proprietary rights by implementers or users of this
|
||
specification can be obtained from the IETF on-line IPR repository at
|
||
http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights that may cover technology that may be required to implement
|
||
this standard. Please address the information to the IETF at
|
||
ietf-ipr@ietf.org.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Siemborski & Gulbrandsen Standards Track [Page 7]
|
||
|