Network Working Group                                         R. Gellens
Internet-Draft                                     QUALCOMM Incorporated
Obsoletes: 5721 (if approved)                                  C. Newman
Intended status: Standards Track                                  Oracle
Expires: December 14, 2012 January 17, 2013                                         J. Yao
                                                                   CNNIC
                                                             K. Fujiwara
                                                                    JPRS
                                                           June 12,
                                                           July 16, 2012

                         POP3 Support for UTF-8
                    draft-ietf-eai-rfc5721bis-05.txt
                    draft-ietf-eai-rfc5721bis-06.txt

Abstract

   This specification extends the Post Office Protocol version 3 (POP3)
   to support un-encoded international characters in user names,
   passwords, mail addresses, message headers, and protocol-level
   textual strings.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 14, 2012. January 17, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Conventions Used in This Document  . . . . . . . . . . . .  3
   2.  LANG Capability  . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  UTF8 Capability  . . . . . . . . . . . . . . . . . . . . . . .  6
     3.1.  The UTF8 Command . . . . . . . . . . . . . . . . . . . . .  7
     3.2.  USER Argument to UTF8 Capability . . . . . . . . . . . . .  8
   4.  Native UTF-8 Maildrops . . . . . . . . . . . . . . . . . . . .  9
   5.  UTF8 Response Code . . . . . . . . . . . . . . . . . . . . . .  9
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   8.  Change History . . . . . . . . . . . . . . . . . . . . . . . . 10
     8.1.  draft-ietf-eai-rfc5721bis: Version 00  . . . . . . . . . . 10
     8.2.  draft-ietf-eai-rfc5721bis:  Version 01 . . . . . . . . . . 10
     8.3.  draft-ietf-eai-rfc5721bis:  Version 02 . . . . . . . . . . 10
     8.4.  draft-ietf-eai-rfc5721bis:  Version 03 . . . . . . . . . . 10
     8.5.  draft-ietf-eai-rfc5721bis:  Version 04 . . . . . . . . . . 11
     8.6.  draft-ietf-eai-rfc5721bis:  Version 05 . . . . . . . . . . 11
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 11
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 12
   Appendix A.  Design Rationale  . . . . . . . . . . . . . . . . . . 12
   Appendix B.  Acknowledgments . . . . . . . . . . . . . . . . . . . 13

1.  Introduction

   This document forms part of the Email Address Internationalization
   (EAI) protocols described in the EAI Framework document [RFC6530].
   As part of the overall EAI work, email messages could be transmitted
   and delivered containing un-encoded UTF-8 characters in the header
   and/or body, and maildrops that are accessed using POP3 [RFC1939]
   might natively store UTF-8.

   This specification extends POP3 [RFC1939] using the POP3 extension
   mechanism [RFC2449] to permit un-encoded UTF-8 [RFC3629] in headers,
   and bodies (e.g., transferred using 8-bit Content Transfer Encoding)
   as described in "Internationalized Email Headers" [RFC6532].  It also
   adds a mechanism to support login names and passwords containing
   UTF-8 characters, and a mechanism to support UTF-8 characters in
   protocol level response strings as well as the ability to negotiate a
   language for such response strings.

   This specification also adds a new response code to indicate that a
   message could not be returned because it requires UTF-8 mode and the
   server is unwilling to create and deliver variant form of the message
   discussed in Section 7 of [I-D.ietf-eai-5738bis].

   This specification replaces an earlier, experimental, approach to the
   same problem RFC 5721 [RFC5721].  Section 6 of [RFC6530] describes
   the changes in approach between RFC 5721 [RFC5721] and this
   specification.

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in "Key words for use in
   RFCs to Indicate Requirement Levels" [RFC2119].

   In examples, "C:" and "S:" indicate lines sent by the client and
   server, respectively.  If a single "C:" or "S:" label applies to
   multiple lines, then the line breaks between those lines are for
   editorial clarity only and are not part of the actual protocol
   exchange.

   Note that examples always use 7-bit ASCII characters due to
   limitations of this document format; Otherwise, some examples for the
   "LANG" command may appear incorrectly as a result.

2.  LANG Capability

   Per "POP3 Extension Mechanism" [RFC2449], this document adds a new
   capability response tag to indicate support for a new command: LANG.
   The capability tag and new command are described below.

   CAPA tag:
      LANG

   Arguments with CAPA tag:
      none

   Added Commands:
      LANG

   Standard commands affected:
      All

   Announced states / possible differences:
      both / no

   Commands valid in states:
      AUTHORIZATION, TRANSACTION

   Specification reference:
      this document

   Discussion:

   POP3 allows most +OK and -ERR server responses to include human-
   readable text that, in some cases, might be presented to the user.
   But that text is limited to ASCII by the POP3 specification
   [RFC1939].  The LANG capability and command permit a POP3 client to
   negotiate which language the server uses when sending human-readable
   text.

   The LANG command requests that human-readable text included in all
   subsequent +OK and -ERR responses be localized to a language matching
   the language range argument (the "Basic Language Range" as described
   by [RFC4647]).  If the command succeeds, the server returns a +OK
   response followed by a single space, the exact language tag selected,
   another space, and the rest of the line is human-readable text in the
   appropriate language.  This and subsequent protocol-level human-
   readable text is encoded in the UTF-8 charset.

   If the command fails, the server returns an -ERR response and
   subsequent human-readable response text continues to use the language
   that was previously active.

   The special "*" language range argument indicates a request to use a
   language designated as preferred by the server administrator.  The
   preferred language MAY vary based on the currently active user.

   If no argument is given and the POP3 server issues a positive
   response, then the response given is multi-line.  After the initial
   +OK, for each language tag the server supports, the POP3 server
   responds with a line for that language.  This line is called a
   "language listing".

   In order to simplify parsing, all POP3 servers are required to use a
   certain format for language listings.  A language listing consists of
   the language tag [RFC5646] of the message, optionally followed by a
   single space and a human-readable description of the language in the
   language itself, using the UTF-8 charset.  There are no specific
   listing order of languages, which may depend on configuration or
   implementation.

   Examples:

      < Note that some examples do not include the correct character
      accents due to limitations of this document format. >

      C: USER karen
      S: +OK Hello, karen
      C: PASS password
      S: +OK karen's maildrop contains 2 messages (320 octets)

      < Client requests deprecated MUL language.  Server replies
      with -ERR response. >

      C: LANG MUL
      S: -ERR invalid language MUL

      < A LANG command with no parameters is a request for
      a language listing. >

      C: LANG
      S: +OK Language listing follows:
      S: en English
      S: en-boont English Boontling dialect
      S: de Deutsch
      S: it Italiano
      S: es Espanol
      S: sv Svenska
      S: .

      < A request for a language listing might fail. >

      C: LANG
      S: -ERR Server is unable to list languages

      < Once the client selects the language, all responses will be in
      that language, starting with the response to the LANG command. >

      C: LANG es
      S: +OK es Idioma cambiado

      < If a server does not support the requested primary language,
      responses will continue to be returned in the current language
      the server is using. >

      C: LANG uga
      S: -ERR es Idioma <<UGA>> no es conocido

      C: LANG sv
      S: +OK sv Kommandot "LANG" lyckades

      C: LANG *
      S: +OK es Idioma cambiado

3.  UTF8 Capability

   Per "POP3 Extension Mechanism" [RFC2449], this document adds a new
   capability response tag to indicate support for new server
   functionality, including a new command: UTF8.  The capability tag and
   new command and functionality are described below.

   CAPA tag:
      UTF8

   Arguments with CAPA tag:
      USER

   Added Commands:
      UTF8

   Standard commands affected:
      USER, PASS, APOP, LIST, TOP, RETR

   Announced states / possible differences:
      both / no

   Commands valid in states:
      AUTHORIZATION

   Specification reference:
      this document

   Discussion:

   This capability adds the "UTF8" command to POP3.  The UTF8 command
   switches the session from ASCII to UTF-8 mode.  In UTF-8 mode, both
   servers and clients can send and accept UTF-8 characters.

3.1.  The UTF8 Command

   The UTF8 command enables UTF-8 mode.  The UTF8 command has no
   parameters.

   Maildrops can natively store UTF-8 or be limited to ASCII.  UTF-8
   mode has no effect on messages in an ASCII-only maildrop.  Messages
   in native UTF-8 maildrops can be ASCII or UTF-8 using
   internationalized headers [RFC6532] and/or 8bit content-transfer-
   encoding, as defined in MIME Section 2.8 [RFC2045].  In UTF-8 mode,
   both UTF-8 and ASCII messages are sent to the client as-is (without
   conversion).  When not in UTF-8 mode, UTF-8 messages in a native
   UTF-8 maildrop MUST NOT be sent to the client as-is.  If a client
   requests a UTF-8 message when not in UTF-8 mode, the server MUST
   either create the message content variant (discussed in Section 7 of
   [I-D.ietf-eai-5738bis]) it sends to the client to comply with
   unextended POP and Internet Mail Format without UTF-8 mode support,
   or fail the request with a -ERR response containing the UTF-8
   response code (see section 5).  The UTF8 command MAY fail.

   Note that even in UTF-8 mode, MIME binary content-transfer-encoding
   as defined in MIME Section 6.2 [RFC2045] is still not permitted.

   The octet count (size) of a message reported in a response to the
   LIST command SHOULD match the actual number of octets sent in a RETR
   response (not counting byte-stuffing).  Sizes reported elsewhere,
   such as in STAT responses and non-standardized, free-form text in
   positive status indicators (following "+OK") need not be accurate,
   but it is preferable if they were.

   Normal operation for UTF-8 maildrops will be for both servers and
   clients to support the extension discussed in this specification.
   Upgrading of both clients and servers is the only fully satisfactory
   way to support the capabilities offered by the "UTF8" extension and
   SMTPUTF8 mail more generally.  Servers must, however, anticipate the
   possibility of a client attempting to access a message that requires
   this extension without having issued the "UTF8" command.  There are
   no completely satisfactory responses for that case other than
   upgrading the client to support this specification.  One solution,
   unsatisfactory because the user may be confused by being able to
   access the message through some means and not others, is that a
   server MAY choose to reject the command to retrieve the message as
   discussed in Section 5.  Other alternatives, including the
   possibility of creating and delivering variant form of the message,
   are discussed in Section 7 of [I-D.ietf-eai-5738bis].

   Clients MUST NOT issue the STLS command [RFC2595] after issuing UTF8;
   servers MAY (but are not required to) enforce this by rejecting with
   an "-ERR" response an STLS command issued subsequent to a successful
   UTF8 command.  (Because this is a protocol error as opposed to a
   failure based on conditions, an extended response code [RFC2449] is
   not specified.)

3.2.  USER Argument to UTF8 Capability

   If the USER argument is included with this capability, it indicates
   that the server accepts UTF-8 user names and passwords.

   Servers that include the USER argument in the UTF8 capability
   response SHOULD apply SASLprep [RFC4013] or one of its standards-
   track successors to the arguments of the USER and PASS commands.

   A client or server that supports APOP and permits UTF-8 in user names
   or passwords MUST apply SASLprep [RFC4013] or one of its standards-
   track successors to the user name and password used to compute the
   APOP digest.

   When applying SASLprep [RFC4013], servers MUST reject UTF-8 user
   names or passwords that contain a Unicode character listed in Section
   2.3 of SASLprep [RFC4013].  When applying SASLprep to the USER
   argument, the PASS argument, or the APOP username argument, a
   compliant server or client MUST treat them as a query string
   [RFC3454](i.e., unassigned Unicode code points are allowed).  When
   applying SASLprep to the APOP password argument, a compliant server
   or client MUST treat them as a stored string [RFC3454] (i.e.,
   unassigned Unicode code points are prohibited).

   The client does not need to issue the UTF8 command prior to using
   UTF-8 in authentication.  However, clients MUST NOT use UTF-8
   characters in USER, PASS, or APOP commands unless the USER argument
   is included in the UTF8 capability response.

   The server MUST reject UTF-8 user names or passwords that fail to
   comply with the formal syntax in UTF-8 [RFC3629].

   Use of UTF-8 characters in the AUTH command is governed by the POP3
   SASL [RFC5034] mechanism.

4.  Native UTF-8 Maildrops

   When a POP3 server uses a native UTF-8 maildrop, it is the
   responsibility of the server to comply with the POP3 base
   specification [RFC1939] and Internet Message Format [RFC5322] when
   not in UTF-8 mode.  When the server is not in UTF-8 mode and the
   message requires that mode, requests to download the message MAY be
   rejected (as specified in the next section) or the various other
   alternatives outlined in Section 3.1 above and in Section 7 of the
   IMAP UTF-8 specification [draft-ietf-eai-5738bis], including creation
   and delivery of variations on the original message, MAY be
   considered.

5.  UTF8 Response Code

   Per "POP3 Extension Mechanism" [RFC2449], this document adds a new
   response code: UTF8, described below.

   Complete response code:
      UTF8

   Valid for responses:
      -ERR

   Valid for commands:
      LIST, TOP, RETR

   Response code meaning and expected client behavior:

   The UTF8 response code indicates that a failure is due to a request
   when not in UTF-8 mode for message content containing UTF-8
   characters.

   The client MAY reissue the command after entering UTF-8 mode.

6.  IANA Considerations

   Section 2 and 3 of this specification update two capabilities ("UTF8"
   and "LANG") to the POP3 capability registry [RFC2449].

   Section 5 of this specification also adds one new response code
   ("UTF8") to the POP3 response codes registry [RFC2449].

7.  Security Considerations

   The security considerations of UTF-8 [RFC3629] and SASLprep [RFC4013]
   apply to this specification, particularly with respect to use of
   UTF-8 in user names and passwords.

   The "LANG *" command might reveal the existence and preferred
   language of a user to an active attacker probing the system if the
   active language changes in response to the USER, PASS, or APOP
   commands prior to validating the user's credentials.  Servers are
   strongly advised to implement a configuration to prevent this
   exposure.

   It is possible for a man-in-the-middle attacker to insert a LANG
   command in the command stream, thus making protocol-level diagnostic
   responses unintelligible to the user.  A mechanism to protect the
   integrity of the session, such as , Transport Layer Security (TLS)
   [RFC2595] can be used to defeat such attacks.

   Modifying server authentication code (in this case, to support UTF8
   command) needs to be done with care to avoid introducing
   vulnerabilities (for example, in string parsing).

8.  Change History

8.1.  draft-ietf-eai-rfc5721bis: Version 00

   following the new charter

8.2.  draft-ietf-eai-rfc5721bis:  Version 01

   refine the texts

8.3.  draft-ietf-eai-rfc5721bis:  Version 02

   update the texts based on Joseph's comments

8.4.  draft-ietf-eai-rfc5721bis:  Version 03

   improve the texts

   text instructing servers to either downconvert or reject

   new UTF-8 response code for use

8.5.  draft-ietf-eai-rfc5721bis:  Version 04

   improve the texts

8.6.  draft-ietf-eai-rfc5721bis:  Version 05

   updated according to jabber interim meeting result

   updated according to john and apparea's review comments

9.  References

9.1.  Normative References

   [I-D.ietf-eai-5738bis]  Resnick, P., Newman, C., and S. Shen, "IMAP
                           Support for UTF-8", draft-ietf-eai-5738bis-03
                           (work in progress), December 2011.

   [RFC1939]               Myers, J. and M. Rose, "Post Office Protocol
                           - Version 3", STD 53, RFC 1939, May 1996.

   [RFC2045]               Freed, N. and N. Borenstein, "Multipurpose
                           Internet Mail Extensions (MIME) Part One:
                           Format of Internet Message Bodies", RFC 2045,
                           November 1996.

   [RFC2047]               Moore, K., "MIME (Multipurpose Internet Mail
                           Extensions) Part Three: Message Header
                           Extensions for Non-ASCII Text", RFC 2047,
                           November 1996.

   [RFC2119]               Bradner, S., "Key words for use in RFCs to
                           Indicate Requirement Levels", BCP 14,
                           RFC 2119, March 1997.

   [RFC2449]               Gellens, R., Newman, C., and L. Lundblade,
                           "POP3 Extension Mechanism", RFC 2449,
                           November 1998.

   [RFC3454]               Hoffman, P. and M. Blanchet, "Preparation of
                           Internationalized Strings ("stringprep")",
                           RFC 3454, December 2002.

   [RFC3629]               Yergeau, F., "UTF-8, a transformation format
                           of ISO 10646", STD 63, RFC 3629,
                           November 2003.

   [RFC4013]               Zeilenga, K., "SASLprep: Stringprep Profile
                           for User Names and Passwords", RFC 4013,
                           February 2005.

   [RFC4647]               Phillips, A. and M. Davis, "Matching of
                           Language Tags", BCP 47, RFC 4647,
                           September 2006.

   [RFC5322]               Resnick, P., Ed., "Internet Message Format",
                           RFC 5322, October 2008.

   [RFC5646]               Phillips, A. and M. Davis, "Tags for
                           Identifying Languages", BCP 47, RFC 5646,
                           September 2009.

   [RFC6530]               Klensin, J. and Y. Ko, "Overview and
                           Framework for Internationalized Email",
                           RFC 6530, February 2012.

   [RFC6532]               Yang, A., Steele, S., and N. Freed,
                           "Internationalized Email Headers", RFC 6532,
                           February 2012.

9.2.  Informative References

   [RFC2595]               Newman, C., "Using TLS with IMAP, POP3 and
                           ACAP", RFC 2595, June 1999.

   [RFC5034]               Siemborski, R. and A. Menon-Sen, "The Post
                           Office Protocol (POP3) Simple Authentication
                           and Security Layer (SASL) Authentication
                           Mechanism", RFC 5034, July 2007.

   [RFC5721]               Gellens, R. and C. Newman, "POP3 Support for
                           UTF-8", RFC 5721, February 2010.

Appendix A.  Design Rationale

   This non-normative section discusses the reasons behind some of the
   design choices in the above specification.

   Due to interoperability problems with RFC 2047 and limited deployment
   of RFC 2231, it is hoped these 7-bit encoding mechanisms can be
   deprecated in the future when UTF-8 header support becomes prevalent.

   USER is optional because the implementation burden of SASLprep
   [RFC4013] is not well understood, and mandating such support in all
   cases could negatively impact deployment.

Appendix B.  Acknowledgments

   Thanks to John Klensin, Joseph Yee, Tony Hansen, Alexey Melnikov and
   other EAI working group participants who provided helpful suggestions
   and interesting debate that improved this specification.

Authors' Addresses

   Randall Gellens
   QUALCOMM Incorporated
   5775 Morehouse Drive
   San Diego, CA  92651
   US

   EMail: rg+ietf@qualcomm.com

   Chris Newman
   Oracle
   800 Royal Oaks
   Monrovia, CA  91016-6347
   US

   EMail: chris.newman@oracle.com

   Jiankang YAO
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Beijing

   Phone: +86 10 58813007
   EMail: yaojk@cnnic.cn

   Kazunori Fujiwara
   Japan Registry Services Co., Ltd.
   Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
   Tokyo

   Phone: +81 3 5215 8451
   EMail: fujiwara@jprs.co.jp