Network Working Group                                        A. Melnikov
Internet Draft                                                    Editor
Document: draft-ietf-sasl-rfc2222bis-08.txt                    June draft-ietf-sasl-rfc2222bis-09.txt                 October 2004
Obsoletes: RFC 2222                                Expires in six months

            Simple Authentication and Security Layer (SASL)

Status of this Memo

   This document is an Internet Draft

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and is any of which I become aware will be disclosed, in full conformance accordance with
   all provisions of Section 10 of
   RFC 2026. 3668.

   Internet Drafts are working documents of the Internet Engineering
   Task Force (IETF), its Areas, and its Working Groups.  Note that
   other groups may also distribute working documents as Internet
   Drafts. Internet Drafts are draft documents valid for a maximum of
   six months.  Internet Drafts may be updated, replaced, or obsoleted
   by other documents at any time.  It is not appropriate to use
   Internet Drafts as reference material or to cite them other than as
   ``work in progress''.

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   A revised version of this draft document will be submitted to the RFC
   editor as a Standards Track RFC for the Internet Community.
   Discussion and suggestions for improvement are requested.
   Distribution of this draft is unlimited.

   When published as an RFC this document will obsolete RFC 2222.

Internet DRAFT                    SASL                      28 June                   25 October 2004

Abstract

   The Simple Authentication and Security Layer (SASL) is a framework
   for providing authentication and data security services in
   connection-oriented protocols via replaceable mechanisms. It provides
   a structured interface between protocols and mechanisms.  The
   resulting framework allows new protocols to reuse existing mechanisms
   and allows old protocols to make use of new mechanisms.  The
   framework also provides a protocol for securing subsequent protocol
   exchanges within a data security layer.

   This document describes how a SASL mechanism is structured, describes
   how protocols add support for SASL, and defines the protocol for
   carrying a data security layer over a connection.  Additionally, this
   document defines one SASL mechanism, the EXTERNAL mechanism.

1.  Conventions used in this document

   In examples, "C:" and "S:" indicate lines sent by the client and
   server respectively.

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
   in this document are to be interpreted as defined in "Key words for
   use in RFCs to Indicate Requirement Levels" [KEYWORDS].

   Character names in this document use the notation for code points and
   names from the Unicode Standard [Unicode].  For example, the letter
   "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.

   This document uses terms "integrity protection" and "confidentiality
   protection". The former refers to a security layer (see Section
   "Introduction" below for the definition) designed to provide "data
   integrity service" as defined in [Sec-Glossary]. Confidentiality
   protection is a security layer that provides "data confidentiality
   service" as defined in [Sec-Glossary]. The term "confidentiality
   protection" usually implies "integrity protection". Security layers may offer
   other kinds of security services.

2.    Introduction

   The Simple Authentication and Security Layer (SASL) is a framework
   for providing authentication and data security services in
   connection-oriented protocols via replaceable mechanisms.  SASL
   provides a structured interface between protocols and mechanisms.
   SASL also provides a protocol for securing subsequent protocol
   exchanges within a data security layer.

Internet DRAFT                    SASL                      28 June                   25 October 2004

   SASL

   SASL's design is intended to allow new protocols to reuse existing
   mechanisms without requiring redesign of the mechanisms and allows
   existing protocols to make use of new mechanisms without redesign of
   protocols.

   The SASL is conceptually a framework which provides a layer between
   protocols and mechanisms, as illustrated in the following diagram.

                SMTP Protocol     LDAP Protocol          Other Protocols
                   Profile           Profile            . . .
                          \-----        |       -----/
                                \       |      /
                                 SASL framework
                                /       |      \
                          /-----        |       -----\
                  DIGEST-MD5         EXTERNAL            Other Mechanisms
                SASL mechanism    SASL mechanism        . . .

   It is through the interfaces of this layer that the framework allows
   any protocol to be utilized with any mechanism.  While the layer does
   generally hide the particulars of protocols from mechanisms, mechanisms and the
   particulars of mechanisms from protocols, the layer does not
   generally hide the particulars of mechanisms from
   protocols. protocol
   implementations.  For example, different mechanisms require different
   information to operate, some of them use password based
   authentication, other some of then require realm information, others make
   use of Kerberos tickets, certificates, etc.  Also, in order to
   perform authorization step authorization, server implementations have to implement a
   mapping from a mechanism specific mechanism-specific authentication identity format to a protocol specific
   protocol-specific format.

   It is noted that it is possible to design and implement this framework in ways which
   do abstract away particulars of similar mechanisms.  Such
   implementation could also be designed to be shared by multiple
   implementations of various protocols.

   As illustrated above, the SASL framework interfaces with both
   protocols and mechanisms.

   To use SASL, a protocol includes a command for identifying and
   authenticating a user to a server and for optionally negotiating a
   security layer for subsequent protocol interactions.  If the use of a
   security layer is negotiated, that security layer is inserted between
   the protocol and the connection.  Section 4 ("Protocol profile
   requirements") profiles the requirements that a protocol
   specification must fulfill to make use of SASL. A SASL protocol
   profile is a part of the protocol specification that satisfies the

Internet DRAFT                    SASL                   25 October 2004

   requirements of Section 4.

   A SASL mechanism is a series of server challenges and client
   responses specific to the mechanism.  Each SASL mechanism are

Internet DRAFT                    SASL                      28 June 2004

   identity is
   identified by a registered name.  Section 5. 5 ("Mechanism profile
   guidelines") profiles the requirements that a mechanism specification
   must fulfill to define a SASL mechanism.

   This document is written to serve several different audiences:

   o)

   - protocol designers using this specification to support
   authentication in their protocol

   o) protocol,

   - mechanism designers that define new SASL mechanisms

   o) mechanisms, and

   - implementors of clients or servers for those protocols using this
   specification.

   The sections "Authentication Mechanisms", mechanisms", "Protocol Profile
   Requirements", profile
   requirements", "Specific Issues", issues", and "Security Considerations" considerations" cover
   issues that protocol designers need to understand and address in
   profiling this specification for use in a specific protocol.

   The sections "Authentication Mechanisms", mechanisms", "Mechanism Profile
   Requirements", profile
   guidelines", "Security Considerations" considerations" and "Registration procedure"
   cover issues that mechanism designers need to understand and address
   in designing new SASL mechanisms.

   The sections "Authentication Mechanisms", mechanisms", "Protocol profile
   requirements", "Specific issues" and "Security Considerations" considerations" cover
   issues that implementors of a protocol that uses SASL framework need
   to understand.  The implementors will also need to understand a
   specification of a SASL profile specific to the protocol, as well as
   aspects of mechanism specifications they intend to use (regardless of
   whether they are implementing the mechanisms themselves or using an
   existing implementation) to understand, for instance, the mechanism mechanism-
   specific authentication identity forms, the offered services, and
   security and other considerations.

2.1.  Relationship to other documents

   This document obsoletes RFC 2222.  It replaces all portions of RFC
   2222 excepting sections 7.1 (Kerberos version 4 mechanism), 7.2
   (GSSAPI mechanism), 7.3 (S/Key mechanism).  The Kerberos version 4
   (KERBEROS_IV) and S/Key (SKEY) mechanisms are now viewed as obsolete.
   The GSSAPI mechanism is now separately specified [SASL-GSSAPI].

Internet DRAFT                    SASL                   25 October 2004

3.    Authentication mechanisms

   SASL mechanisms are named by strings, from 1 to 20 characters in
   length, consisting of ASCII [ASCII] upper-case letters, digits,
   hyphens, and/or underscores.  Names of SASL mechanisms or families of
   mechanisms must be registered with the Internet Assigned Numbers
   Authority (IANA) as described in section 8.2.

   The "sasl-mech" ABNF production below defines the syntax of a SASL
   mechanism name.  This uses the Augmented Backus-Naur Form (ABNF)
   notation as specified in [ABNF].

Internet DRAFT                    SASL                      28 June 2004

   sasl-mech    = 1*20mech-char
   mech-char    = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
                  ; mech-char is restricted to "A"-"Z", "0"-"9", "-",
                  ; and "_" from ASCII character set.

   UPPER-ALPHA  = %x41-5A
                  ; "A"-"Z"

   DIGIT        = %x30-39
                  ; "0"-"9"

   HYPHEN       = %x2D
                  ; "-"

   UNDERSCORE   = %x5F
                  ; "_"

3.1.  Authentication protocol exchange Exchange

   A SASL mechanism is responsible for conducting an authentication
   protocol
   exchange.  This consists of a series of server challenges and client
   responses, the contents of which are specific to and defined by the
   mechanism.  To the application protocol, the challenges and responses
   are opaque binary tokens of arbitrary length. length (including 0-length).
   The protocol's profile then specifies how these binary tokens are then
   encoded for transfer over the connection.

   After receiving an authentication command or any client response, a
   server mechanism may issue a challenge, indicate failure, or indicate
   completion.  The server mechanism may return additional data with a
   completion indication.  The protocol's profile specifies how each of
   these is then represented over the connection.

   After receiving a challenge, a client mechanism may issue a response
   or abort the exchange.  The protocol's profile specifies how each of

Internet DRAFT                    SASL                   25 October 2004

   these are then represented over the connection.

   During the authentication protocol exchange, the mechanism performs
   authentication, transmits an authorization identity (frequently (sometimes known
   as a userid) username<<>>) from the client to server, and negotiates may negotiate the
   use of a mechanism-specific security layer.  If the use of a security
   layer is agreed upon, then the mechanism must also define or
   negotiate the maximum security layer buffer size that each side is
   able to receive.

Internet DRAFT                    SASL                      28 June 2004

3.2.  Authorization and authentication identities  Identity Concepts

   Conceptually, SASL authentication deals with framework involves two identities:
     1) an identity associated with the authentication
   identity, derived from
     credentials (termed the client's authentication credentials; identity), and
     2) an identity to act as (termed the authorization identity, which is
     identity).

   The client provides its credentials and, optionally, a
   string representing the result requested authorization identity
   as part of the SASL processing
   and exchange.  When this string is used by omitted or empty,
   the server client is requesting to act as the primary identity for making access
   policy decisions.
   associated with the credentials (e.g., the user is
   requesting to act as the authentication identity).

   The processing model server is responsible for verifying the client's
   credentials and verifying that the client is allowed to
   act as follows. the authorization identity.  A server, upon completion SASL exchange
   fails if either (or both) of these verifications fails.

   SASL mechanism specifications describe the form of credentials
   used to authenticate clients, and SASL application
   profiles describe the form of authorization identities
   transferred as part of authentication mechanism, uses exchange.
   However, the results produced by
   precise form(s) of the authentication mechanism, the client-provided authorization identity
   value (which may be identities (used
   within the empty string), server in its verifications, or otherwise)
   and local policy information
   to derive an authorization identity.  The the precise form(s) of the authorization identity is
   made available to further server processing for use identities
   (used in making access
   policy decisions.  The provision of additional client attributes that
   may affect access policy authorization decisions, or otherwise) is not covered by
   beyond the scope of the SASL and this specification.

   The authorization  In
   some circumstances, the precise identity forms used
   outside of the SASL exchange may be an empty (zero length) string.  In
   this case, dictated by other
   specifications.  For instance, the server derives an authorization identity from policy
   specification for an application protocol may dictate the
   client's authentication identity.

   A mechanism which is incapable of transmitting
   precise form that an authorization identity must is to be treated as if it always transmits an
   represented in the authorization
   identity of an empty string. policy.

Internet DRAFT                    SASL                   25 October 2004

   <<Need to address few issues in the two remaining paragraphs>>
   Any normalization of the authentication identity (for the purposes
   of conducting authentication exchange) is defined by a particular
   SASL mechanism, the protocol profile doesn't influence it.
   Note, that the mechanism specification doesn't control how
   authentication identity information is represented elsewhere
   <<need to add few examples>>.

   The mechanism MUST preserve Unicode codepoint codepoints when transferring
   authorization identity (e.g. the mechanism cann't can't apply any form
   of normalization).

3.2.1.  Authorization identities and proxy authentication

   A mechanism which is incapable of transmitting an authorization identity
   must be treated as if it always transmits an authorization identity of an
   empty string. <<Is this redundant?>>

   If the authorization identity transmitted during the authentication
   protocol
   exchange is not the empty string, this is typically referred
   to as "proxy authentication".  This feature permits agents such as
   proxy servers to authenticate using their own credentials, yet request
   the access privileges of the identity for which they are proxying.

   The server makes an implementation defined implementation-defined policy decision as to
   whether the authentication identity is permitted to have the access
   privileges of the authorization identity and whether the authorization
   identity is permitted to receive service.  If it is not, the server
   indicates failure of the authentication protocol exchange.

Internet DRAFT                    SASL                      28 June 2004

   As a client might not have the same information as the server,
   clients SHOULD NOT derive authorization identities from authentication
   identities. Instead, clients SHOULD provide no (or empty) authorization
   identity when the user user<<client?>> has not provided an authorization identity.

   The server SHOULD verify that a received authorization identity is in the
   correct form. Protocol profiles whose authorization identities are simple user
   names (e.g. IMAP [RFC 3501]) SHOULD use "SASLprep"
   profile [SASLprep] of the "stringprep" algorithm [StringPrep] to prepare
   these names for matching. The profiles MAY use a stringprep profile
   that is more strict than "SASLprep". If the preparation of
   the authorization identity fails or results in an empty string,
   the server MUST fail the authentication exchange. The only exception to
   this rule is when the received authorization identity is already the empty
   string.

Internet DRAFT                    SASL                   25 October 2004

3.2.2.  Authorization Identity Format

   An authorization identity is a string of zero or more Unicode [Unicode]
   coded characters.  The NUL <U+0000> character is not
   permitted prohibited
   in authorization identities.

   The character encoding scheme used for transmitting an authorization
   identity over the protocol is specified in each authentication mechanism.
   All IETF-defined mechanisms MUST, and all other mechanisms SHOULD,
   use UTF-8 [UTF-8]. (See [CHARSET-POLICY] for IETF policy regarding character
   sets and encoding schemes.)

   Mechanisms are expected to be capable of carrying the entire Unicode
   repertoire (with the exception of the NUL character). An authorization
   identity of the empty string and an absent authorization identity
   MUST be treated as equivalent. A mechanism
   which provides an optional field for an authorization identity,
   SHOULD NOT allow that field, when present, to be empty.
   The meaning of the empty string as an authorization identity is described
   in the
   previous section. Section 3.2.

3.3.  Security layers

   If use of a security layer is negotiated by the authentication
   protocol exchange, the security layer is applied to all subsequent
   data sent over the connection (until another security layer is
   negotiated; negotiated (
   see also section 6.3). 6.3) or underlying connection is closed). The security
   layer takes effect
   immediately following the last response of the authentication exchange
   for data sent by the client and the completion indication for data
   sent by the server. The exact position MUST be defined by the protocol profile
   (see section 4 part 5).

Internet DRAFT                    SASL                      28 June 2004

   Note that all SASL mechanisms that are unable to negotiate a security
   layer automatically select no security layer.

   Once the security layer is in effect the
   protocol stream is processed by the security layer into buffers of
   protected data.  If the security layer is not able to produce a buffer,
   the connection MUST be closed. If the security layer is not able to
   decode a received buffer, the connection MUST be closed. In both cases the
   underlying connection SHOULD be closed gracefully.

   Each buffer of protected data is
   transferred over the connection as a stream of octets prepended with a
   four octet field in network byte order that represents the length of
   the following buffer.  The length of the protected data buffer
   MUST be no larger than the maximum size that was either defined in the
   mechanism specification or negotiated by
   the other side during the authentication protocol exchange.
   Upon the receipt of a data buffer which is larger than the defined/negotiated

Internet DRAFT                    SASL                   25 October 2004

   maximal buffer size the receiver SHOULD close the connection.  This connection,
   as this might be a sign of an attack or attack.

   SASL mechanisms which are unable to negotiate a buggy implementation. security layer
   are treated as selecting no security layer.

4.    Protocol profile requirements

   In order to use this specification, a protocol definition MUST supply
   the following information:

     1) A service name, to be selected from the IANA registry of "service"
     elements for the GSSAPI host-based service name form [GSSAPI]. This
     service name is made available to the authentication mechanism.

     The registry is available at the URL
     <http://www.iana.org/assignments/gssapi-service-names>.

     2) A definition of the command to initiate the authentication protocol
     exchange.  This command must have as a parameter the
     name of the mechanism being selected by the client.

     The command SHOULD have an optional parameter giving an initial
     response.  If the protocol allows for the initial response,
     the protocol profile SHOULD MUST also describe how an empty initial response is
     encoded.  This optional parameter allows the client to avoid a round
     trip when using a mechanism which is defined to have the client send
     data first.  When this initial response is sent by the client and the
     selected mechanism is defined to have the server start with an initial
     challenge, the command fails.  See section 6.1 of this document for
     further information.

     3) A definition of the method by which the authentication protocol
     exchange is carried out, including how the challenges and responses
     are encoded, how the server indicates completion or failure of the
     exchange, how the client aborts an exchange, and how the exchange method
     interacts with any line length limits in the protocol.

     The exchange method SHOULD allow the server to include an
     optional

Internet DRAFT                    SASL                      28 June 2004 data ("optional challenge") with a success notification.  This allows the
     server to avoid a round trip when using a mechanism which is defined
     to have the server send additional data along with the indication of
     successful completion.  Note that an if additional data is sent with success can't success,
     it can not be empty. See section 6.2 of this document for further information.

     4) A protocol profile SHOULD specify a mechanism through
     which a client may obtain the names of the SASL mechanisms available
     to it.  This is typically done through the protocol's extensions or

Internet DRAFT                    SASL                   25 October 2004

     capabilities mechanism.

     5) Identification of the octet where any negotiated security layer starts
     to take effect, in both directions.

     6) Specify if the protocol profile supports "multiple authentications"
     (see section 6.3).

     7) If both a Transport Layer Security [TLS] and a SASL security layer are
     allowed to be negotiated by
     the protocol, the protocol profile MUST define in which order they are
     applied to a cleartext data sent over the connection.

     8) A protocol profile MAY further refine the definition of an
     authorization identity by adding additional syntactic restrictions and
     protocol-specific semantics. A protocol profile MUST specify the form
     of the authorization identity (since it is protocol specific, protocol-specific, as opposed
     to the authentication identity, which is mechanism specific) mechanism-specific) and how
     authorization identities are to be compared. Profiles whose authorization
     identities are simple user names (e.g. IMAP [RFC 3501]) SHOULD use
     "SASLprep" profile [SASLprep] of the "stringprep" algorithm [StringPrep]
     to prepare these names for matching. The profiles MAY use a stringprep profile
     that is more strict than SASLprep.

     9) Where the application-layer protocol does not precisely state
     how identities established through SASL relate to identities
     used elsewhere (e.g., access controls) in the application-layer
     protocol, it may be useful for the application-layer protocol
     to provide a facility which the client may use to discover the
     identity used.

   A protocol profile SHOULD NOT attempt to amend the definition of
   mechanisms or make create mechanism-specific encodings.  This breaks the
   separation between protocol and mechanism that is fundamental to the
   design of SASL. Likewise, (Likewise, SASL mechanisms SHOULD are intended to be profile neutral.

Internet DRAFT                    SASL                      28 June 2004 neutral.)

5.    Mechanism profile guidelines

   Designers of new SASL mechanism should be aware of the following issues:

   1) Authorization identity

   While some legacy mechanisms are incapable of transmitting an authorization
   identity (which means that for these mechanisms the authorization identity
   is always the empty string), newly defined mechanisms SHOULD be
   capable of transmitting a non-empty authorization identity. See also section 3.2.

Internet DRAFT                    SASL                   25 October 2004

   2) Character string issues

   Authentication mechanisms SHOULD encode character strings in UTF-8 [UTF-8]
   (see [CHARSET-POLICY] for IETF policy regarding character sets in IETF protocols).
   In order to avoid interoperability problems due to differing normalizations,
   when a mechanisms mechanism specifies that character data is to be used as input to a
   cryptographic and/or comparison function, the mechanism specification MUST
   detail how the data is to be represented, including any normalizations or
   other preparations, to ensure proper function.  Designers of mechanisms SHOULD use
   the "SASLprep" profile [SASLprep] of the "stringprep" algorithm [StringPrep] where applicable.  However it should be noted
   that this rule doesn't
   This recommendation does not apply to authorization identities, identities as they are
   protocol specific. their handling is protocol-specific.

   The preparation can be potentially performed on the client end side (upon getting user input
   or retrieving a value from configuration) or on the server end side (upon receiving the value
   from the client, retrieving a value from its authentication database or generating a
   new value in order to store in in the authentication database).
   SASL mechanisms
   must MUST define which entity (or entities) must perform the
   preparation. If preparation fails or results in an turns a non-empty string into the empty string, the entity
   doing the preparation MUST fail the authentication exchange.

   Implementation note:
   A server end side can be represented by multiple processes. For example, it the server side may
   consist of the server process itself that communicated with a client, client and a command line
   utility (a server agent) that is able to store passwords/hashes (or derivitives) in a
   database that can be later used by the server. For the server agent the
   requirement to "fail the authentication exchange" should be interpreted
   as a requirement to refuse to store the data in the database.

   3) If the underlying cryptographic technology used by a mechanism supports
   data integrity than integrity, then the mechanism specification MUST

Internet DRAFT                    SASL                      28 June 2004 integrity protect
   the transmission of an authorization identity and the negotiation of
   the security layer.

   4) The mechanism should not SHOULD NOT use the authorization identity in generation of any
   long-term cryptographic keys/hashes.  The reason is that different protocols
   (and sometimes even different implementations of the same protocol) may use
   multiple forms of an authorization identity that are semantically equivalent
   and some clients may use one form while other clients use a different form.

   5) SASL mechanisms should be designed to minimize the number of round
   trips required required, because SASL can be used with protocols where connections
   are short-lived.

6.    Specific issues

6.1.  Client sends data first

   Some

   6) SASL does not provide for re-keying (see Section 9.1), but SASL mechanisms may.

   <<Original Nico's text follows:>>
   SASL mechanisms specify that the first data sent support re-keying SHOULD:
    - indicate that re-keying is or will be needed immediately; <<Alexey: HOW?>>

Internet DRAFT                    SASL                   25 October 2004

    - provide re-keying messages or transparently include re-keying
      messages in the
   authentication protocol exchange is from security layers; the client latter can happen without
      application involvement, but only as long as the application is
      engaged in timely bidirectional exchanges with its peer.

   <<Alternative text by Alexey:>>
   A SASL mechanism supports re-keying if it is able to generate/process
   messages that request immediate re-keying and it is able to carry out
   re-keying exchange. (Note that the mechanism MAY use a single message
   type to do both). SASL mechanisms that support re-keying MAY also be
   able to indicate that re-keying will be needed in the future.
   A re-keying exchange can be conducted transparently by the mechanism,
   or the mechanism should be able to provide/accept re-keying messages
   to/from the application. The former can happen without application
   involvement, but only as long as the application is engaged in timely
   bidirectional exchanges with its peer.

   7) SASL mechanisms SHOULD be profile neutral.

6.    Specific issues

6.1.  Client sends data first

   Some mechanisms specify that the first data sent in the
   authentication exchange is from the client to the server.

   If a protocol's profile permits the command which initiates an
   authentication protocol exchange to contain an initial client
   response, this parameter SHOULD be used with such mechanisms.

   If the initial client response parameter is not given, or if a
   protocol's profile does not permit the command which initiates an
   authentication protocol exchange to contain an initial client
   response, then the server issues a challenge with no data.  The
   client's response to this challenge is then used as the initial client
   response.  (The server then proceeds to send the next challenge,
   indicates completion, or indicates failure.)

6.1.1.  Client sends data first examples

   The following are two examples of an the SECURID authentication [SASL-
   SECURID] [SASL-SECURID] in the SMTP
   protocol [SMTP].  In the first example below, the client is trying fast reauthentication
   by sending the initial response:

      S: 220-smtp.example.com ESMTP Server
      C: EHLO client.example.com
      S: 250-smtp.example.com Welcome client.example.com

Internet DRAFT                    SASL                   25 October 2004

      S: 250-AUTH GSSAPI SECURID
      S: 250 DSN
      C: AUTH SECURID AG1hZ251cwAxMjM0NTY3OAA=
      S: 235 Authentication successful

Internet DRAFT                    SASL                      28 June 2004

   The example below is almost identical to the previous, but here the
   client chooses not to use the initial response parameter.

      S: 220-smtp.example.com ESMTP Server
      C: EHLO client.example.com
      S: 250-smtp.example.com Welcome client.example.com
      S: 250-AUTH GSSAPI SECURID
      S: 250 DSN
      C: AUTH SECURID
      S: 334
      C: AG1hZ251cwAxMjM0NTY3OAA=
      S: 235 Authentication successful

   Additonal examples that show usage of initial response can be found
   in section 7.2.

6.2.  Server returns success with additional data

   Some mechanisms may specify that additional data be sent to the
   client along with an indication of successful completion of the
   exchange.  This data would, for example, authenticate the server to
   the client.

   If a protocol's profile does not permit this additional data to be
   returned with a success indication, then the server issues the data
   as a server challenge, without an indication of successful
   completion.  The client then responds with no data.  After receiving
   this empty response, the server then indicates successful completion
   (with no additional data).

   Client implementors should be aware of an additional failure case
   that might occur when the profile supports sending the additional
   data with success. Imagine that an active attacker is trying to
   impersonate the server and sends faked data, which should be used to
   authenticate the server to the client, with success.  (A similar
   situation can happen when either the server and/or the client has a
   bug and they calculate different responses.) After checking the data,
   the client will think that the authentication exchange has failed,
   however the server will think that the authentication exchange has
   completed successfully.  At this point the client can not abort the
   authentication exchange; it SHOULD close the connection instead.
   However, if the profile did not support sending of additional data

Internet DRAFT                    SASL                   25 October 2004

   with success, the client could have aborted the exchange at the very
   last step of the authentication exchange.

Internet DRAFT                    SASL                      28 June 2004

6.2.1.  Server returns success with additional data examples

   The following are two examples of a DIGEST-MD5 authentication [SASL-
   DIGEST] in the Extensible Messaging and Presence Protocol [XMPP]. In
   the first example below, the server is sending mutual authentication
   data with success.

      C: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          to='example.com'
          version='1.0'>
      S: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          id='c2s_234'
          from='example.com'
          version='1.0'>
      S: <stream:features>
           <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
             <mechanism>DIGEST-MD5</mechanism>
             <mechanism>CRAM-MD5</mechanism>
           </mechanisms>
         </stream:features>
      C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
               mechanism='DIGEST-MD5'/>
      S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9
         ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
         </challenge>
      C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
         T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
         MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
         LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
         YXJzZXQ9dXRmLTgK
         </response>
      S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
         </success>

      The example below is almost identical to the previous, but here
      the server chooses not to use the additional data with success.

      C: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'

Internet DRAFT                    SASL                      28 June                   25 October 2004

      C: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          to='example.com'
          version='1.0'>
      S: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          id='c2s_234'
          from='example.com'
          version='1.0'>
      S: <stream:features>
           <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
             <mechanism>DIGEST-MD5</mechanism>
             <mechanism>CRAM-MD5</mechanism>
           </mechanisms>
         </stream:features>
      C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
               mechanism='DIGEST-MD5'/>
      S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9
         ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
         </challenge>
      C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
         T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
         MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
         LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
         YXJzZXQ9dXRmLTgK
         </response>
      S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
         </challenge>
      C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
      S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

6.3.  Multiple authentications

   Unless otherwise stated by the protocol's profile, only one
   successful SASL negotiation may occur in a protocol session.  In this
   case, once an authentication protocol exchange has successfully completed,
   further attempts to initiate an authentication protocol exchange fail.

   If a profile explicitly permits multiple successful SASL negotiations
   to occur, then in no case may multiple security layers be
   simultaneously in effect.  If a security layer is in effect and a
   subsequent SASL negotiation selects a second security layer, then the
   second security layer replaces the first. first; this can be used as a form

Internet DRAFT                    SASL                   25 October 2004

   of re-keying, where SASL mechanisms that provide security layers fail
   to provide for re-keying, provided that the authenticated identity
   remains the same.  If a security layer is in effect and a subsequent
   SASL negotiation selects no security layer, the original security
   layer remains in effect.

Internet DRAFT                    SASL                      28 June 2004

   Where a protocol profile permits multiple successful SASL
   negotiations, the profile MUST detail the effect of a failed SASL
   negotiation upon the previously established authentication state.
   In particular, it MUST state whether the previously established
   authenticated state remain remains in force or whether the connection is to
   revert to an non-authenticated state. Regardless of the specified
   effect upon authentication state, the previously negotiated security
   layer remains in effect.

7.    The EXTERNAL mechanism

   The mechanism name associated with external authentication is
   "EXTERNAL".

   The client sends a single message containing the UTF-8 encoding of
   the requested authorization identity. The message may be empty. The
   form of the authorization identity is further may be restricted by the application-level
   application protocol's SASL profile.

   The server uses information,

   Some system external to SASL, to determine whether
   the client is permitted to SASL must authenticate as the authorization
   identity. client.  If the client is so authorized, that
   succeeds, the server indicates
   successful completion of determines the authentication exchange; otherwise the
   server indicates failure.

   The system providing this external identity from
   information may be, for example,
   IPSec from this system.  If the requested authorization
   identity is empty, the authorization identity is derived from the
   authentication identity.  The server determines if the authentication
   identity is allowed to act as the authorization identity.  If all
   that succeeds, the server indicates successful completion of the
   authentication exchange; otherwise it indicates failure.

   The system providing this external information may be, for example,
   IPSec [IPSec] or TLS [TLS]. However, the client can make no
   assumptions as to what information the server can use in determining
   client authorization.  For example, just because TLS was established,
   doesn't mean that the server will use the information provided by
   TLS.

   If the client sends the empty string as the authorization identity,
   the authorization identity is to be derived from authentication
   credentials which exist in the system that is providing the external
   authentication.

7.1.  Formal syntax

   The following syntax specification uses the augmented Backus-Naur
   Form (BNF) notation as specified in [ABNF].  Non-terminals referenced
   but not defined below are as defined by [UTF-8].

   The "extern-resp" rule below defines the message sent from client to

Internet DRAFT                    SASL                   25 October 2004

   server.

   extern-resp       = *( UTF8-char-no-nul )

Internet DRAFT                    SASL                      28 June 2004

   UTF8-char-no-nul  = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4

   UTF8-1-no-nul     = %x01-7F

7.2.  Examples of SASL EXTERNAL

   The following is an example of an EXTERNAL authentication in the SMTP
   protocol [SMTP]. In this example, the client is proxy authenticating,
   sending the authorization identity "fred" using "fred@example.com" in the
   (optional) initial response. The server has obtained the client's
   (authentication) identity from an external service, such as IPsec,
   and has a security policy that permits that identity to assume the
   identity of the asserted authorization identity.

   To the protocol profile, the four octet sequence "fred" "fred@example.com" is an opaque
   binary data. The SASL protocol profile for SMTP [SMTP-AUTH] specifies
   that server challenges and client responses are encoded in BASE64
   [BASE64, section 3]; the BASE64 encoding of "fred" "fred@example.com" is "ZnJlZA==".
   "ZnJlZEBleGFtcGxlLmNvbQ==".

      S: 220 smtp.example.com ESMTP server ready
      C: EHLO jgm.example.com
      S: 250-smtp.example.com
      S: 250 AUTH DIGEST-MD5 EXTERNAL
      C: AUTH EXTERNAL ZnJlZA== ZnJlZEBleGFtcGxlLmNvbQ==
      S: 235 Authentication successful.

   The following example is almost identical to the one above, but the
   client doesn't request proxy authentication.

      S: 220 smtp.example.com ESMTP server ready
      C: EHLO jgm.example.com
      S: 250-smtp.example.com
      S: 250 AUTH DIGEST-MD5 EXTERNAL
      C: AUTH EXTERNAL
      S: 235 Authentication successful.

      The following is an example of an EXTERNAL authentication in the
      IMAP4 protocol [IMAP]. IMAP4 doesn't support the initial response
      feature of SASL.  As in the previous example, the client doesn't
      request proxy authentication.

      S: * OK IMAP4rev1 Server

Internet DRAFT                    SASL                   25 October 2004

      C: C01 CAPABILITY
      S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=DIGEST-MD5 AUTH=EXTERNAL
      [...]
      C: A01 AUTHENTICATE EXTERNAL
      (note that there is a space following the "+" in the following line)

Internet DRAFT                    SASL                      28 June 2004
      S: +
      C:
      S: A01 OK Success

8.    IANA Considerations

8.1.  Guidelines for IANA

   It is requested that IANA updates the SASL mechanisms registry as
   follows:

      Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism
      registrations to OBSOLETE.  Change the "Published specification"
      of the EXTERNAL mechanism to this document. Updated registration
      information is provided in Section 8.6.

8.2.  Registration procedure

   Registration of a SASL mechanism is done by filling in the template
   in section 8.5 and sending it via electronic mail to <iana@iana.org>.
   IANA has the right to reject obviously bogus registrations, but will
   perform no review of claims made in the registration form.  SASL
   mechanism registrations are currently available at the URL
   <http://www.iana.org/assignments/sasl-mechanisms>.

   There is no naming convention for SASL mechanisms; any name that
   conforms to the syntax of a SASL mechanism name can be registered.
   However an IETF Standards Track document may reserve a portion of the
   SASL mechanism namespace ("family of SASL mechanisms") for its own
   use, amending the registration rules for that portion of the
   namespace.  Each family of SASL mechanisms MUST be identified by a
   prefix.

   While the registration procedures do not require it, expert review,
   authors of SASL mechanisms are encouraged to seek community review
   and comment whenever that is feasible.  Authors may seek community
   review by posting a specification of their proposed mechanism as an Internet-
   Draft.
   Internet-Draft.  SASL mechanisms intended for widespread use should

Internet DRAFT                    SASL                   25 October 2004

   be standardized through the normal IETF process, when appropriate.

Internet DRAFT                    SASL                      28 June 2004

8.3.  Comments on SASL mechanism registrations

   Comments on registered SASL mechanisms should first be sent to the
   "owner" of the mechanism and/or to the SASL WG mailing list.
   Submitters of comments may, after a reasonable attempt to contact the
   owner, request IANA to attach their comment to the SASL mechanism
   registration itself.  If IANA approves of this, the comment will be
   made accessible in conjunction with the SASL mechanism registration
   itself.

8.4.  Change control

   Once a SASL mechanism registration has been published by IANA, the
   author may request a change to its definition.  The change request
   follows the same procedure as the registration request.

   The owner of a SASL mechanism may pass responsibility for the SASL
   mechanism to another person or agency by informing IANA; this can be
   done without discussion or review.

   The IESG may reassign responsibility for a SASL mechanism. The most
   common case of this will be to enable changes to be made to
   mechanisms where the author of the registration has died, moved out
   of contact or is otherwise unable to make changes that are important
   to the community.

   SASL mechanism registrations may not be deleted; mechanisms which are
   no longer believed appropriate for use can be declared OBSOLETE by a
   change to their "intended usage" field; such SASL mechanisms will be
   clearly marked in the lists published by IANA.

   The IESG is considered to be the owner of all SASL mechanisms which
   are on the IETF standards track.

8.5.  Registration template

     Subject: Registration of SASL mechanism X

     Family of SASL mechanisms: (YES or NO)

     SASL mechanism name (or prefix for the family):

     Security considerations:

     Published specification (optional, recommended):

Internet DRAFT                    SASL                   25 October 2004

     Person & email address to contact for further information:

Internet DRAFT                    SASL                      28 June 2004

     Intended usage:

     (One of COMMON, LIMITED USE or OBSOLETE)

     Owner/Change controller:

     (Any other information that the author deems interesting may be
     added below this line.)

8.6.  The EXTERNAL mechanism registration

   It is requested that the SASL Mechanism registry [IANA-SASL] entry
   for the EXTERNAL mechanism be updated to reflect that this document
   now provides its technical specification.

      Subject: Updated Registration of SASL mechanism EXTERNAL

      Family of SASL mechanisms: NO

      SASL mechanism name: EXTERNAL

      Security considerations: See RFC XXXX, section 9.

      Published specification (optional, recommended): RFC XXXX

      Person & email address to contact for further information:
        Alexey Melnikov <Alexey.Melnikov@isode.com>

      Intended usage: COMMON

      Owner/Change controller: IESG <iesg@ietf.org>

      Note: Updates existing entry for EXTERNAL

9.   Security considerations

   Security issues are discussed throughout this memo.

   When the client selects a security layer with at least integrity
   protection, this protects against an active attacker hijacking the
   connection and modifying the authentication exchange to negotiate a
   plaintext connection.

   When a server or client supports multiple authentication mechanisms,

Internet DRAFT                    SASL                   25 October 2004

   each of which has a different security strength, it is possible for
   an active attacker to cause a party to use the least secure mechanism

Internet DRAFT                    SASL                      28 June 2004
   supported.  To protect against this sort of attack, a client or
   server which supports mechanisms of different strengths should have a
   configurable minimum strength that it will use.  It is not sufficient
   for this minimum strength check to only be on the server, since an
   active attacker can change which mechanisms the client sees as being
   supported, causing the client to send authentication credentials for
   its weakest supported mechanism.

   The client's selection of a SASL mechanism is done in the clear and
   may be modified by an active attacker.  It is important for any new
   SASL mechanisms to be designed such that an active attacker cannot
   obtain an authentication with weaker security properties by modifying
   the SASL mechanism name and/or the challenges and responses.

   In order to detect Man-in-the-middle (MITM) attacks the client MAY
   list available SASL mechanisms both before and after the SASL
   security layer is negotiated.  This allows the client to detect
   active attacks that remove mechanisms from the server's list of
   supported mechanisms, and allows the client to ensure that it is
   using the best mechanism supported by both client and server.  New
   protocol profiles SHOULD require servers to make the list of SASL
   mechanisms available for the initial authentication available to the
   client after security layers are established.  Some older protocols
   do not require this (or don't support listing of SASL mechanisms once
   authentication is complete); for these protocols clients MUST NOT
   treat an empty list of SASL mechanisms after authentication as a MITM
   attack.

   Any protocol interactions prior to authentication are performed in
   the clear and may be modified by an active attacker.  In the case
   where a client selects integrity protection, it is important that any
   security-sensitive protocol negotiations be performed after
   authentication is complete.  Protocols should be designed such that
   negotiations performed prior to authentication should be either
   ignored or revalidated once authentication is complete.

   Clients should be admonished to validate TLS server IDs to prevent
   MITM attacks when using SASL-over-TLS.  The same recommendation
   applies to other protocols providing security services.

   When use of a security layer is negotiated by the authentication
   protocol exchange, the receiver should handle gracefully any
   protected data buffer larger than the defined/negotiated maximal
   size. In particular, it must not blindly allocate the amount of
   memory specified in the buffer size field, as this might cause the
   "out of memory" condition. If the receiver detects a large block, it

Internet DRAFT                    SASL                   25 October 2004

   SHOULD close the connection.

   Distributed server implementations need to be careful in how they
   trust other parties.  In particular, authentication secrets should
   only be disclosed to other parties that are trusted to manage and use
   those secrets in manner acceptable to disclosing party.  Applications

Internet DRAFT                    SASL                      28 June 2004
   using SASL assume that SASL security layers providing data
   confidentiality are secure even when an attacker chooses the text to
   be protected by the security layer. Similarly applications assume
   that the SASL security layer is secure even if the attacker can
   manipulate the ciphertext output of the security layer. New SASL
   mechanisms MUST meet these assumptions.

   "stringprep" and Unicode security considerations apply to
   authentication identities, authorization identities and passwords.

   The EXTERNAL mechanism provides no security protection; it is
   vulnerable to spoofing by either client or server, active attack, and
   eavesdropping.  It should only be used when external security
   mechanisms are present and have sufficient strength.

10.    References

10.1.  Normative References

   [ABNF] Crocker, D. (Ed.), Overell, P., "Augmented BNF for Syntax
   Specifications: ABNF", RFC 2234, November 1997

   [ASCII] American National Standards Institute, "Code Extension
   Techniques for Use with

9.1.  Re-keying

   The secure or administratively permitted lifetimes of SASL
   mechanisms' security layers are finite.  Cryptographic keys weaken as
   they are used and as time passes; the 7-bit Coded Character Set more time and/or ciphertext
   that a cryptanalyst has after the first use of American
   National Standard Code (ASCII) the a key, the easier
   it is for Information Interchange", FIPS PUB
   35, 1974

   [CHARSET-POLICY] Alvestrand, H., "IETF the cryptanalyst to mount attacks on the key.

   Administrative limits on security layers lifetime may take the form
   of time limits expressed in x.509 certificates, Kerberos V tickets,
   or in directories, and are often desired.  <<In practice one likely
   effect of administrative security layers lifetime limits is that
   applications may find that security layers stop working in the middle
   of application protocol operation, such as, perhaps, during large
   data transfers.  As the result of this the connection will be closed
   (see section 3.3), which will result in unpleasant user experience.>>

   Re-keying (key renegotiation process) is a<<>> way of addressing the
   weakening of cryptographic keys. SASL framework does not provide for
   re-keying.  SASL mechanisms may; all future SASL mechanisms that
   provide security layers should provide for re-keying.

   Applications that wish to re-key SASL security layers where the
   mechanism does not provide for re-keying should reauthenticate the
   same IDs and replace the expired or soon-to-expire security layers.

Internet DRAFT                    SASL                   25 October 2004

   This approach requires support for re-keying in the application
   protocols.  See section 6.3.

10.    References

10.1.  Normative References

   [ABNF] Crocker, D. (Ed.), Overell, P., "Augmented BNF for Syntax
   Specifications: ABNF", RFC 2234, November 1997

   [ASCII] American National Standards Institute, "Code Extension
   Techniques for Use with the 7-bit Coded Character Set of American
   National Standard Code (ASCII) for Information Interchange", FIPS PUB
   35, 1974

   [CHARSET-POLICY] Alvestrand, H., "IETF Policy on Character Sets and
   Languages", RFC 2277, BCP 18, January 1998

   [GSSAPI] Linn, J., "Generic Security Service Application Program
   Interface, Version 2, Update 1", RFC 2743, January 2000

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Levels", RFC 2119, BCP 19, March 1997

   [Unicode] The Unicode Consortium, "The Unicode Standard, Version
   3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading,
   MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the
   "Unicode Standard Annex #27: Unicode 3.1"
   (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard
   Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/).

   [Stringprep] Hoffman, P., Blanchet, M., "Preparation of
   Internationalized Strings ("stringprep")", RFC 3454, December 2002.

   [SASLprep] Zeilenga, K., "SASLprep: Stringprep profile for user names
   and passwords", Work in progress, draft-ietf-sasl-saslprep-XX.txt.

Internet DRAFT                    SASL                      28 June 2004

   [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
   RFC 3629, STD 63, November 2003.

10.2.  Informative References

   [SASL-GSSAPI] Melnikov, A., "SASL GSSAPI mechanisms", work in
   progress, draft-ietf-sasl-gssapi-XX.txt, November 2003

   [SASL-DIGEST] Leach, P., Newman, C., Melnikov, A., "Using Digest

Internet DRAFT                    SASL                   25 October 2004

   Authentication as a SASL Mechanism", work in progress, draft-ietf-
   sasl-rfc2831bis-XX.txt, replaces RFC 2831

   [SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC
   2444, October 1998.

   [SASL-SECURID] Nystrom, M., "The SecurID(r) SASL Mechanism", RFC
   2808, April 2000.

   [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, April
   2001.

   [SMTP-AUTH] Myers, J., "SMTP Service Extension for Authentication",
   RFC 2554, March 1999.

   Being revised by Siemborski, R., "SMTP Service Extension for
   Authentication", work in progress, draft-siemborski-rfc2554bis-
   XX.txt.

   [XMPP] Saint-Andre, P., "Extensible Messaging and Presence Protocol
   (XMPP): Core", work in progress, draft-ietf-xmpp-core-XX.txt.

   [BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data
   Encodings", RFC 3548, July 2003.

   [RFC-INSTRUCTIONS] Postel, J., Reynolds, J., "Instructions to RFC
   Authors", RFC 2223, October 1997.

   [IANA-SASL]  IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL)
   MECHANISMS", http://www.iana.org/assignments/sasl-mechanisms.

   [TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
   2246, January 1999.

   [IPSec] Kent, S., and R.  Atkinson, "Security Architecture for the
   Internet Protocol", RFC 2401, November 1998.

   [Sec-Glossary] Shirey, R., "Internet Security Glossary", RFC 2828,

Internet DRAFT                    SASL                      28 June 2004
   May 2000.

11.   Editor's Address

     Alexey Melnikov
     Isode Limited
     5 Castle Business Village
     36 Station Road
     Hampton, Middlesex,

Internet DRAFT                    SASL                   25 October 2004

     TW12 2BX, United Kingdom

     Email: Alexey.Melnikov@isode.com
     URI:   http://www.melnikov.ca/

12.   Acknowledgments

   This document is a revision of RFC 2222 written by John G. Myers.  He
   also contributed significantly to this revision.

   Contributions of many members of the SASL mailing list are gratefully
   acknowledged, in particular that of Kurt Zeilenga, Peter Saint-Andre,
   Rob Siemborski, Magnus Nystrom, Jeffrey Hutzelman, Hallvard B
   Furuseth, Tony Hansen, Simon Josefsson, Abhijit Menon-Sen, RL 'Bob'
   Morgan, Sam Hartman, Nicolas Williams, Tim Alsop and Luke Howard for proofreading Howard.

Appendix A. Relation of SASL to transport security

   Questions have been raised about the document relationship between SASL and
   various editorial suggestions.

13.   Full Copyright Statement

   Copyright (C) services (such as IPsec and TLS) which provide a secured
   connection.

   Two of the key features of SASL are:

      The Internet Society (2004).  This document is subject
   to separation of the rights, licenses and restrictions contained authorization identity from the identity in BCP 78, and
   except as set forth therein,
      the authors retain all their rights. client's credentials.  This document and translations permits agents such as proxy
      servers to authenticate using their own credentials, yet request
      the access privileges of it may be copied and furnished the identity for which they are proxying.

      Upon successful completion of an authentication exchange, the
      server knows the authorization identity the client wishes to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or use.
      This allows servers to move to a "user is authenticated" state in part, without restriction of any
   kind, provided that
      the above copyright notice and this paragraph protocol.

   These features are
   included on all such copies and derivative works.  However, this
   document itself may extremely important to some application protocols,
   yet Transport Security services do not always provide them.  To
   define SASL mechanisms based on these services would be modified in any way, such a very messy
   task, as by removing the copyright notice or references to framing of these services would be redundant with the Internet Society or other
   Internet organizations, except as needed for
   framing of SASL and some method of providing these important SASL
   features would have to be devised.

   Sometimes it is desired to enable within an existing connection the purpose
   use of
   developing Internet standards in a security service which case does not fit the procedures SASL model.  (TLS is
   an example of such a service.)  This can be done by adding a command,
   for
   copyrights defined in example "STARTTLS", to the Internet Standards process must protocol.  Such a command is outside
   the scope of SASL, and should be
   followed, or as required to translate it into languages other than
   English. different from the command which
   starts a SASL authentication protocol exchange.

Internet DRAFT                    SASL                      28 June                   25 October 2004

   In certain situations, it is reasonable to use SASL underneath one of
   these Transport Security services.  The limited permissions granted above are perpetual and will not be
   revoked by transport service would
   secure the Internet Society or its successors or assigns.

   This document and connection, either service would authenticate the information contained herein are provided on an
   "AS IS" basis client,
   and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by SASL would negotiate the
   Internet Society.

14.   Intellectual Property authorization identity.  The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might SASL
   negotiation would be claimed what moves the protocol from "unauthenticated"
   to
   pertain "authenticated" state.  The "EXTERNAL" SASL mechanism is
   explicitly intended to handle the implementation or use of case where the technology described in
   this document or transport service
   secures the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on connection and authenticates the procedures with respect to rights client and SASL
   negotiates the authorization identity.

Appendix B. Changes since RFC 2222

   The GSSAPI mechanism was removed.  It is now specified in a separate
   document [SASL-GSSAPI].

   The "KERBEROS_V4" mechanism defined in RFC documents can be
   found 2222 is obsolete and has
   been removed.

   The "SKEY" mechanism described in BCP 78 RFC 2222 is obsolete and BCP 79.

   Copies of IPR disclosures made to has been
   removed.  It has been replaced by the IETF Secretariat OTP mechanism [SASL-OTP].

   The introduction has been substantially reorganized and any
   assurances of licenses to be made available, or clarified.

   Clarified the result definition and semantics of an
   attempt made to obtain the authorization identity.

   Prohibited the NUL character in authorization identities.

   Added a general license or permission for section on character string issues.

   The word "must" in the use of
   such proprietary rights by implementers or users first paragraph of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring "Protocol profile
   requirements" section was changed to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology "MUST".

   Specified that may be required protocol profiles SHOULD provide a way for clients to implement
   this standard.  Please address
   discover available SASL mechanisms.

   Made the information to requirement that protocol profiles specify the IETF at ietf-
   ipr@ietf.org.

Appendix A. Relation semantics of SASL
   the authorization identity optional to transport security

   Questions have been raised about the relationship between SASL and
   various services (such as IPsec and TLS) which provide protocol profile.
   Clarified that such a secured
   connection.

   Two specification is a refinement of the key features of SASL are:

Internet DRAFT                    SASL                      28 June 2004

      The separation of definition
   in the authorization identity base SASL spec.

   Added a requirement discouraging protocol profiles from breaking the identity in
      the client's credentials.  This permits agents such as proxy
      servers to authenticate using
   separation between protocol and mechanism.

   Mentioned that standards track documents may carve out their own credentials, yet request
      the access privileges
   portions of the identity SASL mechanism namespace and may amend registration
   rules for which they are proxying.

      Upon successful completion of an authentication exchange, the
      server knows portion. However registration of individual SASL
   mechanisms is still required.

Internet DRAFT                    SASL                   25 October 2004

   Clarified that authorization identity should be encoded in UTF-8.

   Specified that the authorization identity in the client wishes to use.
      This allows servers to move to a "user EXTERNAL mechanism
   is authenticated" state encoded in
      the protocol.

   These features are extremely important UTF-8.

   Added a statement that a protocol profile SHOULD allow challenge data
   to some application protocols,
   yet Transport Security services do not always provide them.  To
   define SASL mechanisms based on these services would be sent with a very messy
   task, as success indication.

   Added a security consideration for the framing of these services would be redundant EXTERNAL mechanism.

   Clarified sections concerning success with additional data.

   Cleaned up IANA considerations/registrations and assembled them in
   one place.

   Updated references and split them into Informative and Normative.

   Added text to the
   framing Security considerations section regarding handling
   of extremely large SASL blocks.

   Added text about SASLprep for authentication identities and some method of providing these important
   passwords.  Described where SASLprep preparation should take place.

   Added paragraph about verifying authorization identities.

   Added a protocol profile requirement to specify interaction between
   SASL
   features would have and TLS security layers.

   Added a protocol profile requirement to be devised.

   Sometimes specify if it supports
   reauthentication.

   Removed the text that seemed to suggest that SASL security layer must
   not be used when TLS is desired available.

   Created two subsections in 3.2 to enable within talk separately about proxy
   authorization and format of the authorization identities.

   Made requirement to verify that an existing connection authorization identity is correct
   by performing SASLprep.

   Clarified that each SASL mechanism must decide where SASLprep is
   taking place.

   Added 4 new examples for initial response and additional data with
   success.

   Added text on checking the
   use list of available SASL mechanisms after
   negotiating a security service which does not fit the layer.

Internet DRAFT                    SASL model.  (TLS is
   an example                   25 October 2004

   Added definition of such "integrity protection" and "confidentiality
   protection".

   Added warning about negotiating no layer once a service.)  This can be done by adding security layer is
   negotiated.

   Added new section with guidelines to a command,
   for example "STARTTLS", SASL mechanism designer.

   Added a requirement to the protocol.  Such specify how an empty initial challenge is
   encoded if initial response is supported by a command protocol.

   Clarified that empty "additional data with success" is outside
   the scope not allowed.

   Replaced "buffers of SASL, and should cipher-text" with "buffers of protected data"
   for clarity.

   Clarified that SASL EXTERNAL can be different from the command which
   starts a used even with SASL authentication profiles that
   don't support initial client response.

   Changed "authentication protocol exchange.

   In certain situations, it is reasonable exchange" to use SASL underneath one of
   these Transport Security services. "authentication
   exchange" everywhere.

Appendix C. Full Copyright Statement and Intellectual Property Statement

Full Copyright Statement

   Copyright (C) The transport service would
   secure Internet Society (2004).  This document is subject
   to the connection, either service would authenticate rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the client, authors retain all their rights.

   This document and SASL would negotiate translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the authorization identity.  The SASL
   negotiation would above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be what moves modified in any way, such as by removing
   the protocol from "unauthenticated"
   to "authenticated" state.  The "EXTERNAL" SASL mechanism is
   explicitly intended copyright notice or references to handle the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case where the transport service
   secures procedures for
   copyrights defined in the connection Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and authenticates will not be
   revoked by the client and Internet Society or its successors or assigns.

Internet DRAFT                    SASL
   negotiates the authorization identity.

Appendix B. Relationship to other documents                   25 October 2004

   This document obsoletes RFC 2222.  It replaces all portions of RFC
   2222 excepting sections 7.1 (Kerberos version 4 mechanism), 7.2
   (GSSAPI mechanism), 7.3 (S/Key mechanism).  The Kerberos version 4
   (KERBEROS_IV) and S/Key (SKEY) mechanisms the information contained herein are now viewed as obsolete.
   The GSSAPI mechanism is now separately specified [SASL-GSSAPI].

Appendix C. Changes since RFC 2222

   The GSSAPI mechanism was removed.  It is now specified in a separate
   document [SASL-GSSAPI].

   The "KERBEROS_V4" mechanism defined in RFC 2222 is obsolete provided on an
   "AS IS" basis and has

Internet DRAFT                    SASL                      28 June 2004

   been removed.

   The "SKEY" mechanism described in THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC 2222 Editor function is obsolete and has been
   removed.  It has been replaced currently provided by the OTP mechanism [SASL-OTP].
   Internet Society.

Intellectual Property

   The introduction has been substantially reorganized and clarified.

   Clarified IETF takes no position regarding the definition and semantics validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the authorization identity.

   Prohibited implementation or use of the NUL character in authorization identities.

   Added a section on character string issues.

   The word "must" technology described in
   this document or the first paragraph of the "Protocol profile
   requirements" section was changed extent to "MUST".

   Specified that protocol profiles SHOULD provide a way for clients to
   discover available SASL mechanisms.

   Made the requirement that protocol profiles specify the semantics of
   the authorization identity optional to the protocol profile.
   Clarified that which any license under such a specification is a refinement of the definition
   in the base SASL spec.

   Added a requirement discouraging protocol profiles from breaking the
   separation between protocol and mechanism.

   Mentioned that standards track documents may carve out their own
   portions of the SASL mechanism namespace and may amend registration
   rules for the portion. However registration of individual SASL
   mechanisms is still required.

   Specified that the authorization identity in the EXTERNAL mechanism
   is encoded in UTF-8.

   Added a statement that a protocol profile SHOULD allow challenge data
   to rights
   might or might not be sent with a success indication.

   Added a security consideration for the EXTERNAL mechanism.

   Clarified sections concerning success with additional data.

   Cleaned up IANA considerations/registrations and assembled them in
   one place.

   Updated references and split them into Informative and Normative.

   Added text available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the Security Considerations section regarding handling

Internet DRAFT                    SASL                      28 June 2004

   of extremely large SASL blocks.

   Replaced UTF-8 ABNF procedures with the reference to the UTF-8 document.

   Added text about SASLprep for authentication identities and
   passwords.  Described where SASLprep preparation should take place.

   Added paragraph about verifying authorization identities.

   Added a protocol profile requirement to specify interaction between
   SASL and TLS security layers.

   Added a protocol profile requirement to specify if it supports
   reauthentication.

   Removed the text that seemed respect to suggest that SASL security layer must
   not rights in RFC documents can be used when TLS is available.

   Created two subsections
   found in 3.2 to talk separately about proxy
   authorization and format of the authorization identities.

   Made requirement to verify that an authorization identity is correct
   by performing SASLprep a SHOULD, instead of a MUST.

   Clarified that each SASL mechanism must decide where SASLprep is
   taking place.

   Added 4 new examples for initial response BCP 78 and additional data with
   success.

   Added text on checking the list of available SASL mechanisms after
   negotiating a security layer.

   Added definition BCP 79.

   Copies of "integrity protection" and "confidentiality
   protection".

   Added warning about negotiating no layer once a security layer is
   negotiated.

   Added new section with guidelines IPR disclosures made to a SASL mechanism designer.

   Added a requirement the IETF Secretariat and any
   assurances of licenses to specify how be made available, or the result of an empty initial challenge is
   encoded if initial response is supported by
   attempt made to obtain a protocol.

   Clarified that empty "additional data with success" is not allowed.

   Replaced "buffers general license or permission for the use of security encoded data" with "buffers
   such proprietary rights by implementers or users of
   protected data" for clarity.

Internet DRAFT                    SASL                      28 June 2004

   Clarified that SASL EXTERNAL this
   specification can be used even with SASL profiles obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that
   don't support initial data with success. may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.

Internet DRAFT                    SASL                      28 June                   25 October 2004

   Status of this Memo .......................................... .....     i
   Abstract ..................................................... .     2
   1.  Conventions used in this document ........................ ..     2
   2.    Introduction ........................................... .     2
   2.1.  Relationship to other documents ..     4
   3.    Authentication mechanisms .............................. 4 ...     5
   3.1.  Authentication protocol exchange ....................... Exchange .....     5
   3.2.  Authorization and authentication identities ............  Identity Concepts .     6
   3.2.1.  Authorization identities and proxy authentication .... 6
   .....     7
   3.2.2.  Authorization Identity Format ........................ 7
   .....     8
   3.3.  Security layers ........................................ 7
   .....     8
   4.    Protocol profile requirements .......................... 8
   .....     9
   5.    Mechanism profile guidelines ..........................
   .....     10
   6.    Specific issues ....................................... 11
   .....     12
   6.1.  Client sends data first ............................... 11
   .....     12
   6.1.1.  Client sends data first examples .................... 11
   .....     12
   6.2.  Server returns success with additional data ........... 12 .....     13
   6.2.1.  Server returns success with additional data examples  13 ....     14
   6.3.  Multiple authentications .............................. 14 ....     15
   7.    The EXTERNAL mechanism ................................ 15 .     16
   7.1.  Formal syntax ......................................... 15 .....     16
   7.2.  Examples of SASL EXTERNAL ............................. 16 ...     17
   8.    IANA Considerations ................................... 17 ....     18
   8.1.  Guidelines for IANA ................................... 17 ....     18
   8.2.  Registration procedure ................................ 17 .     18
   8.3.  Comments on SASL mechanism registrations .............. 18 ...     19
   8.4.  Change control ........................................ 18 ....     19
   8.5.  Registration template ................................. 18 ..     19
   8.6.  The EXTERNAL mechanism registration ................... 19 ...     20
   9.   Security considerations ................................ 19 .     20
   9.1.  Re-keying ....     22
   10.    References ........................................... 21 ..     23
   10.1.  Normative References ................................. 21 ..     23
   10.2.  Informative References ............................... 22 .....     23
   11.   Editor's Address ...................................... 23 ..     24
   12.   Acknowledgments ....................................... 23
   13.   Full Copyright Statement .............................. 23
   14.   Intellectual Property ................................. 24 ...     25
   Appendix A. Relation of SASL to transport security .......... 24
   Appendix B. Relationship to other documents ................. ....     25
   Appendix C. B. Changes since RFC 2222 .......................... .....     26
   Appendix C. Full Copyright Statement and Intellectual Property Statement
   .....     28

Internet DRAFT                    SASL                   25 October 2004

   Full Copyright Statement .....     28
   Intellectual Property ...     29