Network Working Group
INTERNET-DRAFT                                A. Melnikov
Internet Draft                                                    Editor
Document: draft-ietf-sasl-rfc2222bis-10.txt                February 2005
Obsoletes: RFC 2222 Melnikov, Ed.
Intended Category: Standards Track            ISODE Limited
Expires in six months                         K. Zeilenga, Ed.
Obsoletes: RFC 2222                           OpenLDAP Project
                                              1 June 2005

             Simple Authentication and Security Layer (SASL)
                   <draft-ietf-sasl-rfc2222bis-11.txt>

Status of this Memo

  By submitting this Internet-Draft, I certify accept the provisions of Section
  3 of BCP 78.  By submitting this Internet-Draft, each author
  represents that any applicable patent or other IPR claims of which I am he
  or she is aware have been or will be disclosed, and any of which I become he or
  she becomes aware will be disclosed, in accordance with
   RFC 3668.

   Internet Drafts Section 6 of
  BCP 79.

  Internet-Drafts are working documents of the Internet Engineering Task
  Force (IETF), its Areas, areas, and its Working Groups. working groups. Note that other
  groups may also distribute working documents as Internet
   Drafts. Internet Drafts Internet-Drafts.

  Internet-Drafts are draft documents valid for a maximum of six months.  Internet Drafts months
  and may be updated, replaced, or obsoleted by other documents at any
  time. It is not appropriate inappropriate to use
   Internet Drafts Internet-Drafts as reference material
  or to cite them other than as
   ``work "work in progress''. progress."

  The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt
  http://www.ietf.org/1id-abstracts.html

  The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   A revised version of this draft document will be submitted to
  http://www.ietf.org/shadow.html

  Copyright (C) The Internet Society (2005).  All Rights Reserved.

  Please see the RFC
   editor as a Standards Track RFC for Full Copyright section near the Internet Community.
   Discussion and suggestions for improvement are requested.
   Distribution end of this draft is unlimited.

   When published as an RFC this document will obsolete RFC 2222.

Internet DRAFT                    SASL                  16 February 2005
  for more information.

Abstract

  The Simple Authentication and Security Layer (SASL) is a framework for
  providing authentication and data security services in
  connection-oriented protocols via replaceable mechanisms.  It provides
  a structured interface between protocols and mechanisms.  The
  resulting framework allows new protocols to reuse existing mechanisms
  and allows old protocols to make use of new mechanisms.  The framework
  also provides a protocol for securing subsequent protocol exchanges
  within a data security layer.

  This document describes how a SASL mechanism is structured, describes
  how protocols add include support for SASL, and defines the protocol for
  carrying a data security layer over a connection.  Additionally, this
  document defines one SASL mechanism, the EXTERNAL mechanism.

1.  Conventions used in this document

   In examples, "C:" and "S:" indicate lines sent by the client and
   server respectively.

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
   in this

  This document are obsoletes RFC 2222.

Table of Contents

  [[Page numbers to be interpreted as defined in "Key words for
   use in RFCs to Indicate Requirement Levels" [KEYWORDS].

   Character names filled in by RFC-Editor]]

  Status of this document use the notation for code points and
   names from the Unicode Standard [Unicode].  For example, the letter
   "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.

   This document uses terms "integrity protection" and "confidentiality
   protection". The former refers to a security layer (see Section
   "Introduction" below for the definition) designed Memo
  Abstract
  1. Introduction
  1.1. Document Audiences
  1.2. Relationship to provide "data
   integrity service" as defined in [Sec-Glossary]. Confidentiality
   protection is a security layer that provides "data confidentiality
   service" as defined in [Sec-Glossary]. Other Documents
  1.3. Conventions
  2. Identity Concepts
  3. The term "confidentiality
   protection" implies "integrity protection". Authentication Exchange
  3.1. Mechanism Naming
  3.2. Mechanism Negotiation
  3.3. Request Authentication Exchange
  3.4. Challenges and Responses
  3.4.1. Authorization Identity String
  3.5. Aborting Authentication Exchanges
  3.6. Authentication Outcome
  3.7. Security layers may offer
   other kinds of security services, for example re-keying, truncation
   detection, as well as other services, e.g. compression.

2. Layers
  3.8. Multiple Authentications
  4. Protocol Requirements
  5. Mechanism Requirements
  6. Security Considerations
  6.1. Active Attacks
  6.1.1. Man-in-the-middle Attacks
  6.1.2. Replay Attacks
  6.1.3. Truncation Attacks
  6.2. Passive Attacks
  6.3. Re-keying
  6.4. Other considerations
  7. IANA Considerations
  8. References
  9. Editors' Address
  10. Acknowledgments
  A. The SASL EXTERNAL Mechanism
  B. Changes since RFC 2222

1.    Introduction

  The Simple Authentication and Security Layer (SASL) is a framework for
  providing authentication and data security services in
  connection-oriented protocols via replaceable mechanisms.  SASL
  provides a structured interface between protocols and mechanisms.
  SASL also provides a protocol for securing subsequent protocol

Internet DRAFT                    SASL                  16 February 2005
  exchanges within a data security layer.  The data security layer can
  provide data integrity, data confidentiality, and other services.

  SASL's design is intended to allow new protocols to reuse existing
  mechanisms without requiring redesign of the mechanisms and allows
  existing protocols to make use of new mechanisms without redesign of
  protocols.

   The

  SASL is conceptually a framework which provides a an abstraction layer
  between protocols and mechanisms, mechanisms as illustrated in the following
  diagram.

            SMTP Protocol    LDAP Protocol    XMPP   Other Protocols
                   Profile           Profile            . . .
                          \----- protocols ...
               \       |    |       -----/      /
                \      |    |     /
               SASL framework abstraction layer
                /      |    |     \
                          /-----
               /       |       -----\
                  DIGEST-MD5    |      \
        EXTERNAL   GSSAPI  PLAIN   Other Mechanisms
                SASL mechanism    SASL mechanism        . . . mechanisms ...

  It is through the interfaces of this abstraction layer that the
  framework allows any protocol to be utilized with utilize any mechanism.  While the this
  layer does generally hide the particulars of protocols from mechanisms
  and the particulars of mechanisms from protocols, the this layer does not
  generally hide the particulars of mechanisms from protocol
  implementations.  For example, different mechanisms require different
  information to operate, some of them use password based password-based
  authentication, some of then require realm information, others make
  use of Kerberos tickets, certificates, etc. etc..  Also, in order to
  perform authorization, server implementations generally have to
  implement a identity mapping from a mechanism-specific between authentication identities, whose
  form is mechanism-specific, and authorization identities, whose form
  is application protocol specific.  Section 2 discusses identity format to a
   protocol-specific format.
  concepts.

  It is possible to design and implement this framework in ways which do
  abstract away particulars of similar mechanisms.  Such
   implementation a framework
  implementation, as well as mechanisms implementations, could also be
  designed not only to be shared by multiple implementations of various a
  particular protocol, but be shared by implementations of multiple
  protocols.

   As illustrated above, the SASL

  The framework incorporates interfaces with both protocols and mechanisms.
  mechanisms in which authentication exchanges are carried out.  Section
  3 discusses SASL authentication exchanges.

  To use SASL, a each protocol includes (amongst other items) provides a command method for
  identifying and
   authenticating a user which mechanism is to be used, provides a server and method for optionally negotiating
  exchange of mechanism-specific server-challenges and client-responses,
  and a
   security layer method for subsequent protocol interactions.  If communicating the use outcome of a
   security layer is negotiated, that security layer is inserted between
   the protocol and the connection. authentication
  exchange.  Section 4 ("Protocol profile
   requirements") profiles the requirements that a protocol

Internet DRAFT                    SASL                  16 February 2005

   specification must fulfill to make use of SASL. A discusses SASL protocol
   profile is a part of the protocol specification that satisfies the
   requirements of Section 4.

   A requirements.

  Each SASL mechanism is defines (amongst other items) a series of server
  challenges and client responses specific to the mechanism.  Each SASL mechanism is
   identified by a registered name. which provide authentication services
  and negotiate data security services.  Section 5 ("Mechanism profile
   guidelines") profiles the requirements that a discusses SASL
  mechanism specification
   must fulfill to define a requirements.

  Section 6 discusses security considerations.  Section 7 discusses IANA
  considerations.  Appendix A defines the SASL EXTERNAL mechanism.

1.1.  Document Audiences

  This document is written to serve several different audiences:

    - protocol designers using this specification to support
      authentication in their protocol,

    - mechanism designers that define new SASL mechanisms, and

    - implementors of clients or servers for those protocols using this
   specification.

   The sections "Authentication mechanisms", "Protocol profile
   requirements", "Specific issues", and "Security considerations" cover
   issues that protocol designers need which
      support SASL.

  While the document organization is intended to understand and address in
   profiling this specification for use in a specific protocol.

   The sections "Authentication mechanisms", "Mechanism profile
   guidelines", "Security considerations" and "Registration procedure"
   cover issues that mechanism designers need allow readers to understand and address
   in designing new SASL mechanisms.

   The sections "Authentication mechanisms", "Protocol profile
   requirements", "Specific issues" and "Security considerations" cover
   issues that implementors of a protocol that uses SASL framework need focus
  on details relevant to understand.  The implementors will also need their engineering, readers are encouraged to
  read and understand a
   specification of a SASL profile specific to the protocol, as well as all aspects of mechanism specifications they intend to use (regardless of
   whether they are implementing the mechanisms themselves or using an
   existing implementation) to understand, for instance, the mechanism-
   specific authentication identity forms, the offered services, and
   security and other considerations.

2.1. this document.

1.2.  Relationship to other documents

  This document obsoletes RFC 2222.  It replaces all portions of RFC
  2222 excepting sections 7.1 (Kerberos version 4 (the KERBEROS_IV mechanism), 7.2
   (GSSAPI (the
  GSSAPI mechanism), 7.3 (S/Key (the SKEY mechanism).  The Kerberos version 4
   (KERBEROS_IV) KERBEROS_IV and S/Key (SKEY) SKEY
  mechanisms are now viewed as obsolete. obsolete and their specifications
  provided in RFC 2222 are Historic.  The GSSAPI mechanism is now
  separately specified [SASL-GSSAPI].

Internet DRAFT                    SASL                  16 February 2005

3.    Authentication mechanisms

   SASL mechanisms

  Appendix B provides a summary of changes since RFC 2222.

1.3.  Conventions

  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
  document are named by strings, from 1 to 20 characters in
   length, consisting of ASCII [ASCII] upper-case letters, digits,
   hyphens, and/or underscores.  Names of SASL mechanisms or families of
   mechanisms must be registered with the Internet Assigned Numbers
   Authority (IANA) interpreted as described in section 8.2.

   The "sasl-mech" ABNF production below defines the syntax of a SASL
   mechanism name.  This uses BCP 14 [RFC2119].

  Character names in this document use the Augmented Backus-Naur Form (ABNF) notation as specified in [ABNF].

   sasl-mech    = 1*20mech-char
   mech-char    = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
                  ; mech-char is restricted to "A"-"Z", "0"-"9", "-",
                  ; for code points and "_"
  names from ASCII character set.

   UPPER-ALPHA  = %x41-5A
                  ; "A"-"Z"

   DIGIT        = %x30-39
                  ; "0"-"9"

   HYPHEN       = %x2D
                  ; "-"

   UNDERSCORE   = %x5F
                  ; "_"

3.1.  Authentication Exchange

   A SASL mechanism is responsible for conducting an authentication
   exchange.  This consists of the Unicode Standard [Unicode].  For example, the letter
  "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.

  Note: a series glossary of server challenges and client
   responses, terms used in Unicode can be found in [Glossary].
  Information on the contents Unicode character encoding model can be found in
  [CharModel].

  In examples, "C:" and "S:" indicate lines of which are specific data to and defined be sent by the
   mechanism.  To the application protocol, the challenges
  client and responses
   are opaque binary tokens of arbitrary length (including 0-length).
   The protocol's profile then specifies how these binary tokens are
   encoded server respectively.  Lines have been wrapped for transfer over the connection.

   After receiving an improved
  readability.

2.  Identity Concepts

  In practice, authentication command or any client response, a
   server mechanism may issue a challenge, indicate failure, or indicate
   completion.  The server mechanism and authorization may return additional data involve multiple
  identities, possibly in different forms (simple username, Kerberos
  principal, X.500 Distinguished Name, etc.), possibly with a
   completion indication.  The protocol's profile specifies how each of
   these is then represented over different
  representations (e.g.: ABNF-described UTF-8 encoded Unicode character
  string, BER-encoded Distinguished Name).  While technical
  specifications often prescribe both the connection.

   After receiving a challenge, a client mechanism identity form and
  representation used on the network, different identity forms and/or
  representations may issue (and often are) used within implementations.  How
  identities of different forms relate to each other is, generally, a response
   or abort the exchange.  The protocol's profile specifies how each of

Internet DRAFT                    SASL                  16 February 2005

   these are then represented over the connection.

   During the authentication exchange, the mechanism performs
   authentication, transmits an authorization identity (sometimes known
   as a username) from
  local matter.  Additionally, the client to server, forms and may negotiate the use
   of a mechanism-specific security layer.  If the use of a security
   layer is agreed upon, then the mechanism must also define or
   negotiate the maximum security layer buffer size that each side representations used within
  an implementation is
   able to receive.

3.2.  Identity Concepts

   Conceptually, a local matter.

  However, conceptually, SASL framework involves two identities:
    1) an identity associated with the authentication credentials
       (termed the authentication identity), and
    2) an identity to act as (termed the authorization identity).

  The client provides its credentials and, optionally, a character
  string representing the requested authorization identity as part of
  the SASL exchange.  When this string is omitted or empty, the client
  is requesting to act as the identity associated with the credentials
  (e.g., the user is requesting to act as the authentication identity).

  The server is responsible for verifying the client's credentials and
  verifying that the client is allowed to act as the authorization
  identity.  A SASL exchange fails if either (or both) of these
  verifications fails.  (The SASL exchange may fail for other reasons,
  such as service authorization failure.)

  SASL mechanism specifications describe the form of credentials credential form(s) (e.g.,
  X.509 certificates, Kerberos tickets, simple username/password) used
  to authenticate clients, the client, including (where appropriate) the syntax
  and semantics of associated identities.  SASL application profiles protocol specifications
  describe the
   form identity form(s) used in authorization and, in
  particular, prescribe the syntax and semantics of the authorization identities
  identity character string to be transferred as part of
   authentication exchange. by mechanisms.

  However, the precise form(s) of the authentication identities (used
  within the server in its verifications, or otherwise) and the precise
  form(s) of the authorization identities (used in making authorization
  decisions, or otherwise) is beyond the scope of the SASL and this
  specification.  In some circumstances, the precise identity forms used
  in some context outside of the SASL exchange may be dictated by other
  specifications.  For instance,
   the an identity assumption authorization
  (proxy authorization) policy specification for an application protocol may dictate the precise form that an how
  authentication and authorization identity is to be identities are represented in the authorization policy.

   <<Need to address few issues in the two remaining paragraphs>> Any
   normalization
  policy statement.

3.  The Authentication Exchange

  Each authentication exchange consists of a message from the authentication identity (for client to
  the purposes of
   conducting server requesting authentication exchange) is defined by via a particular SASL mechanism,
  followed by pairs of challenges from servers and responses from
  clients, followed by a message from the protocol profile doesn't influence it.  Note, that the

Internet DRAFT                    SASL                  16 February 2005

   mechanism specification doesn't control how authentication identity
   information is represented elsewhere <<need to add few examples>>.

   The mechanism MUST preserve Unicode codepoints when transferring
   authorization identity (e.g. server indicating the mechanism can't apply any form outcome
  of
   normalization).

3.2.1.  Authorization identities and proxy the authentication

   A mechanism which is incapable of transmitting an authorization
   identity must exchange.  (Note: exchanges may also be treated aborted
  as if it always transmits an authorization
   identity discussed in Section 3.5.)

  The following illustration provides a high-level overview of an empty string.

   If the authorization identity transmitted during the
  authentication exchange.

      C: Request authentication exchange is not
      S: Initial challenge
      C: Initial response
      <additional challenge/response messages>
      S: Outcome of authentication exchange

  If the empty string, outcome is successful and a data layer was negotiated, this
  layer is typically referred then installed.  Protocols may allow this data to as
   "proxy authentication". be carried
  in the request message.  This feature permits agents such applies as proxy
   servers well to authenticate using their own credentials, yet request the
   access privileges of following
  illustrations.

  Some mechanisms specify that the identity for which they are proxying.

   The server makes first data sent in the authentication
  exchange is from the client to the server.  Protocols may provide an implementation-defined policy decision as
  optional initial response field in the request message to
   whether carry this
  data.  Where the authentication identity mechanism specifies the first data data sent in the
  exchange is permitted from the client to have the access
   privileges of server, the authorization identity protocol provides an
  optional initial response field, and whether the
   authorization identity client uses this field, the
  exchange is permitted to receive service.  If it shortened by one round-trip:

      C: Request authentication exchange + Initial response
      <additional challenge/response messages>
      S: Outcome of authentication exchange

  Where the mechanism specifies the first data sent in the exchange is
   not,
  from the client to the server indicates failure of and this field is unavailable or unused,
  the client request is followed by an empty challenge.

      C: Request authentication exchange.

   As exchange
      S: Empty Challenge
      C: Initial Response
      <additional challenge/response messages>
      S: Outcome of authentication exchange

  Should a client might include an initial response in its request where the
  mechanism does not have allow the same information as client to send data first, the server,
   clients SHOULD NOT derive authorization identities from
  authentication identities. Instead, clients SHOULD provide no (or
   empty) authorization identity when exchange fails.

  Some mechanisms specify that the user has not provided an
   authorization identity.

   The server SHOULD verify that a received authorization identity is in to send additional data to
  the correct form. Protocol profiles whose authorization identities
   are simple user names (e.g. IMAP [RFC 3501]) SHOULD use "SASLprep"
   profile [SASLprep] of client when indicating a successful outcome.  Protocols may
  provide an optional additional data field in the "stringprep" algorithm [StringPrep] outcome message to
   prepare these names for matching. The profiles MAY use a stringprep
   profile that
  carry this data.  Where the mechanism specifies the server is more strict than "SASLprep". If to
  return additional data with the preparation of successful outcome, the authorization identity fails or results in protocol
  provides an empty string, optional additional data field in the outcome message, and
  the server MUST fail uses this field, the exchange is shortened by one
  round-trip:

      C: Request authentication exchange. The only exception to
   this rule exchange
      S: Initial challenge
      C: Initial response
      <additional challenge/response messages>
      S: Outcome of authentication exchange with
         additional data with success

  Where the mechanism specifies the server is when to return additional data
  to the received authorization identity client with a successful outcome and and this field is already
  unavailable or unused, the
   empty string.

3.2.2.  Authorization Identity Format

   An authorization identity additional data is sent as a string of zero or more Unicode
   [Unicode] coded characters.  The NUL <U+0000> character challenge
  whose response is prohibited

Internet DRAFT                    SASL                  16 February 2005

   in authorization identities.

   The character encoding scheme used for transmitting an authorization
   identity over empty.  After receiving this response, the protocol is specified in each server
  then indicates the successful outcome.

      C: Request authentication
   mechanism.  All IETF-defined mechanisms MUST, and all other
   mechanisms SHOULD, use UTF-8 [UTF-8]. (See [CHARSET-POLICY] for IETF
   policy regarding character sets and encoding schemes.)

   Mechanisms are expected to be capable exchange
      S: Initial challenge
      C: Initial response
      <additional challenge/response messages>
      S: Additional data challenge
      C: Empty Response
      S: Outcome of carrying the entire Unicode
   repertoire (with authentication exchange

  Where mechanisms specify the exception of first data sent in the NUL character). An
   authorization identity of exchange is from
  the empty string and an absent
   authorization identity MUST be treated as equivalent. A mechanism
   which provides an optional field for an authorization identity,
   SHOULD NOT allow that field, when present, client to be empty.  The meaning
   of the empty string as an authorization identity server and additional data is described in
   Section 3.2.

3.3.  Security layers

   SASL mechanisms may offer sent to the client
  along with indicating a wide range of services in "security
   layers".  Typical examples of such services are data integrity, data
   confidentiality, re-keying, truncation detection successful outcome, and compression.

   If use of a security layer is negotiated by the authentication protocol exchange, the security layer is applied to all subsequent
   data sent over the connection (until another security layer is
   negotiated ( see also section 6.3) or underlying connection is
   closed). The security layer takes effect immediately following provides
  fields supporting both, the
   last exchange can be shorted by two
  round-trips:

      C: Request authentication exchange + Initial response
      <additional challenge/response messages>
      S: Outcome of the authentication exchange for
         with additional data sent by the
   client and the completion indication for with success

  instead of:

      C: Request authentication exchange
      S: Empty Challenge
      C: Initial Response
      <additional challenge/response messages>
      S: Additional data sent by the server. The
   exact position MUST be defined challenge
      C: Empty Response
      S: Outcome of authentication exchange

3.1. Mechanism Naming

  SASL mechanisms are named by the protocol profile (see section 4
   part 5).

   Once the security layer is character strings, from 1 to 20
  characters in effect the protocol stream is processed
   by the security layer into buffers length, consisting of protected data.  If ASCII [ASCII] uppercase letters,
  digits, hyphens, and/or underscores.  In the
   security layer is not able to produce a buffer, following Augmented
  Backus-Naur Form (ABNF) [ABNF] grammar, the connection MUST
   be closed. If <sasl-mech> production
  defines the security layer is not able to decode a received
   buffer, the connection MUST be closed. In both cases the underlying
   connection SHOULD be closed gracefully.

   Each buffer syntax of protected data a SASL mechanism name.

      sasl-mech    = 1*20mech-char
      mech-char    = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
      ; mech-char is transferred over the connection restricted to A-Z (uppercase only), 0-9, -, and _
      ; from ASCII character set.

      UPPER-ALPHA  = %x41-5A  ; A-Z (uppercase only)
      DIGIT        = %x30-39  ; 0-9
      HYPHEN       = %x2D ; hyphen (-)
      UNDERSCORE   = %x5F ; underscore (_)
  SASL mechanisms names are registered as a
   stream of octets prepended with a four octet field discussed in network byte
   order Section 7.1.

3.2. Mechanism Negotiation

  Mechanism negotiation is protocol-specific.

  Commonly, a protocol will specify that represents the length of server advertises supported
  and available mechanisms to the buffer.  The length of client via some facility provided by
  the
   protected data buffer MUST be no larger than protocol and the maximum size client will then select the "best" mechanism from
  this list which its supports and finds suitable.

  It is noted that
   was either defined in the mechanism specification or negotiated negotiation is not protected by the
  subsequent authentication exchange and hence is subject to downgrade
  attacks if not protected by other side during means.

  To detect downgrade attacks, a protocol may allow the authentication exchange.  Upon client to
  discover available mechanism subsequent to the receipt
   of a authentication exchange
  (and, hence, protected by any data buffer which security layer provided by
  mechanism) so that downgrade attacks can be detected.

3.3. Request Authentication Exchange

  The authentication exchange is larger than the defined/negotiated maximal

Internet DRAFT                    SASL                  16 February 2005

   buffer size the receiver SHOULD close initiated by the connection, as this might
   be client by requesting
  authentication via a sign mechanism it specifies.  The client sends a
  message that contains the name of an attack.

   SASL mechanisms which are unable to negotiate a security layer are
   treated as selecting no security layer.

4.    Protocol profile requirements

   In order to use this specification, a protocol definition MUST supply
   the following information:

     1) A service name, to be selected from the IANA registry of
     "service" elements for the GSSAPI host-based service name form
     [GSSAPI]. This service name is made available the mechanism to the authentication
     mechanism. server.  The registry is available at the URL
     <http://www.iana.org/assignments/gssapi-service-names>.

     2) A definition
  particulars of the command to initiate the authentication message are protocol exchange.  This command must have as a parameter specific.

  It is noted that the name of the mechanism being selected is not protected by the client.

     The command SHOULD have an optional parameter giving an initial
     response.  If the protocol allows for the initial response, the
     protocol profile MUST also describe how
  mechanism, and hence subject to alteration by an empty initial response
     is encoded.  This optional parameter allows attacker if not
  integrity protected by other means.

  Where the client to avoid a
     round trip when using a mechanism which is defined to have allow the client to send data first.  When this first,
  and the protocol's request message includes an optional initial
  response is sent by field, the client and may include the selected mechanism is defined response to have the server
     start with an initial challenge, the command fails.  See section
     6.1 of this document for further information.

     3) A definition of the method by which
  challenge in the authentication protocol request message.

3.4. Challenges and Responses

  The authentication exchange is carried out, including how involves pairs of server-challenges and
  client-responses, the particulars of which are mechanism specific.
  These challenges and responses are encoded, how enclosed in protocol messages, the server indicates completion or failure
  particulars of which are protocol specific.

  Through these challenges and responses, the
     exchange, how mechanism may:
    - authenticate the client aborts an exchange, and how the exchange
     method interacts with any line length limits in to the protocol.

     The exchange method SHOULD allow server,
    - authenticate the server to include the client,
    - transfer an optional
     data ("optional challenge") with authorization identity string,
    - negotiate a success notification.  This
     allows security layer, and
    - provide other services.

  The negotiation of the server security layer may involve negotiation of the
  security services to avoid a round trip when using be provided in the layer, how these services will
  be provided, and negotiation of a mechanism
     which maximum cipher-text buffer size each
  size is defined able to have receive in the layer (see Section 3.6).

  After receiving an authentication request or any client response, the
  server send additional data along with may issue a challenge, abort the indication of successful completion.  Note that if additional
     data is sent with success, it can not be empty. See section 6.2 exchange, or indicate the
  outcome of
     this document for further information.

     4) A protocol profile SHOULD specify an exchange.  After receiving a mechanism through which challenge, a

Internet DRAFT                    SASL                  16 February 2005 client
  mechanism may obtain the names of issue a response or abort the SASL mechanisms available to it.
     This exchange.

3.4.1.  Authorization Identity String

  The authorization identity string is typically done through the protocol's extensions or
     capabilities mechanism.

     5) Identification a sequence of zero or more
  Unicode [Unicode] characters, excluding the octet where any negotiated security layer
     starts to take effect, in both directions.

     6) Specify if NUL (U+0000) character,
  representing the protocol profile supports "multiple
     authentications" (see section 6.3).

     7) If both a Transport Layer Security [TLS] and a SASL security
     layer are allowed identity to be negotiated by act as.

  If the protocol, authorization identity string is absent, the protocol
     profile MUST define in which order they are applied client is
  requesting to a cleartext
     data sent over act as the connection.

     8) A protocol profile MAY further refine identity the definition of server associates with the
  client's credentials.  An empty string is equivalent to an absent
  authorization identity.

  Non-empty authorization identity string indicates the client wishes to
  act as the identity represented by adding additional syntactic restrictions
     and protocol-specific semantics. A protocol profile MUST specify the string.  In this case, the form
  of the authorization identity (since it is protocol-
     specific, represented by the string, as well as opposed the precise syntax
  and semantics of the string, is protocol specific.

  While character encoding schema used to transfer the authorization
  identity string in the authentication identity, which exchange is
     mechanism-specific) and how authorization identities mechanism specific,
  mechanisms are expected to be
     compared. Profiles whose authorization identities are simple user
     names (e.g. IMAP [RFC 3501]) SHOULD use "SASLprep" profile
     [SASLprep] capable of carrying the entire Unicode
  repertoire (with the exception of the "stringprep" algorithm [StringPrep] NUL character).

3.5. Aborting Authentication Exchanges

  A client or server may desire to prepare
     these names for matching. The profiles MAY use a stringprep profile
     that abort an authentication exchange if
  it is more strict than SASLprep.

     9) Where unwilling or unable to continue (or enter into).

  A client may abort the application-layer protocol does not precisely state
     how identities established through SASL relate authentication exchange by sending a message,
  the particulars of which are protocol-specific, to identities used
     elsewhere (e.g., access controls) in the application-layer
     protocol, it server,
  indicating the exchange is aborted.  The server may be useful for required by the application-layer
  protocol to
     provide return a facility which message in response to the client client's abort
  message.

  Likewise, a server may use to discover abort the
     identity used.

   A protocol profile SHOULD NOT attempt to amend authentication exchange by sending a
  message, the definition particulars of
   mechanisms or create mechanism-specific encodings.  This breaks which are protocol-specific, to the
   separation between protocol and mechanism that
  client, indicating the exchange is fundamental to aborted.

3.6.  Authentication Outcome

  At the
   design conclusion of SASL. (Likewise, SASL mechanisms the authentication exchange, the server sends a
  message, the particulars of which are intended protocol specific, to be profile
   neutral.)

5.    Mechanism profile guidelines

   Designers of new SASL mechanism should be aware the client
  indicating the outcome of the following
   issues:

   1) Authorization identity

Internet DRAFT                    SASL                  16 February 2005

   While some legacy mechanisms are incapable of transmitting an
   authorization identity (which means that exchange.

  The outcome is not successful if
    - the authentication exchange failed for these mechanisms any reason,
    - the
   authorization clients credentials could not be verified,
    - the server cannot associate an identity is always with the empty string), newly defined
   mechanisms SHOULD be capable of transmitting a non-empty client's
      credentials,
    - the client-provided authorization identity. See also section 3.2.

   2) Character identity string issues

   Authentication mechanisms SHOULD encode character strings in UTF-8
   [UTF-8] (see [CHARSET-POLICY] for IETF policy regarding character
   sets in IETF protocols).  In order to avoid interoperability problems
   due to differing normalizations, when a mechanism specifies that
   character data is malformed,
    - the identity associated with the client's credentials are not
      authorized to be used act as input to a cryptographic and/or
   comparison function, the mechanism specification MUST detail how requested authorization identity,
    - the
   data negotiated security layer (or lack thereof) is to be represented, including any normalizations not suitable,
      or other
   preparations, to ensure proper function.  Designers of mechanisms
   SHOULD use the "SASLprep" profile [SASLprep] of
    - the "stringprep"
   algorithm [StringPrep] where applicable.  This recommendation does server is not apply willing to provide service to authorization identities as their handling is protocol-
   specific.

   The preparation can be potentially performed on the client side (upon
   getting user input or retrieving a value from configuration) or on
   the server side (upon receiving the value from for any
      reason.

  The protocol may include an optional additional data field in this
  outcome message.

  If the client, retrieving outcome is successful and a value from its authentication database security layer was negotiated, this
  layer is then installed.  If the outcome is unsuccessful, or generating a new value in
   order to store in
  security layer was not negotiated, any existing security is left in the authentication database).
  place.

3.7.  Security Layers

  SASL mechanisms
   MUST define which entity (or entities) must perform the preparation.
   If preparation fails or turns may offer a non-empty string into the empty
   string, the entity doing the preparation MUST fail wide range of services in security layers.
  Typical services include data integrity and data confidentiality.
  SASL mechanisms which do not provide a security layer are treated as
  negotiating no security layer.

  If use of a security layer is negotiated in the authentication
   exchange.

   Implementation note: A server side can be represented
  protocol exchange, the layer is installed by multiple
   processes. For example, the server side may consist after
  indicating the outcome of the server
   process itself that communicated with a client authentication exchange and a utility (a
   server agent) that is able to store passwords/hashes (or derivitives)
   in a database that can be later used installed by
  the server. For client upon receipt the server
   agent outcome indication.  In both cases, the requirement to "fail
  layer is installed before transfer of further protocol data.  The
  precise position that the authentication exchange" should be
   interpreted as a requirement to refuse to store layer takes effect in the protocol data
  stream is protocol specific.

  Once the security layer is in effect in the
   database.

   3) The mechanism specification MUST detail whether or not protocol data stream, it offers
  remains in effect until either a subsequently negotiated security layer.  If it does, it MUST detail
  layer is installed, or the security and other
   services offered underlying transport connection is closed.

  When in effect, the security layer as well as how these services are processes protocol data into
  buffers of protected data.  If at any time the security layer is
  unable to continue producing buffers protecting protocol data, the
  underlying transport connection MUST be
   implemented.

   4) closed.  If the underlying cryptographic technology used by security layer
  is not able to decode a mechanism
   supports data integrity, then received buffer, the mechanism specification underlying connection
  MUST
   integrity protect be closed.  In both cases the transmission underlying transport connection
  SHOULD be closed gracefully.

  Each buffer of an authorization identity and

Internet DRAFT                    SASL                  16 February 2005 protected data is transferred over the negotiation underlying
  transport connection as a sequence of the security layer.

   5) The mechanism SHOULD NOT use the authorization identity octets prepended with a four
  octet field in
   generation of any long-term cryptographic keys/hashes.  The reason is network byte order that different protocols (and sometimes even different
   implementations of represents the same protocol) may use multiple forms length of an
   authorization identity that are semantically equivalent and some
   clients may use one form while other clients use a different form.

   6) SASL mechanisms should be designed to minimize the number
  buffer.  The length of round
   trips required, because SASL can be used with protocols where
   connections are short-lived.

   7) SASL mechanisms SHOULD be profile neutral.

6.    Specific issues

6.1.  Client sends data first

   Some mechanisms specify that the first protected data sent in buffer MUST be no larger
  than the
   authentication exchange is from maximum size the client to other side expects.  Upon the server.

   If receipt of a protocol's profile permits
  length field whose value is greater than maximum size, the command which initiates an
   authentication exchange to contain an initial client response, this
   parameter receiver
  SHOULD be used with such mechanisms.

   If close the initial client response parameter connection, as this might be a sign of an attack.

  The maximum size for each side expects is not given, fixed by the mechanism,
  either through negotiation or if a
   protocol's profile does not permit by its specification.

3.8.  Multiple Authentications

  Unless explicitly permitted in the command which initiates protocol (as stated in the
  protocol's technical specification), only one successful SASL
  authentication exchange may occur in a protocol session.  In this
  case, once an authentication exchange has successfully completed,
  further attempts to contain initiate an initial client response, then authentication exchange fail.

  Where multiple successful SASL authentication exchanges are permitted
  in the server issues a challenge with protocol, then in no data.  The client's response to
   this challenge case may multiple SASL security layers be
  simultaneously in effect.  If a security layer is in effect and a
  subsequent SASL negotiation selects a second security layer, then used as the initial client response.  (The
   server then proceeds to send
  second security layer replaces the next challenge, indicates
   completion, or indicates failure.)

6.1.1.  Client sends data first examples

   The following are two examples of first.  If a security layer is in
  effect and a subsequent SASL negotiation selects no security layer,
  the SECURID authentication [SASL-
   SECURID] original security layer remains in effect.

  Where multiple successful SASL negotiations are permitted in the SMTP protocol [SMTP].  In
  protocol, the first example below, effect of a failed SASL authentication exchange upon the client
  previously established authentication and authorization state is trying fast reauthentication by sending the initial
   response:

      S: 220-smtp.example.com ESMTP Server
      C: EHLO client.example.com
      S: 250-smtp.example.com Welcome client.example.com
      S: 250-AUTH GSSAPI SECURID
      S: 250 DSN
      C: AUTH SECURID AG1hZ251cwAxMjM0NTY3OAA=

Internet DRAFT                    SASL                  16 February 2005

      S: 235 Authentication successful
  protocol specific.  The example below is almost identical to the previous, but here the
   client chooses not protocol's technical specification should be
  consulted to use determine whether the initial response parameter.

      S: 220-smtp.example.com ESMTP Server
      C: EHLO client.example.com
      S: 250-smtp.example.com Welcome client.example.com
      S: 250-AUTH GSSAPI SECURID
      S: 250 DSN
      C: AUTH SECURID
      S: 334
      C: AG1hZ251cwAxMjM0NTY3OAA=
      S: 235 Authentication successful

   Additonal examples that show usage of initial response can be found previous authentication and
  authorization state remains in section 7.2.

6.2.  Server returns success with additional data

   Some mechanisms may specify that additional data be sent force, or changed to the
   client along with an indication of successful completion anonymous
  state, or otherwise effected.  Regardless of the
   exchange.  This data would, for example, authenticate protocol-specific
  effect upon previously established authentication and authorization
  state, the server previously negotiated security layer remains in effect.

4.  Protocol Requirements

  In order for a protocol to offer SASL services, its specification MUST
  supply the client.

   If a protocol's profile does not permit this additional data following information:

  1) A service name, to be
   returned with a success indication, then selected from the server issues IANA registry of "service"
     elements for the data
   as GSSAPI host-based service name form [RFC2743].

  2) Detail any mechanism negotiation facility the protocol provides
     (see Section 3.2).

     A protocol SHOULD specify a server challenge, without an indication of successful
   completion.  The client then responds with no data.  After receiving
   this empty response, facility through which the server then indicates successful completion
   (with no additional data).

   Client implementors should be aware client may
     discover, both before initiation of an additional failure case
   that might occur when the profile supports sending SASL exchange and after
     installing security layers negotiated by the additional
   data with success. Imagine that an active attacker is trying to
   impersonate exchange, the server and sends faked data, which should be used to
   authenticate names of
     the SASL mechanisms the server makes available to the client, with success.  (A similar
   situation can happen when either the server and/or client.  The
     latter is important to allow the client has a
   bug and they calculate different responses.) After checking the data, to detect downgrade
     attacks.  This facility is typically provided through the client will think that
     protocol's extensions or capabilities discovery facility.

  3) Definition of the messages necessary for authentication exchange has failed,
   however the server will think that exchange,
     including:

     a) A message to initiate the authentication exchange has
   completed successfully.  At this point the client can not abort the
   authentication exchange; it SHOULD close the connection instead.
   However, if (see Section
        3.3).

        This message MUST contain a field for carrying the profile did not support sending name of additional data
   with success, the client could have aborted the exchange at
        mechanism selected by the very
   last step of client.

        This message SHOULD contain an optional field for carrying an
        initial response.  If the authentication exchange.

Internet DRAFT                    SASL                  16 February 2005

6.2.1.  Server returns success message is defined with additional data examples

   The following this field,
        the specification MUST describe how messages with an empty
        initial response are two examples distinguished from messages with no initial
        response.  This field MUST be capable of a DIGEST-MD5 authentication [SASL-
   DIGEST] in the Extensible Messaging carrying arbitrary
        sequences of octets (including zero length sequences and Presence Protocol [XMPP]. In
        sequences containing zero-valued octets).

     b) Messages to transfer server challenges and client responses.
        (see Section 3.4).

        Each of these messages MUST be capable of carrying arbitrary
        sequences of octets (including zero length sequences and
        sequences containing zero-valued octets).

     c) A message to indicate the first example below, outcome of the server is sending mutual authentication exchange
        (see Section 3.6).

        This message SHOULD contain an optional field for carrying
        additional data with success.

      C: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          to='example.com'
          version='1.0'>
      S: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          id='c2s_234'
          from='example.com'
          version='1.0'>
      S: <stream:features>
           <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
             <mechanism>DIGEST-MD5</mechanism>
             <mechanism>CRAM-MD5</mechanism>
           </mechanisms>
         </stream:features>
      C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
               mechanism='DIGEST-MD5'/>
      S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9
         ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
         </challenge>
      C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
         T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
         MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
         LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
         YXJzZXQ9dXRmLTgK
         </response>
      S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
         </success>

      The example below a successful outcome.  If the message is almost identical to
        defined with this field, the previous, but here specification MUST describe how
        messages with an empty additional data are distinguished from
        messages with no additional data.  This field MUST be capable of
        carrying arbitrary sequences of octets (including zero length
        sequences and sequences containing zero-valued octets).

  4) Prescribe the server chooses not syntax and semantics of non-empty authorization
     identity strings (see Section 3.4.1).

     Specifications are encouraged to prescribe use of existing
     authorization identity forms as well as existing string
     representations, such as simple user names [RFC4013].  Protocols
     whose authorization identities are simple user names SHOULD use of
     SASLprep [RFC4013] (a profile of the additional data with success.

      C: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'

Internet DRAFT StringPrep [RFC3454]
     preparation algorithm) as their preparation algorithm.

     Where the specification does not precisely prescribe how identities
     in SASL                  16 February 2005

          to='example.com'
          version='1.0'>
      S: <stream:stream
          xmlns='jabber:client'
          xmlns:stream='http://etherx.jabber.org/streams'
          id='c2s_234'
          from='example.com'
          version='1.0'>
      S: <stream:features>
           <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
             <mechanism>DIGEST-MD5</mechanism>
             <mechanism>CRAM-MD5</mechanism>
           </mechanisms>
         </stream:features>
      C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
               mechanism='DIGEST-MD5'/>
      S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9
         ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
         </challenge>
      C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i
         T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw
         MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i
         LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo
         YXJzZXQ9dXRmLTgK
         </response>
      S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
         cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=
         </challenge>
      C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
      S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

6.3.  Multiple authentications

   Unless otherwise stated relate to identities used elsewhere in the protocol, for
     instance in access control policy statements, it may be appropriate
     for the protocol to provide a facility by which the protocol's profile, only one
   successful SASL negotiation client may occur
     discover information (such as the representation of the
     authentication identity used in a making access control decisions)
     about established identities for these uses.

  5) Detail any facility the protocol session.  In this
   case, once an provides that allows the client
     and/or server to abort authentication exchange has successfully completed,
   further attempts (see Section 3.5).

     Protocols which support multiple authentications typically allow a
     client to initiate abort an on-going authentication exchange fail.

   If by initiating a profile explicitly permits
     new authentication exchange.  Protocols which do not support
     multiple successful SASL negotiations authentications may require the client to occur, then close the
     connection and start over to abort an on-going authentication
     exchange.

     Protocols typically allow the server to abort on-going
     authentication exchanges by returning a non-successful outcome
     message.

  6) Identify precisely where newly negotiated security layers starts to
     take effect, in both directions (see Section 3.7).

     Typically, specifications require security layer to start taking
     effect, in data being sent by the server, on the first octet
     following the outcome message and, in data being sent by the
     client, on the first octet sent after receipt of the outcome
     message.

  7) If the protocol supports other layered security services, such as
     Transport Layer Security (TLS) [RFC2246], the specification MUST
     prescribe the order in no case may multiple which security layers be
   simultaneously in effect.  If are applied to
     protocol data.

     For instance, where a security layer is in effect protocol supports both TLS and a
   subsequent SASL negotiation selects a second security layer, then
     layers, the
   second specification could prescribe any of the following:
     a) SASL security layer replaces the first.  If a is always applied first to data being sent
        and, hence, applied last to received data,
     b) SASL security layer is always applied last to data being sent
        and, hence, applied first to received data,
     c) Layers are applied in
   effect the order in which they were installed,
     d) Layers are applied in the reverse order in which they were
        installed, or
     e) Both TLS and a subsequent SASL negotiation selects no security layer, layers cannot be installed.

  8) Indicate whether the original security layer remains in effect.

Internet DRAFT                    SASL                  16 February 2005

   Where a protocol profile permits supports multiple successful SASL
   negotiations, authentications
     (see Section 3.8).  If so, the profile protocol MUST detail the effect of a
     failed SASL
   negotiation authentication exchange will have upon the previously
     established authentication and authorization state.
   In particular, it MUST state whether the previously established
   authenticated state remains in force or whether the connection is to
   revert to an non-authenticated state. Regardless

  Protocol specifications SHOULD avoid stating implementation
  requirements which would hinder replacement of the specified
   effect upon authentication state, the previously negotiated security
   layer remains in effect.

7.    The EXTERNAL mechanism

   The applicable mechanisms.
  In general, protocol specification SHOULD be mechanism name associated with external authentication is
   "EXTERNAL".

   The client sends neutral.  There
  are a single message containing the UTF-8 encoding of
   the requested authorization identity. The message may be empty. The
   form of the authorization identity may be restricted by the
   application protocol's SASL profile.

   Some system external number reasonable exceptions to SASL must authenticate the client.  If that
   succeeds, the server determines this recommendation, including:
    - detailing how credentials (which are mechanism-specific) are
      managed in the protocol,
    - detailing how authentication identity from
   information from this system.  If the requested identities (which are
      mechanism-specific) and authorization
   identity is empty, identities (which are
      protocol-specific) relate to each other, and
    - detailing which mechanisms are applicable to the authorization identity is derived from protocol.

5.  Mechanism Requirements

  SASL mechanism specifications MUST supply the
   authentication identity. following information:

  1) The server determines if name of the authentication
   identity is allowed to act mechanism (see Section 3.1).  This name MUST be
     registered as discussed in Section 8.1.

  2) A definition of the authorization identity.  If all
   that succeeds, the server indicates successful completion server-challenges and client-responses of the
     authentication exchange; otherwise it indicates failure.

   The system providing this external information may be, for example,
   IPSec [IPSec] or TLS [TLS]. However, exchange, as well as:

     a) An indication whether the client can make no
   assumptions as is expected to what information send data first.
        If so, when the server can use in determining client authorization.  For example, just because TLS was established,
   doesn't mean that does not send data first, the initial
        challenge MUST be specified as being an empty challenge.

     b) An indication whether the server will use is expected to provide
        additional data when indicating a successful outcome.  If so, if
        the information provided by
   TLS.

7.1.  Formal syntax

   The following syntax specification uses server sends the augmented Backus-Naur
   Form (BNF) notation as specified in [ABNF].  Non-terminals referenced
   but not defined below are additional data as defined by [UTF-8].

   The "extern-resp" rule below defines a challenge, the message sent from client
        specification MUST indicate the response to
   server.

   extern-resp       = *( UTF8-char-no-nul )

   UTF8-char-no-nul  = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4

Internet DRAFT this challenge is an
        empty response.

     SASL                  16 February 2005

   UTF8-1-no-nul     = %x01-7F

7.2.  Examples mechanisms SHOULD be designed to minimize the number of SASL EXTERNAL

   The following
     challenges and responses necessary to complete the exchange.

  3) An indication of whether the mechanism is an example capable of transferring
     authorization identity strings (see Section 3.4.1).  While some
     legacy mechanisms are incapable of transmitting an EXTERNAL authentication in the SMTP
   protocol [SMTP]. In this example, authorization
     identity (which means that for these mechanisms the client authorization
     identity is proxy authenticating,
   sending always the empty string), newly defined mechanisms
     SHOULD be capable of transferring authorization identity "fred@example.com" in the
   (optional) initial response. strings.
     The server has obtained the client's
   (authentication) mechanism SHOULD NOT be capable of transferring both no
     authorization identity from an external service, such as IPsec, string and has a security policy that permits that an empty authorization identity.

     Mechanisms which are capable of transferring an authorization
     identity string MUST be capable of transferring arbitrary non-empty
     sequences of Unicode characters, excluding those which contain the
     NUL (U+0000) character.  Mechanisms SHOULD use the UTF-8 [RFC3629]
     transformation format.  The specification MUST detail how any
     Unicode code points special to assume the mechanism which might appear in
     the authorization identity string are escaped to avoid ambiguity
     during decoding of the asserted authorization identity.

   To the protocol profile, the sequence "fred@example.com" is an opaque
   binary data. The SASL protocol profile for SMTP [SMTP-AUTH] specifies
   that server challenges and client responses are identity string.  Typically,
     mechanisms which have special characters require these special
     characters to be escaped or encoded in BASE64
   [BASE64, section 3]; the BASE64 character string (after
     encoding of "fred@example.com" is
   "ZnJlZEBleGFtcGxlLmNvbQ==".

      S: 220 smtp.example.com ESMTP server ready
      C: EHLO jgm.example.com
      S: 250-smtp.example.com
      S: 250 AUTH DIGEST-MD5 EXTERNAL
      C: AUTH EXTERNAL ZnJlZEBleGFtcGxlLmNvbQ==
      S: 235 Authentication successful. it a particular Unicode transformation format) using a
     data encoding scheme such as Base64 [RFC3548].

  4) The following example is almost identical to specification MUST detail whether or not the one above, but mechanism offers a
     security layer.  If the
   client doesn't request proxy authentication.

      S: 220 smtp.example.com ESMTP server ready
      C: EHLO jgm.example.com
      S: 250-smtp.example.com
      S: 250 AUTH DIGEST-MD5 EXTERNAL
      C: AUTH EXTERNAL
      S: 235 Authentication successful.

      The following is an example of an EXTERNAL authentication in mechanism does, the
      IMAP4 protocol [IMAP]. IMAP4 doesn't support specification MUST
     detail the initial response
      feature of SASL.  As security and other services offered in the previous example, layer as well
     as how these services are to be implemented.

  5) If the client doesn't
      request proxy authentication.

      S: * OK IMAP4rev1 Server
      C: C01 CAPABILITY
      S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=DIGEST-MD5 AUTH=EXTERNAL
      [...]
      C: A01 AUTHENTICATE EXTERNAL
      (note that there is underlying cryptographic technology used by a space following mechanism
     supports data integrity, then the "+" in mechanism specification MUST
     integrity protect the following line)
      S: +

Internet DRAFT                    SASL                  16 February 2005

      C:
      S: A01 OK Success

8.    IANA Considerations

8.1.  Guidelines for IANA

   It is requested that IANA updates transmission of an authorization identity and
     the negotiation of the security layer.

  SASL mechanisms registry SHOULD be protocol neutral.

  SASL mechanisms SHOULD reuse existing credential and identity forms,
  as
   follows:

      Change the "Intended usage" of the KERBEROS_V4 well as associated syntaxes and SKEY mechanism
      registrations semantics.

  SASL mechanisms SHOULD use UTF-8 transformation format [RFC3629] for
  encoding Unicode [Unicode] code points for transfer.

  In order to OBSOLETE.  Change the "Published specification"
      of the EXTERNAL mechanism avoid interoperability problems due to this document. Updated registration
      information is provided in Section 8.6.

8.2.  Registration procedure

   Registration of differing
  normalizations, when a SASL mechanism calls for character data is done by filling in to be
  used as input to a cryptographic and/or comparison function, the template
   in section 8.5
  specification MUST detail precisely how and sending it via electronic mail where (client or server)
  the character data is to <iana@iana.org>.
   IANA has be prepared, including all normalizations,
  for input into the right function to reject obviously bogus registrations, but will
   perform no review of claims made ensure proper operation.

  For simple user names and/or passwords in authentication credentials,
  SASLprep [RFC4013] (a profile of the registration form.  SASL StringPrep [RFC3454] preparation
  algorithm), SHOULD be specified as the preparation algorithm.

  The mechanism registrations are currently available at SHOULD NOT use the URL
   <http://www.iana.org/assignments/sasl-mechanisms>.

   There authorization identity string in
  generation of any long-term cryptographic keys or hashes as there is
  no naming convention for SASL mechanisms; any name requirement that
   conforms to the syntax of a SASL mechanism name can authorization identity string be registered.
   However an IETF Standards Track document may reserve be
  non-canonical.  Long-term, here, means a portion of term longer than the
   SASL mechanism namespace ("family duration
  of SASL mechanisms") for its own
   use, amending the registration rules for that portion of authentication exchange in which they were generated in.  That
  is, as different clients (of the
   namespace.  Each family same or different protocol) may
  provide different authorization identity strings which are
  semantically equivalent, use of authorization identity strings in
  generation of cryptographic keys and hashes will likely lead to
  interoperability and other problems.

6.  Security Considerations

  Security issues are discussed throughout this memo.

  Many existing SASL mechanisms MUST be identified by a
   prefix.

   While do not provide adequate protection
  against passive attacks, let alone active attacks, against the registration procedures
  authentication exchange.  Many existing SASL mechanisms do not require expert review,
   authors of offer
  any security layers.  It is hoped that future SASL mechanisms are encouraged to seek community review will
  provide strong protection against passive and comment whenever active attacks in the
  authentication exchange, as well as security layers with strong basis
  data security features (e.g., data integrity and data confidentiality)
  services.  It is also hoped that future mechanisms will provide more
  advance data security services like re-keying (see Section 6.1).

  Regardless, the SASL framework is feasible.  Authors may seek community
   review by posting suspectable to downgrade attacks.
  Section 6.1 offers a specification variety of their proposed mechanism as an
   Internet-Draft.  SASL mechanisms intended approaches for widespread preventing or detecting
  these attacks.  In some cases, it is appropriate to use should
   be standardized through the normal IETF process, when appropriate.

8.3.  Comments on SASL mechanism registrations

   Comments on registered data integrity
  protective services (e.g., TLS) external to SASL to protect against
  downgrade attacks in SASL.  This is especially true when the
  mechanisms should first be sent available to the
   "owner" client do not themselves offer adequate
  integrity or confidentiality protection of the mechanism authentication exchange
  and/or to protocol data.

6.1. Active Attacks

6.1.1. Man-in-the-middle Attacks

  When the SASL WG mailing list.

Internet DRAFT                    SASL                  16 February 2005

   Submitters of comments may, after client selects a reasonable attempt to contact security layer with at least integrity
  protection, this protects against an active attacker hijacking the
   owner, request IANA
  connection and modifying the authentication exchange to attach their comment negotiate a
  plain-text connection.  In this case, it is important that any
  security-sensitive protocol negotiations be performed after
  authentication is complete.  Protocols should be designed such that
  negotiations performed prior to authentication should be either
  ignored or revalidated once authentication is complete.

  Negotiation of the SASL mechanism
   registration itself.  If IANA approves mechanism, initiation of this, the comment will be
   made accessible in conjunction with the SASL mechanism registration
   itself.

8.4.  Change control

   Once a SASL mechanism registration has been published by IANA, the
   author may request a change to its definition.  The change request
   follows the same procedure as the registration request.

   The owner exchange,
  and portions of a SASL mechanism may pass responsibility for the SASL
   mechanism to another person or agency by informing IANA; this can be
   done without discussion or review.

   The IESG may reassign responsibility for authentication exchange itself are
  security-sensitive negotiations.

  When a SASL mechanism. The most
   common case server or client allows negotiation of this will be to enable changes authentication
  mechanisms and/or other security features, it is possible for an
  active attacker to be made cause a party to
   mechanisms where use the author of least secure services
  supported.  For instance, an attacker can modify the registration has died, moved out server-advertised
  mechanism list or can modify client-advertised security feature list
  within a mechanism response.  To protect against this sort of contact attack,
  implementations should not advertise mechanisms and/or features which
  cannot meet their minimum security requirements, should not enter into
  or is otherwise unable continue authentication exchanges which cannot meet their minimum
  security requirements, and should verify that completed authentication
  exchanges meets their minimum security requirements.  Note that each
  endpoint needs to make changes independently verify that its security requirements
  are important met.

  In order to detect downgrade attacks to the community.

   SASL least (or less) secure
  mechanism registrations supported, the client may not be deleted; mechanisms which are
   no longer believed appropriate for use can be declared OBSOLETE by a
   change to their "intended usage" field; such discover the SASL mechanisms will be
   clearly marked in the lists published by IANA.

   The IESG is considered to be
  server makes available both before the owner of all SASL mechanisms which
   are on authentication exchange
  and after the IETF standards track.

8.5.  Registration template

     Subject: Registration of negotiated SASL security layer (with at least integrity
  protection) has been installed through the protocol's mechanism X

     Family of SASL mechanisms: (YES or NO)

     SASL
  discovery facility.  If the client finds that the integrity protected
  list (the list obtained after the security layer was installed)
  contains a stronger mechanism name (or prefix for than those in the family):

     Security considerations:

     Published specification (optional, recommended):

     Person & email address to contact for further information:

     Intended usage:

     (One previously obtained
  list, the client should assume the previously obtained list was
  modified by an attacker.

  The client's initiation of COMMON, LIMITED USE or OBSOLETE)

Internet DRAFT the SASL                  16 February 2005

     Owner/Change controller:

     (Any other information that exchange, including the author deems interesting the
  selection of a SASL mechanism, is done in the clear and may be
     added below this line.)

8.6.  The EXTERNAL mechanism registration
  modified by an active attacker.  It is requested that the SASL Mechanism registry [IANA-SASL] entry important for the EXTERNAL mechanism be updated any new SASL
  mechanisms to reflect be designed such that this document
   now provides its technical specification.

      Subject: Updated Registration of SASL mechanism EXTERNAL

      Family of SASL mechanisms: NO an active attacker cannot obtain
  an authentication with weaker security properties by modifying the
  SASL mechanism name: EXTERNAL

      Security considerations: See RFC XXXX, section 9.

      Published specification (optional, recommended): RFC XXXX

      Person & email address to contact for further information:
        Alexey Melnikov <Alexey.Melnikov@isode.com>

      Intended usage: COMMON

      Owner/Change controller: IESG <iesg@ietf.org>

      Note: Updates existing entry for EXTERNAL

9.   Security considerations

   Security issues are discussed throughout this memo.

   When name and/or the client selects challenges and responses.

  When use of a security layer with at least integrity
   protection, is negotiated by the authentication
  protocol exchange, the receiver should handle gracefully any protected
  data buffer larger than the defined/negotiated maximal size.  In
  particular, it must not blindly allocate the amount of memory
  specified in the buffer size field, as this protects against an active attacker hijacking might cause the
   connection and modifying "out of
  memory" condition.  If the authentication exchange to negotiate receiver detects a
   plaintext large block, it SHOULD
  close the connection.

   When a

  Distributed server or client supports multiple implementations need to be careful in how they
  trust other parties.  In particular, authentication mechanisms,
   each of which has a different secrets should
  only be disclosed to other parties that are trusted to manage and use
  those secrets in manner acceptable to disclosing party.  Applications
  using SASL assume that SASL security strength, it is possible for layers providing data
  confidentiality are secure even when an active attacker to cause a party to use chooses the least secure mechanism
   supported.  To protect against this sort of attack, a client or
   server which supports mechanisms of different strengths should have a
   configurable minimum strength that it will use.  It is not sufficient
   for this minimum strength check text to only
  be on protected by the security layer.  Similarly applications assume
  that the server, since an

Internet DRAFT SASL                  16 February 2005

   active security layer is secure even if the attacker can change which mechanisms the client sees as being
   supported, causing
  manipulate the client to send authentication credentials for
   its weakest supported mechanism.

   The client's selection cipher-text output of a SASL mechanism is done in the clear and security layer.  New SASL
  mechanisms are expected to meet these assumptions.

6.1.2. Replay Attacks

  Some mechanisms may be modified subject to replay attacks unless protected by an active attacker.  It is important for any new
  external data security services (e.g., TLS).

6.1.3.  Truncation Attacks

  Most existing SASL mechanisms security layers to be designed such that an not, themselves, offer
  protection against truncation attack.   In a truncation attack, the
  active attacker cannot
   obtain an authentication with weaker security properties by modifying causes the SASL mechanism name and/or protocol session to be closed, causing a
  truncation of the challenges and responses.

   In order possibly integrity protected data stream that leads
  to detect Man-in-the-middle (MITM) attacks behavior of one or both the client MAY
   list available SASL protocol peers that inappropriately
  benefits the attacker.  Truncation attacks are fairly easy to defend
  against in connection-oriented application-level protocols.  A
  protocol can defend against these attacks simply by ensuring that each
  information exchange has a clear final result and that each protocol
  session has a graceful closure mechanism, and that these are integrity
  protected.

6.2.  Passive Attacks

  Many mechanisms both before are subject to various passive attacks, including
  simple eavesdropping of unprotected credential information in
  mechanisms, such as PLAIN, to online and after the offline dictionary attacks.

6.3.  Re-keying

  The secure or administratively permitted lifetimes of SASL mechanisms'
  security layer is negotiated.  This allows layers are finite.  Cryptographic keys weaken as they are
  used and as time passes; the client to detect
   active attacks more time and/or cipher-text that remove mechanisms from a
  cryptanalyst has after the server's list first use of
   supported mechanisms, and allows the client to ensure that a key, the easier it is
   using the best mechanism supported by both client and server.  New
   protocol profiles SHOULD require servers to make the list of SASL
   mechanisms available
  for the initial authentication available cryptanalyst to mount attacks on the
   client after key.

  Administrative limits on security layers are established.  Some older protocols
   do not require this (or don't support listing of SASL mechanisms once
   authentication is complete); for these protocols clients MUST NOT
   treat an empty list lifetime may take the form of SASL mechanisms after authentication as a MITM
   attack.

   Any protocol interactions prior to authentication are performed
  time limits expressed in
   the clear X.509 certificates, Kerberos V tickets, or in
  directories, and may be modified by an active attacker. are often desired.  In the case
   where a client selects integrity protection, it practice one likely effect of
  administrative security layers lifetime limits is important that any
   security-sensitive applications
  may find that security layers stop working in the middle of
  application protocol negotiations operation, such as, perhaps, during large data
  transfers.  As the result of this the connection will be performed after
   authentication closed (see
  Section 3.7), which will result in unpleasant user experience.

  Re-keying (key renegotiation process) is complete.  Protocols a way of addressing the
  weakening of cryptographic keys.  SASL framework does not itself
  provide for re-keying.  SASL mechanisms may.  Designers of future SASL
  mechanisms should be designed such consider providing re-keying services.

  Applications that
   negotiations performed prior wish to authentication re-key SASL security layers where the
  mechanism does not provide for re-keying should be either
   ignored reauthenticate the
  same IDs and replace the expired or revalidated once authentication soon-to-expire security layers.
  This approach requires support for reauthentication in the application
  protocols (see Section 3.8).

6.5. Other Considerations

  Unicode security considerations [UTR36] apply to authorization
  identity strings, and well as UTF-8 [RFC3629] security considerations
  where UTF-8 is complete.

   Clients used.  SASLprep [RFC4013] and StringPrep [RFC3454]
  security considerations also apply where used.

  Protocol designers and implementors should be admonished to validate TLS server IDs understand the security
  considerations of mechanisms so they may select mechanisms which are
  applicable to prevent
   MITM attacks when using SASL-over-TLS.  The same recommendation
   applies their needs.

  Multi-level negotiation of security features is prone to other downgrade
  attack.  Protocol designers should avoid offering higher level
  negotiation of security features in protocols providing (e.g., above SASL
  mechanism negotiation) and mechanism designers should avoid lower
  level negotiation of security services.

   When use features in mechanisms (e.g., below SASL
  mechanism negotiation).

7.    IANA Considerations

7.1.  SASL Mechanism Registry

  SASL mechanism registry is maintained by IANA.  The registry is
  currently available at
  <http://www.iana.org/assignments/sasl-mechanisms>.

7.1.1.  Registration Procedure

  Registration of a security layer SASL mechanism is negotiated requested by filling in the authentication
   protocol exchange,
  following template:

      Subject: Registration of SASL mechanism X

      Family of SASL mechanisms: (YES or NO)

      SASL mechanism name (or prefix for the receiver should handle gracefully any
   protected data buffer larger than family):

      Security considerations:

      Published specification (recommended):

      Person & email address to contact for further information:

      Intended usage: (One of COMMON, LIMITED USE or OBSOLETE)

      Owner/Change controller:

      Note: (Any other information that the defined/negotiated maximal
   size. In particular, author deems interesting may
      be added here .)

  and sending it must not blindly allocate via electronic mail to <iana@iana.org>.

  IANA has the amount right to reject obviously bogus registrations, but will
  perform no review of
   memory specified claims made in the buffer size field, registration form.  IANA will
  register new values on a First Come First Served basis, as this might cause defined in
  BCP 64 [RFC2434].

  There is no naming convention for SASL mechanisms; any name that
  conforms to the
   "out syntax of memory" condition. If the receiver detects a large block, it
   SHOULD close SASL mechanism name can be registered.
  However an IETF Standards Track document may reserve a portion of the connection.

   Most
  SASL mechanism namespace ("family of SASL mechanisms") for its own
  use, amending the currently available mechanisms that provide security
   layers only provide basic data security services, such as data
   integrity and data privacy services.  It is hoped registration rules for that future portion of the
  namespace.  Each family of SASL mechanisms will provide more advance data security services like re-

Internet DRAFT MUST be identified by a
  prefix.

  While the registration procedures do not require expert review,
  authors of SASL                  16 February 2005

   keying and truncation attack detection.

   Distributed server implementations need mechanisms are encouraged to seek community review and
  comment whenever that is feasible.  Authors may seek community review
  by posting a specification of their proposed mechanism as an
  Internet-Draft.  SASL mechanisms intended for widespread use should be careful in how they
   trust other parties.  In particular, authentication secrets
  standardized through the normal IETF process, when appropriate.

7.1.2.  Comments on SASL Mechanism Registrations

  Comments on registered SASL mechanisms should
   only first be disclosed to other parties that are trusted sent to manage and use
   those secrets in manner acceptable the
  "owner" of the mechanism and/or to disclosing party.  Applications
   using SASL assume that the SASL security layers providing data
   confidentiality are secure even when an attacker chooses WG mailing list.

  Submitters of comments may, after a reasonable attempt to contact the text
  owner, request IANA to
   be protected attach their comment to the SASL mechanism
  registration itself by sending mail to <iana@iana.org>.  At IANA sole
  discretion, IANA may attach the security layer. Similarly applications assume
   that comment to the registration SASL security layer is secure even if
  mechanism.

7.1.3.  Change Control

  Once a SASL mechanism registration has been published by IANA, the attacker can
   manipulate
  author may request a change to its definition.  The change request
  follows the ciphertext output same procedure as the registration request.

  The owner of a SASL mechanism may pass responsibility for the security layer. New SASL
   mechanisms MUST meet these assumptions.

   "stringprep" and Unicode security considerations apply to
   authentication identities, authorization identities and passwords.

   The EXTERNAL
  mechanism provides no security protection; it is
   vulnerable to spoofing another person or agency by either client informing IANA; this can be
  done without discussion or server, active attack, and
   eavesdropping.  It should only review.

  The IESG may reassign responsibility for a SASL mechanism.  The most
  common case of this will be used when external security to enable changes to be made to mechanisms are present and have sufficient strength.

9.1.  Re-keying

   The secure or administratively permitted lifetimes
  where the author of SASL
   mechanisms' security layers are finite.  Cryptographic keys weaken as
   they are used and as time passes; the more time and/or ciphertext
   that a cryptanalyst registration has after died, moved out of contact or
  is otherwise unable to make changes that are important to the first
  community.

  SASL mechanism registrations may not be deleted; mechanisms which are
  no longer believed appropriate for use of the can be declared OBSOLETE by a key,
  change to their "intended usage" field; such SASL mechanisms will be
  clearly marked in the easier
   it lists published by IANA.

  The IESG is for the cryptanalyst considered to mount attacks on the key.

   Administrative limits on security layers lifetime may take be the form owner of time limits expressed in x.509 certificates, Kerberos V tickets,
   or in directories, and all SASL mechanisms which
  are often desired.  In practice one likely
   effect of administrative security layers lifetime limits on the IETF standards track.

7.2.  Registration Changes

  It is requested that
   applications may find that security layers stop working in IANA updates the middle
   of application protocol operation, such as, perhaps, during large
   data transfers.  As SASL mechanisms registry as
  follows:

  1) Change the result "Intended usage" of this the connection will be closed
   (see section 3.3), which will result in unpleasant user experience.

   Re-keying (key renegotiation process) is a way KERBEROS_V4 and SKEY mechanism
  registrations to OBSOLETE.

  2) Change the "Published specification" of addressing the
   weakening EXTERNAL mechanism to
  this document as indicated below:

      Subject: Updated Registration of cryptographic keys. SASL framework does not itself
   provide for re-keying. SASL mechanisms may. Designers mechanism EXTERNAL
      Family of future SASL
   mechanisms should consider providing re-keying services.

   Applications that wish to re-key mechanisms: NO
      SASL security layers where the mechanism does not provide name: EXTERNAL
      Security considerations: See RFC XXXX, section 9.
      Published specification (optional, recommended): RFC XXXX
      Person & email address to contact for re-keying should reauthenticate further information:
          Alexey Melnikov <Alexey.Melnikov@isode.com>
      Intended usage: COMMON
      Owner/Change controller: IESG <iesg@ietf.org>
      Note: Updates existing entry for EXTERNAL

8.    References

  [[Note to the
   same IDs and RFC Editor: please replace the expired or soon-to-expire security layers.

Internet DRAFT                    SASL                  16 February 2005

   This approach requires support for reauthentication citation tags used in
  referencing Internet-Drafts with tags of the
   application protocols.  See section 6.3.

10.    References

10.1. form RFCnnnn where
  possible.]]

8.1.  Normative References

   [ABNF] Crocker, D. (Ed.), Overell, P., "Augmented BNF

  [RFC2119]     Bradner, S., "Key words for Syntax
   Specifications: ABNF", use in RFCs to Indicate
                Requirement Levels", BCP 14 (also RFC 2234, November 1997

   [ASCII] American National Standards Institute, "Code Extension
   Techniques for Use with the 7-bit Coded Character Set of American
   National Standard Code (ASCII) for Information Interchange", FIPS PUB
   35, 1974

   [CHARSET-POLICY] Alvestrand, H., "IETF Policy on Character Sets 2119), March 1997.

  [RFC2434]     Narten, T. and
   Languages", RFC 2277, H. Alvestrand, "Guidelines for Writing an
                IANA Considerations Section in RFCs", BCP 18, January 1998

   [GSSAPI] 26 (also RFC
                2434), October 1998.

                [RFC2743]     Linn, J., "Generic Security Service
                Application Program Interface, Version 2, Update 1", RFC
                2743, January 2000

   [KEYWORDS] Bradner, S., "Key words 2000.

  [RFC3454]     Hoffman, P. and M. Blanchet, "Preparation of
                Internationalized Strings ('stringprep')", RFC 3454,
                December 2002.

  [RFC3629]     Yergeau, F., "UTF-8, a transformation format of ISO
                10646", RFC 3629 (also STD 63), November 2003.

  [RFC4013]     Zeilenga, K., "SASLprep: Stringprep Profile for use in RFCs to Indicate
   Requirement Levels", User
                Names and Passwords", RFC 2119, BCP 19, March 1997 4013, February 2005.

  [ABNF]        Crocker, D. and P. Overell, "Augmented BNF for Syntax
                Specifications: ABNF", draft-crocker-abnf-rfc2234bis, a
                work in progress.

  [ASCII]       Coded Character Set--7-bit American Standard Code for
                Information Interchange, ANSI X3.4-1986.

  [Unicode]     The Unicode Consortium, "The Unicode Standard, Version
                3.2.0" is defined by "The Unicode Standard, Version 3.0"
                (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
                as amended by the "Unicode Standard Annex #27: Unicode
                3.1" (http://www.unicode.org/reports/tr27/) and by the
                "Unicode Standard Annex #28: Unicode 3.2"
                (http://www.unicode.org/reports/tr28/).

   [Stringprep] Hoffman, P., Blanchet, M., "Preparation of
   Internationalized Strings ("stringprep")", RFC 3454, December 2002.

   [SASLprep] Zeilenga, K., "SASLprep: Stringprep profile for user names
   and passwords", Work in progress, draft-ietf-sasl-saslprep-XX.txt.

   [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646",
   RFC 3629, STD 63, November 2003.

10.2.  Informative References

   [SASL-GSSAPI] Melnikov, A., "SASL GSSAPI mechanisms", work in
   progress, draft-ietf-sasl-gssapi-XX.txt, November 2003

   [SASL-DIGEST] Leach, P., Newman, C., Melnikov, A., "Using Digest

Internet DRAFT                    SASL                  16 February 2005

   Authentication as a SASL Mechanism", work in progress, draft-ietf-
   sasl-rfc2831bis-XX.txt, replaces RFC 2831

   [SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC
   2444, October 1998.

   [SASL-SECURID] Nystrom, M., "The SecurID(r) SASL Mechanism", RFC
   2808, April 2000.

   [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, April
   2001.

   [SMTP-AUTH] Myers, J., "SMTP Service Extension for Authentication",
   RFC 2554, March 1999.

   Being revised by Siemborski, R., "SMTP Service Extension for
   Authentication", work in progress, draft-siemborski-rfc2554bis-
   XX.txt.

   [XMPP] Saint-Andre, P., "Extensible Messaging

  [CharModel]   Whistler, K. and Presence Protocol
   (XMPP): Core", work in progress, draft-ietf-xmpp-core-XX.txt.

   [BASE64] Josefsson, S., "The Base16, Base32, M. Davis, "Unicode Technical Report
                #17, Character Encoding Model", UTR17,
                <http://www.unicode.org/unicode/reports/tr17/>, August
                2000.

  [Glossary]    The Unicode Consortium, "Unicode Glossary",
                <http://www.unicode.org/glossary/>.

8.2.  Informative References

  [RFC2244]     Newman, C. and Base64 Data
   Encodings", RFC 3548, July 2003.

   [RFC-INSTRUCTIONS] Postel, J., Reynolds, J., "Instructions to RFC
   Authors", J. Myers, "ACAP -- Application
                Configuration Access Protocol", RFC 2223, October 2244, November 1997.

   [IANA-SASL]  IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL)
   MECHANISMS", http://www.iana.org/assignments/sasl-mechanisms.

   [TLS]
  [RFC2246]     Dierks, T. and and, C. Allen, "The TLS Protocol Version
                1.0", RFC 2246, January 1999.

   [IPSec]

  [RFC3548]     Josefsson, S., "The Base16, Base32, and Base64 Data
                Encodings", RFC 3548, July 2003.

  [RFC2401]     Kent, S., and R.  Atkinson, "Security Architecture for
                the Internet Protocol", RFC 2401, November 1998.

   [Sec-Glossary] Shirey, R., "Internet Security Glossary", RFC 2828,
   May 2000.

11.   Editor's

  [SASL-GSSAPI] Melnikov, A. (Editor), "SASL GSSAPI mechanisms",
                draft-ietf-sasl-gssapi-XX.txt, a work in progress.

                [UTR36]       Davis, M., "(Draft) Unicode Technical
                Report #36, Character Encoding Model", UTR17,
                <http://www.unicode.org/unicode/reports/tr36/>, February
                2005.

9.   Editors' Address

  Alexey Melnikov
  Isode Limited
  5 Castle Business Village
  36 Station Road
  Hampton, Middlesex,

Internet DRAFT                    SASL                  16 February 2005
  TW12 2BX, United Kingdom

  Email: Alexey.Melnikov@isode.com
  URI:   http://www.melnikov.ca/

12.

  Kurt D. Zeilenga
  OpenLDAP Foundation

  Email: Kurt@OpenLDAP.org

10.   Acknowledgments

  This document is a revision of RFC 2222 written by John G. Myers.  He
   also

  This revision is a product of the IETF Simple Authentication and
  Security Layer (SASL) Working Group.

  The following individuals contributed significantly to this revision.

   Contributions of many members of the SASL mailing list are gratefully
   acknowledged, in particular that of Kurt Zeilenga, Peter Saint-Andre,
   Rob Siemborski, Magnus Nystrom, Jeffrey Hutzelman, revision:
  Abhijit Menon-Sen, Hallvard B Furuseth, Tony Hansen, Simon Josefsson, Abhijit Menon-Sen, RL 'Bob'
   Morgan, Sam Hartman, Nicolas Williams, Tim Alsop and Jeffrey Hutzelman, John Myers,
  Luke Howard.

Appendix A. Relation of SASL to transport security

   Questions have been raised about the relationship between SASL and
   various services (such as IPsec and TLS) which provide a secured
   connection.

   Two of the key features of SASL are:

      The separation of the authorization identity from the identity in
      the client's credentials.  This permits agents such as proxy
      servers to authenticate using their own credentials, yet request
      the access privileges of the identity for which they are proxying.

      Upon successful completion of an authentication exchange, the
      server knows the authorization identity the client wishes to use.
      This allows servers to move to a "user is authenticated" state in
      the protocol.

   These features are extremely important to some application protocols,
   yet Transport Security services do not always provide them.  To
   define SASL mechanisms based on these services would be a very messy
   task, as the framing of these services would be redundant with the
   framing of SASL Howard, Magnus Nystrom, Nicolas Williams, Peter Saint-Andre, RL
  'Bob' Morgan, Rob Siemborski, Sam Hartman, Simon Josefsson, Tim Alsop,
  and some method of providing these important Tony Hansen.

Appendix A.  The SASL
   features would have to be devised.

   Sometimes it EXTERNAL Mechanism

  This appendix is desired normative.

  The EXTERNAL mechanism allows a client to enable within an existing connection request the server use of a security service which does not fit the SASL model.  (TLS is
   an example of such a service.)  This can be done
  credentials established by adding a command,
   for example "STARTTLS", means external to the protocol.  Such a command is outside
   the scope of SASL, and should be different from the command which
   starts a SASL authentication protocol exchange.

Internet DRAFT                    SASL                  16 February 2005

   In certain situations, it is reasonable mechanism to use SASL underneath one of
   these Transport
  authenticate the client.  The external means may be, for instance, IP
  Security [RFC2401] or TLS [RFC2246] services.  The transport service would
   secure the connection, either service would authenticate  In absence of some
  apriori agreement between the client, client and SASL would negotiate the authorization identity.  The SASL
   negotiation would be server, the client cannot
  make any assumption as to what moves external means the protocol from "unauthenticated" server has used to "authenticated" state.  The "EXTERNAL" SASL mechanism is
   explicitly intended
  obtain the client's credentials, nor make an assumption as to handle the case where form
  of credentials.  For example, the transport service
   secures client cannot assume the connection and authenticates server will
  use the client and SASL
   negotiates credentials the authorization identity.

Appendix B. Changes since RFC 2222 client has established via TLS.

A.1.  EXTERNAL Technical Specification

  The GSSAPI name of this mechanism was removed.  It is now specified in a separate
   document [SASL-GSSAPI]. "EXTERNAL".

  The "KERBEROS_V4" mechanism defined in RFC 2222 is obsolete and has
   been removed. does not provide a security layer.

  The "SKEY" mechanism described in RFC 2222 is obsolete and has been
   removed.  It has been replaced by capable of transferring an authorization identity
  string.  If empty, the client is requesting to act as the OTP mechanism [SASL-OTP].

   The introduction identity the
  server has been substantially reorganized and clarified.

   Clarified associated with the definition and semantics of client's credentials.  If non-empty,
  the authorization identity.

   Prohibited client is requesting to act as the NUL character in authorization identities.

   Added a section on character string issues. identity represented by the
  string.

  The word "must" client is expected to send data first in the first paragraph of authentication
  exchange.  Where the "Protocol profile
   requirements" section was changed to "MUST".

   Specified that protocol profiles SHOULD client does not provide a way for clients an initial response data
  in its request to
   discover available SASL mechanisms.

   Made the requirement that protocol profiles specify initiate the semantics of authentication exchange, the authorization identity optional server is
  to respond to the protocol profile.
   Clarified that such a specification is a refinement of request with an empty initial challenge and then the definition
   in
  client is to provide its initial response.

  The client sends the base SASL spec.

   Added a requirement discouraging protocol profiles from breaking initial response containing the
   separation between protocol and mechanism.

   Mentioned that standards track documents may carve out their own
   portions UTF-8 [RFC3629]
  encoding of the SASL mechanism namespace and may amend registration
   rules for the portion. However registration of individual SASL
   mechanisms is still required.

Internet DRAFT                    SASL                  16 February 2005

   Clarified that requested authorization identity should be encoded in UTF-8.

   Specified that string.  This
  response is non-empty when the authorization client is requesting to act as identity in
  represented by the EXTERNAL mechanism (non-empty) string.  This response is encoded in UTF-8.

   Added a statement that a protocol profile SHOULD allow challenge data empty when
  the client is requesting to be sent act as the identity the server associated
  with its authentication credentials.

  The syntax of the initial response is specified as a success indication.

   Added a security consideration for value of the
  <extern-initial-resp> production detailed below using the EXTERNAL mechanism.

   Clarified sections concerning success with additional data.

   Cleaned up IANA considerations/registrations Augmented
  Backus-Naur Form (ABNF) [RFC2234] notation.

      external-initial-resp = authz-id-string
      authz-id-string           = *( UTF8-char-no-nul )
      UTF8-char-no-nul      = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4
      UTF8-1-no-nul         = %x01-7F

  where the <UTF8-2>, <UTF8-3>, and assembled them <UTF8-4> productions are as defined
  in
   one place.

   Updated references and split them into Informative [RFC3629].

  There are no additional challenges and Normative.

   Added text responses.

  Hence, the server is to return the Security considerations section regarding handling outcome of extremely large SASL blocks.

   Added text about SASLprep for the authentication identities and
   passwords.  Described where SASLprep preparation should take place.

   Added paragraph about verifying authorization identities.

   Added a protocol profile requirement to specify interaction between
   SASL and TLS security layers.

   Added a protocol profile requirement to specify
  exchange.

  The exchange fails if it supports
   reauthentication.

   Removed
  - the text that seemed to suggest that SASL security layer must client has not be used when TLS is available.

   Created two subsections in 3.2 to talk separately about proxy established its credentials via external means,
  - the client's credentials are inadequate,
  - The client provided an empty authorization identity string and format of the authorization identities.

   Made requirement
    server unwilling or unable to verify that associate an authorization identity is correct
   by performing SASLprep.

   Clarified that each SASL mechanism must decide where SASLprep is
   taking place.

   Added 4 new examples for initial response and additional data
    with
   success.

   Added text on checking the list of available SASL mechanisms after
   negotiating clients credentials,
  - The client provided a security layer.

Internet DRAFT                    SASL                  16 February 2005

   Added definition non-empty authorization identity string which
    is invalid per the syntax requirements of "integrity protection" and "confidentiality
   protection".

   Added warning about negotiating no layer once the applicable application
    protocol specification,
  - The client provided a security layer non-empty authorization identity string
    representing an identity which the client is
   negotiated.

   Added new section with guidelines not allowed to act as,
    or
  - the server is unwilling or unable to provide service to the client
    for any other reason.

    Otherwise the exchange is successful.  When indicating a successful
    outcome, additional data is not provided.

A.2.  SASL mechanism designer.

   Added a requirement EXTERNAL Examples

    This section provides examples of EXTERNAL authentication exchanges.
    The examples are intended to specify how help the readers under the above text.
    The examples are not definitive.  The Application Configuration
    Access Protocol (ACAP) [RFC2244] is used in the examples.

    The first example shows use of EXTERNAL with an empty initial challenge is
   encoded if authorization
    identity.  In this example, the initial response is supported by a protocol.

   Clarified that empty "additional data with success" is not allowed.

   Replaced "buffers of cipher-text" with "buffers sent the
    client's request to initiate authentication exchange.

      S: * ACAP (SASL "DIGEST-MD5")
      C: a001 STARTTLS
      S: a001 OK "Begin TLS negotiation now"
      <TLS negotiation, further commands are under TLS layer>
      S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
      C: a002 AUTHENTICATE "EXTERNAL"
      S: + ""
      C: + ""
      S: a002 OK "Authenticated"

  In second example shows use of protected data"
   for clarity.

   Clarified that SASL EXTERNAL can be used even with SASL profiles that
   don't support an authorization identity
  of "fred@example.com".  In this example, the initial client response.

   Changed "authentication protocol exchange" to "authentication
   exchange" everywhere.

   Added some text about re-keying and other services that can be
   provided by a security layer.

Appendix C. Full Copyright Statement and Intellectual Property Statement

Full Copyright Statement

   Copyright (C) The Internet Society (2004).  This document response is subject
   to sent
  with the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, clients request to initiate the authors retain all their rights. authentication exchange.
  This document and translations of saves a round-trip.

      S: * ACAP (SASL "DIGEST-MD5")
      C: a001 STARTTLS
      S: a001 OK "Begin TLS negotiation now"
      <TLS negotiation, further commands are under TLS layer>
      S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
      C: a002 AUTHENTICATE "EXTERNAL" {16+}
      C: fred@example.com
      S: a002 NO "Cannot assume requested authorization identity"

A.3.  Security Considerations

  The EXTERNAL mechanism provides no security protection; it may be copied and furnished is
  vulnerable to
   others, and derivative works that comment on or otherwise explain it spoofing by either client or assist in its implementation may be prepared, copied, published server, active attack, and distributed,
  eavesdropping.  It should only be used when adequate security services
  have been established.

Appendix B.  Changes since RFC 2222

  This appendix is non-normative.

  The material in whole or RFC 2222 was significantly rewritten in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, production
  of this
   document itself may not be modified in any way, such as document.

  RFC 2222, by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for not stating the purpose authorization identity string was a
  string of
   developing Internet standards in which case Unicode characters, let alone character data, implied the procedures for
   copyrights
  authorization identity string was a string of octets.

  - The authorization identity string is now defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

Internet DRAFT                    SASL                  16 February 2005 a string of
    Unicode characters.  The limited permissions granted above NUL (U+0000) is prohibited.  While protocol
    specifications are perpetual and will not be
   revoked by responsible for defining the Internet Society or its successors or assigns.

   This document and authorization
    identity form, as well as the information contained herein are provided on an
   "AS IS" basis Unicode string syntax and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding related
    semantics, mechanism specifications are responsible for defining how
    the RFC Editor function Unicode string is currently provided by carried in the
   Internet Society. authentication exchange.

  The following technical change was made to the EXTERNAL mechanism:

  - The authorization identity string is to be UTF-8 encoded.

  It is noted that protocol and mechanism specification requirements
  have been significant tightened.  Existing protocol and mechanism
  specifications will need to be updated to meet these requirements.

Intellectual Property Rights
  The IETF takes no position regarding the validity or scope of any
  Intellectual Property Rights or other rights that might be claimed to
  pertain to the implementation or use of the technology described in
  this document or the extent to which any license under such rights
  might or might not be available; nor does it represent that it has
  made any independent effort to identify any such rights.  Information
  on the procedures with respect to rights in RFC documents can be found
  in BCP 78 and BCP 79.

  Copies of IPR disclosures made to the IETF Secretariat and any
  assurances of licenses to be made available, or the result of an
  attempt made to obtain a general license or permission for the use of
  such proprietary rights by implementers or users of this specification
  can be obtained from the IETF on-line IPR repository at
  http://www.ietf.org/ipr.

  The IETF invites any interested party to bring to its attention any
  copyrights, patents or patent applications, or other proprietary
  rights that may cover technology that may be required to implement
  this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.
  ietf-ipr@ietf.org.

Full Copyright

  Copyright (C) The Internet DRAFT                    SASL                  16 February 2005

   Status of this Memo .......................................... i
   Abstract ..................................................... 2
   1.  Conventions used in this Society (2005).  This document ........................ 2
   2.    Introduction ........................................... 2
   2.1.  Relationship is subject
  to other documents ........................ 4
   3.    Authentication mechanisms .............................. 5
   3.1.  Authentication Exchange ................................ 5
   3.2.  Identity Concepts ...................................... 6
   3.2.1.  Authorization identities the rights, licenses and proxy authentication .... 7
   3.2.2.  Authorization Identity Format ........................ 7
   3.3.  Security layers ........................................ 8
   4.    Protocol profile requirements .......................... 9
   5.    Mechanism profile guidelines .......................... 10
   6.    Specific issues ....................................... 12
   6.1.  Client sends data first ............................... 12
   6.1.1.  Client sends data first examples .................... 12
   6.2.  Server returns success with additional data ........... 13
   6.2.1.  Server returns success with additional data examples. 14
   6.3.  Multiple authentications .............................. 15
   7.    The EXTERNAL mechanism ................................ 16
   7.1.  Formal syntax ......................................... 16
   7.2.  Examples of SASL EXTERNAL ............................. 17
   8.    IANA Considerations ................................... 18
   8.1.  Guidelines for IANA ................................... 18
   8.2.  Registration procedure ................................ 18
   8.3.  Comments restrictions contained in BCP 78, and
  except as set forth therein, the authors retain all their rights.

  This document and the information contained herein are provided on SASL mechanism registrations .............. 18
   8.4.  Change control ........................................ 19
   8.5.  Registration template ................................. 19
   8.6.  The EXTERNAL mechanism registration ................... 20
   9.   Security considerations ................................ 20
   9.1.  Re-keying ............................................. 22
   10.    References ........................................... 23
   10.1.  Normative References ................................. 23
   10.2.  Informative References ............................... 23
   11.   Editor's Address ...................................... 24
   12.   Acknowledgments ....................................... 25
   Appendix A. Relation of SASL to transport security .......... 25
   Appendix B. Changes since RFC 2222 .......................... 26
   Appendix C. Full Copyright Statement an
  "AS IS" basis and Intellectual
               Property Statement .............................. 28
   Full Copyright Statement .................................... 28
   Intellectual Property ....................................... 29 THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
  OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
  ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
  INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
  INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
  WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.