draft-ietf-sasl-rfc2222bis-12.txt   draft-ietf-sasl-rfc2222bis-13.txt 
INTERNET-DRAFT A. Melnikov, Ed. INTERNET-DRAFT A. Melnikov, Ed.
Intended Category: Standards Track ISODE Limited Intended Category: Standards Track ISODE Limited
Expires in six months K. Zeilenga, Ed. Expires in six months K. Zeilenga, Ed.
Obsoletes: RFC 2222 OpenLDAP Project Obsoletes: RFC 2222 OpenLDAP Project
28 October 2005 10 November 2005
Simple Authentication and Security Layer (SASL) Simple Authentication and Security Layer (SASL)
<draft-ietf-sasl-rfc2222bis-12.txt> <draft-ietf-sasl-rfc2222bis-13.txt>
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware have applicable patent or other IPR claims of which he or she is aware have
been or will be disclosed, and any of which he or she becomes aware been or will be disclosed, and any of which he or she becomes aware
will be disclosed, in accordance with Section 6 of BCP 79. will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other Force (IETF), its areas, and its working groups. Note that other
skipping to change at page 6, line 31 skipping to change at page 6, line 31
in some context outside of the SASL exchange may be dictated by other in some context outside of the SASL exchange may be dictated by other
specifications. For instance, an identity assumption authorization specifications. For instance, an identity assumption authorization
(proxy authorization) policy specification may dictate how (proxy authorization) policy specification may dictate how
authentication and authorization identities are represented in policy authentication and authorization identities are represented in policy
statements. statements.
3. The Authentication Exchange 3. The Authentication Exchange
Each authentication exchange consists of a message from the client to Each authentication exchange consists of a message from the client to
the server requesting authentication via a particular mechanism, the server requesting authentication via a particular mechanism,
followed by one or more pairs of challenges from servers and responses followed by one or more pairs of challenges from the server and
from clients, followed by a message from the server indicating the responses from the client, followed by a message from the server
outcome of the authentication exchange. (Note: exchanges may also be indicating the outcome of the authentication exchange. (Note:
aborted as discussed in Section 3.5.) exchanges may also be aborted as discussed in Section 3.5.)
The following illustration provides a high-level overview of an The following illustration provides a high-level overview of an
authentication exchange. authentication exchange.
C: Request authentication exchange C: Request authentication exchange
S: Initial challenge S: Initial challenge
C: Initial response C: Initial response
<additional challenge/response messages> <additional challenge/response messages>
S: Outcome of authentication exchange S: Outcome of authentication exchange
If the outcome is successful and a security layer was negotiated, this If the outcome is successful and a security layer was negotiated, this
layer is then installed (see Section 3.7). This applies as well to layer is then installed (see Section 3.7). This also applies to the
the following illustrations. following illustrations.
Some mechanisms specify that the first data sent in the authentication Some mechanisms specify that the first data sent in the authentication
exchange is from the client to the server. Protocols may provide an exchange is from the client to the server. Protocols may provide an
optional initial response field in the request message to carry this optional initial response field in the request message to carry this
data. Where the mechanism specifies the first data sent in the data. Where the mechanism specifies the first data sent in the
exchange is from the client to the server, the protocol provides an exchange is from the client to the server, the protocol provides an
optional initial response field, and the client uses this field, the optional initial response field, and the client uses this field, the
exchange is shortened by one round-trip: exchange is shortened by one round-trip:
C: Request authentication exchange + Initial response C: Request authentication exchange + Initial response
skipping to change at page 8, line 36 skipping to change at page 8, line 36
<additional challenge/response messages> <additional challenge/response messages>
S: Additional data challenge S: Additional data challenge
C: Empty Response C: Empty Response
S: Outcome of authentication exchange S: Outcome of authentication exchange
3.1. Mechanism Naming 3.1. Mechanism Naming
SASL mechanisms are named by character strings, from 1 to 20 SASL mechanisms are named by character strings, from 1 to 20
characters in length, consisting of ASCII [ASCII] uppercase letters, characters in length, consisting of ASCII [ASCII] uppercase letters,
digits, hyphens, and/or underscores. In the following Augmented digits, hyphens, and/or underscores. In the following Augmented
Backus-Naur Form (ABNF) [ABNF] grammar, the <sasl-mech> production Backus-Naur Form (ABNF) [RFC4234] grammar, the <sasl-mech> production
defines the syntax of a SASL mechanism name. defines the syntax of a SASL mechanism name.
sasl-mech = 1*20mech-char sasl-mech = 1*20mech-char
mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
; mech-char is restricted to A-Z (uppercase only), 0-9, -, and _ ; mech-char is restricted to A-Z (uppercase only), 0-9, -, and _
; from ASCII character set. ; from ASCII character set.
UPPER-ALPHA = %x41-5A ; A-Z (uppercase only) UPPER-ALPHA = %x41-5A ; A-Z (uppercase only)
DIGIT = %x30-39 ; 0-9 DIGIT = %x30-39 ; 0-9
HYPHEN = %x2D ; hyphen (-) HYPHEN = %x2D ; hyphen (-)
skipping to change at page 9, line 18 skipping to change at page 9, line 18
Commonly, a protocol will specify that the server advertises supported Commonly, a protocol will specify that the server advertises supported
and available mechanisms to the client via some facility provided by and available mechanisms to the client via some facility provided by
the protocol and the client will then select the "best" mechanism from the protocol and the client will then select the "best" mechanism from
this list which its supports and finds suitable. this list which its supports and finds suitable.
It is noted that the mechanism negotiation is not protected by the It is noted that the mechanism negotiation is not protected by the
subsequent authentication exchange and hence is subject to downgrade subsequent authentication exchange and hence is subject to downgrade
attacks if not protected by other means. attacks if not protected by other means.
To detect downgrade attacks, a protocol may allow the client to To detect downgrade attacks, a protocol can allow the client to
discover available mechanism subsequent to the authentication exchange discover available mechanisms subsequent to the authentication
and installation of data security layers with at least integrity exchange and installation of data security layers with at least data
protection. This allows the client to detect changes to the list of integrity protection. This allows the client to detect changes to the
mechanisms supported by the server. list of mechanisms supported by the server.
3.3. Request Authentication Exchange 3.3. Request Authentication Exchange
The authentication exchange is initiated by the client by requesting The authentication exchange is initiated by the client by requesting
authentication via a mechanism it specifies. The client sends a authentication via a mechanism it specifies. The client sends a
message that contains the name of the mechanism to the server. The message that contains the name of the mechanism to the server. The
particulars of the message are protocol specific. particulars of the message are protocol specific.
It is noted that the name of the mechanism is not protected by the It is noted that the name of the mechanism is not protected by the
mechanism, and hence subject to alteration by an attacker if not mechanism, and hence subject to alteration by an attacker if not
skipping to change at page 11, line 19 skipping to change at page 11, line 19
At the conclusion of the authentication exchange, the server sends a At the conclusion of the authentication exchange, the server sends a
message, the particulars of which are protocol specific, to the client message, the particulars of which are protocol specific, to the client
indicating the outcome of the exchange. indicating the outcome of the exchange.
The outcome is not successful if The outcome is not successful if
- the authentication exchange failed for any reason, - the authentication exchange failed for any reason,
- the clients credentials could not be verified, - the clients credentials could not be verified,
- the server cannot associate an identity with the client's - the server cannot associate an identity with the client's
credentials, credentials,
- the client-provided authorization identity string is malformed, - the client-provided authorization identity string is malformed,
- the identity associated with the client's credentials are not - the identity associated with the client's credentials is not
authorized to act as the requested authorization identity, authorized to act as the requested authorization identity,
- the negotiated security layer (or lack thereof) is not suitable, - the negotiated security layer (or lack thereof) is not suitable,
or or
- the server is not willing to provide service to the client for any - the server is not willing to provide service to the client for any
reason. reason.
The protocol may include an optional additional data field in this The protocol may include an optional additional data field in this
outcome message. This field can only include additional data when the outcome message. This field can only include additional data when the
outcome is successful. outcome is successful.
If the outcome is successful and a security layer was negotiated, this If the outcome is successful and a security layer was negotiated, this
layer is then installed. If the outcome is unsuccessful, or a layer is then installed. If the outcome is unsuccessful, or a
security layer was not negotiated, any existing security is left in security layer was not negotiated, any existing security is left in
place. place.
The outcome message provided by the server can provide a way for the
client to distinguish between errors which are best dealt with by re-
prompting the user for her credentials, errors which are best dealt
with by telling the user to try again later, and errors where the user
must contact a system administrator for resolution (see The SYS and
AUTH POP Response Codes [RFC3206] specification for an example). This
distinction is particularly useful during scheduled server maintenance
periods as it reduces support costs. It is also important that the
server can be configured such that the outcome message will not
distinguish between a valid user with invalid credentials and an
invalid user.
3.7. Security Layers 3.7. Security Layers
SASL mechanisms may offer a wide range of services in security layers. SASL mechanisms may offer a wide range of services in security layers.
Typical services include data integrity and data confidentiality. Typical services include data integrity and data confidentiality.
SASL mechanisms which do not provide a security layer are treated as SASL mechanisms which do not provide a security layer are treated as
negotiating no security layer. negotiating no security layer.
If use of a security layer is negotiated in the authentication If use of a security layer is negotiated in the authentication
protocol exchange, the layer is installed by the server after protocol exchange, the layer is installed by the server after
indicating the outcome of the authentication exchange and installed by indicating the outcome of the authentication exchange and installed by
the client upon receipt the outcome indication. In both cases, the the client upon receipt the outcome indication. In both cases, the
layer is installed before transfer of further protocol data. The layer is installed before transfer of further protocol data. The
precise position that the layer takes effect in the protocol data precise position that the layer takes effect in the protocol data
skipping to change at page 12, line 25 skipping to change at page 12, line 37
connection SHOULD be closed gracefully. connection SHOULD be closed gracefully.
Each buffer of protected data is transferred over the underlying Each buffer of protected data is transferred over the underlying
transport connection as a sequence of octets prepended with a four transport connection as a sequence of octets prepended with a four
octet field in network byte order that represents the length of the octet field in network byte order that represents the length of the
buffer. The length of the protected data buffer MUST be no larger buffer. The length of the protected data buffer MUST be no larger
than the maximum size the other side expects. Upon the receipt of a than the maximum size the other side expects. Upon the receipt of a
length field whose value is greater than maximum size, the receiver length field whose value is greater than maximum size, the receiver
SHOULD close the connection, as this might be a sign of an attack. SHOULD close the connection, as this might be a sign of an attack.
The maximum size for each side expects is fixed by the mechanism, The maximum size each side expects is fixed by the mechanism, either
either through negotiation or by its specification. through negotiation or by its specification.
3.8. Multiple Authentications 3.8. Multiple Authentications
Unless explicitly permitted in the protocol (as stated in the Unless explicitly permitted in the protocol (as stated in the
protocol's technical specification), only one successful SASL protocol's technical specification), only one successful SASL
authentication exchange may occur in a protocol session. In this authentication exchange may occur in a protocol session. In this
case, once an authentication exchange has successfully completed, case, once an authentication exchange has successfully completed,
further attempts to initiate an authentication exchange fail. further attempts to initiate an authentication exchange fail.
Where multiple successful SASL authentication exchanges are permitted Where multiple successful SASL authentication exchanges are permitted
skipping to change at page 14, line 21 skipping to change at page 14, line 33
messages with an empty additional data are distinguished from messages with an empty additional data are distinguished from
messages with no additional data. This field MUST be capable of messages with no additional data. This field MUST be capable of
carrying arbitrary sequences of octets (including zero length carrying arbitrary sequences of octets (including zero length
sequences and sequences containing zero-valued octets). sequences and sequences containing zero-valued octets).
4) Prescribe the syntax and semantics of non-empty authorization 4) Prescribe the syntax and semantics of non-empty authorization
identity strings (see Section 3.4.1). identity strings (see Section 3.4.1).
In order to avoid interoperability problems due to differing In order to avoid interoperability problems due to differing
normalizations, the protocol specification MUST detail precisely normalizations, the protocol specification MUST detail precisely
the how and where (client or server) non-\mpty authorization the how and where (client or server) non-empty authorization
identity strings are prepared, including all normalizations, for identity strings are prepared, including all normalizations, for
comparison and other applicable functions to ensure proper comparison and other applicable functions to ensure proper
function. function.
Specifications are encouraged to prescribe use of existing Specifications are encouraged to prescribe use of existing
authorization identity forms as well as existing string authorization identity forms as well as existing string
representations, such as simple user names [RFC4013]. representations, such as simple user names [RFC4013].
Where the specification does not precisely prescribe how identities Where the specification does not precisely prescribe how identities
in SASL relate to identities used elsewhere in the protocol, for in SASL relate to identities used elsewhere in the protocol, for
skipping to change at page 15, line 5 skipping to change at page 15, line 19
client to abort an on-going authentication exchange by initiating a client to abort an on-going authentication exchange by initiating a
new authentication exchange. Protocols which do not support new authentication exchange. Protocols which do not support
multiple authentications may require the client to close the multiple authentications may require the client to close the
connection and start over to abort an on-going authentication connection and start over to abort an on-going authentication
exchange. exchange.
Protocols typically allow the server to abort on-going Protocols typically allow the server to abort on-going
authentication exchanges by returning a non-successful outcome authentication exchanges by returning a non-successful outcome
message. message.
6) Identify precisely where newly negotiated security layers starts to 6) Identify precisely where newly negotiated security layers start to
take effect, in both directions (see Section 3.7). take effect, in both directions (see Section 3.7).
Typically, specifications require security layer to start taking Typically, specifications require security layer to start taking
effect, in data being sent by the server, on the first octet effect, in data being sent by the server, on the first octet
following the outcome message and, in data being sent by the following the outcome message and, in data being sent by the
client, on the first octet sent after receipt of the outcome client, on the first octet sent after receipt of the outcome
message. message.
7) If the protocol supports other layered security services, such as 7) If the protocol supports other layered security services, such as
Transport Layer Security (TLS) [RFC2246], the specification MUST Transport Layer Security (TLS) [RFC2246], the specification MUST
skipping to change at page 16, line 6 skipping to change at page 16, line 21
- detailing how authentication identities (which are - detailing how authentication identities (which are
mechanism-specific) and authorization identities (which are mechanism-specific) and authorization identities (which are
protocol-specific) relate to each other, and protocol-specific) relate to each other, and
- detailing which mechanisms are applicable to the protocol. - detailing which mechanisms are applicable to the protocol.
5. Mechanism Requirements 5. Mechanism Requirements
SASL mechanism specifications MUST supply the following information: SASL mechanism specifications MUST supply the following information:
1) The name of the mechanism (see Section 3.1). This name MUST be 1) The name of the mechanism (see Section 3.1). This name MUST be
registered as discussed in Section 8.1. registered as discussed in Section 7.1.
2) A definition of the server-challenges and client-responses of the 2) A definition of the server-challenges and client-responses of the
authentication exchange, as well as: authentication exchange, as well as:
a) An indication whether the client is expected to send data first. a) An indication whether the client is expected to send data first.
If so, when the client does not send data first, the initial
challenge MUST be specified as being an empty challenge.
b) An indication whether the server is expected to provide b) An indication whether the server is expected to provide
additional data when indicating a successful outcome. If so, if additional data when indicating a successful outcome. If so, if
the server sends the additional data as a challenge, the the server sends the additional data as a challenge, the
specification MUST indicate the response to this challenge is an specification MUST indicate the response to this challenge is an
empty response. empty response.
SASL mechanisms SHOULD be designed to minimize the number of SASL mechanisms SHOULD be designed to minimize the number of
challenges and responses necessary to complete the exchange. challenges and responses necessary to complete the exchange.
skipping to change at page 17, line 20 skipping to change at page 17, line 33
SASL mechanisms SHOULD be protocol neutral. SASL mechanisms SHOULD be protocol neutral.
SASL mechanisms SHOULD reuse existing credential and identity forms, SASL mechanisms SHOULD reuse existing credential and identity forms,
as well as associated syntaxes and semantics. as well as associated syntaxes and semantics.
SASL mechanisms SHOULD use UTF-8 transformation format [RFC3629] for SASL mechanisms SHOULD use UTF-8 transformation format [RFC3629] for
encoding Unicode [Unicode] code points for transfer. encoding Unicode [Unicode] code points for transfer.
In order to avoid interoperability problems due to differing In order to avoid interoperability problems due to differing
normalizations, when a mechanism calls for character data (other than normalizations, when a mechanism calls for character data (other than
the authorization identity string) is to be used as input to a the authorization identity string) to be used as input to a
cryptographic and/or comparison function, the specification MUST cryptographic and/or comparison function, the specification MUST
detail precisely how and where (client or server) the character data detail precisely how and where (client or server) the character data
is to be prepared, including all normalizations, for input into the is to be prepared, including all normalizations, for input into the
function to ensure proper operation. function to ensure proper operation.
For simple user names and/or passwords in authentication credentials, For simple user names and/or passwords in authentication credentials,
SASLprep [RFC4013] (a profile of the StringPrep [RFC3454] preparation SASLprep [RFC4013] (a profile of the StringPrep [RFC3454] preparation
algorithm), SHOULD be specified as the preparation algorithm. algorithm), SHOULD be specified as the preparation algorithm.
The mechanism SHOULD NOT use the authorization identity string in The mechanism SHOULD NOT use the authorization identity string in
skipping to change at page 17, line 46 skipping to change at page 18, line 14
different authorization identity strings which are semantically different authorization identity strings which are semantically
equivalent, use of authorization identity strings in generation of equivalent, use of authorization identity strings in generation of
cryptographic keys and hashes will likely lead to interoperability and cryptographic keys and hashes will likely lead to interoperability and
other problems. other problems.
6. Security Considerations 6. Security Considerations
Security issues are discussed throughout this memo. Security issues are discussed throughout this memo.
Many existing SASL mechanisms do not provide adequate protection Many existing SASL mechanisms do not provide adequate protection
against passive attacks, let alone active attacks, against the against passive attacks, let alone active attacks, in the
authentication exchange. Many existing SASL mechanisms do not offer authentication exchange. Many existing SASL mechanisms do not offer
any security layers. It is hoped that future SASL mechanisms will security layers. It is hoped that future SASL mechanisms will provide
provide strong protection against passive and active attacks in the strong protection against passive and active attacks in the
authentication exchange, as well as security layers with strong basis authentication exchange, as well as security layers with strong basic
data security features (e.g., data integrity and data confidentiality) data security features (e.g., data integrity and data confidentiality)
services. It is also hoped that future mechanisms will provide more services. It is also hoped that future mechanisms will provide more
advance data security services like re-keying (see Section 6.1). advanced data security services like re-keying (see Section 6.3).
Regardless, the SASL framework is suspectable to downgrade attacks. Regardless, the SASL framework is suspectable to downgrade attacks.
Section 6.1 offers a variety of approaches for preventing or detecting Section 6.1.2 offers a variety of approaches for preventing or
these attacks. In some cases, it is appropriate to use data integrity detecting these attacks. In some cases, it is appropriate to use data
protective services (e.g., TLS) external to SASL to protect against integrity protective services external to SASL (e.g., TLS [TLS]) to
downgrade attacks in SASL. This is especially true when the protect against downgrade attacks in SASL. Use of external protective
mechanisms available to the client do not themselves offer adequate security services is also important when the mechanisms available do
integrity or confidentiality protection of the authentication exchange not themselves offer adequate integrity and/or confidentiality
and/or protocol data. protection of the authentication exchange and/or protocol data.
6.1. Active Attacks 6.1. Active Attacks
6.1.1. Man-in-the-middle Attacks 6.1.1. Hijack Attacks
When the client selects a SASL security layer with at least integrity When the client selects a SASL security layer with at least integrity
protection, this protects against an active attacker hijacking the protection, this protect serves as a counter-measure against an active
connection and modifying protocol data sent after the authentication attacker hijacking the connection and modifying protocol data sent
exchange. In this case, it is important that any security-sensitive after establishment of the security layer. Implementations should
protocol negotiations be performed after the security layer is close the connection when the security services in an SASL security
installed. Protocols should be designed such that negotiations layer report protocol data report lack of data integrity.
performed prior to the installation should be either ignored or
revalidated once installation is complete. Negotiation of the SASL
mechanism is a security-sensitive negotiations.
When a server or client negotiates the authentication mechanisms 6.1.2. Downgrade Attacks
It is important that any security-sensitive protocol negotiations be
performed after installation of security layer with data integrity
protection. Protocols should be designed such that negotiations
performed prior to this installation should be revalidated after
installation is complete. Negotiation of the SASL mechanism is
security-sensitive.
When a client negotiates the authentication mechanism with the server
and/or other security features, it is possible for an active attacker and/or other security features, it is possible for an active attacker
to cause a party to use the least secure security services available. to cause a party to use the least secure security services available.
For instance, an attacker can modify the server-advertised mechanism For instance, an attacker can modify the server-advertised mechanism
list or can modify client-advertised security feature list within a list or can modify client-advertised security feature list within a
mechanism response. To protect against this sort of attack, mechanism response. To protect against this sort of attack,
implementations should not advertise mechanisms and/or features which implementations should not advertise mechanisms and/or features which
cannot meet their minimum security requirements, should not enter into cannot meet their minimum security requirements, should not enter into
or continue authentication exchanges which cannot meet their minimum or continue authentication exchanges which cannot meet their minimum
security requirements, and should verify that completed authentication security requirements, and should verify that completed authentication
exchanges result in security services that meet their minimum security exchanges result in security services that meet their minimum security
requirements. Note that each endpoint needs to independently verify requirements. Note that each endpoint needs to independently verify
that its security requirements are met. that its security requirements are met.
In order to detect downgrade attacks to the least (or less) secure In order to detect downgrade attacks to the least (or less) secure
mechanism supported, the client may discover the SASL mechanisms the mechanism supported, the client may discover the SASL mechanisms the
server makes available both before the SASL authentication exchange server makes available both before the SASL authentication exchange
and after the negotiated SASL security layer (with at least integrity and after the negotiated SASL security layer (with at least data
protection) has been installed through the protocol's mechanism integrity protection) has been installed through the protocol's
discovery facility. If the client finds that the integrity protected mechanism discovery facility. If the client finds that the integrity
list (the list obtained after the security layer was installed) protected list (the list obtained after the security layer was
contains a stronger mechanism than those in the previously obtained installed) contains a stronger mechanism than those in the previously
list, the client should assume the previously obtained list was obtained list, the client should assume the previously obtained list
modified by an attacker. was modified by an attacker and should close the underlying transport
connection.
The client's initiation of the SASL exchange, including the the
selection of a SASL mechanism, is done in the clear and may be
modified by an active attacker. It is important for any new SASL
mechanisms to be designed such that an active attacker cannot obtain
an authentication with weaker security properties by modifying the
SASL mechanism name and/or the challenges and responses.
When use of a security layer is negotiated by the authentication The client's initiation of the SASL exchange, including the selection
protocol exchange, the receiver should handle gracefully any protected of a SASL mechanism, is done in the clear and may be modified by an
data buffer larger than the defined/negotiated maximal size. In active attacker. It is important for any new SASL mechanisms to be
particular, it must not blindly allocate the amount of memory designed such that an active attacker cannot obtain an authentication
specified in the buffer size field, as this might cause the "out of with weaker security properties by modifying the SASL mechanism name
memory" condition. If the receiver detects a large block, it SHOULD and/or the challenges and responses.
close the connection.
Distributed server implementations need to be careful in how they Multi-level negotiation of security features is prone to downgrade
trust other parties. In particular, authentication secrets should attack. Protocol designers should avoid offering higher level
only be disclosed to other parties that are trusted to manage and use negotiation of security features in protocols (e.g., above SASL
those secrets in manner acceptable to disclosing party. Applications mechanism negotiation) and mechanism designers should avoid lower
using SASL assume that SASL security layers providing data level negotiation of security features in mechanisms (e.g., below SASL
confidentiality are secure even when an attacker chooses the text to mechanism negotiation).
be protected by the security layer. Similarly applications assume
that the SASL security layer is secure even if the attacker can
manipulate the cipher-text output of the security layer. New SASL
mechanisms are expected to meet these assumptions.
6.1.2. Replay Attacks 6.1.3. Replay Attacks
Some mechanisms may be subject to replay attacks unless protected by Some mechanisms may be subject to replay attacks unless protected by
external data security services (e.g., TLS). external data security services (e.g., TLS).
6.1.3. Truncation Attacks 6.1.4. Truncation Attacks
Most existing SASL security layers to not, themselves, offer Most existing SASL security layers do not themselves offer protection
protection against truncation attack. In a truncation attack, the against truncation attack. In a truncation attack, the active
active attacker causes the protocol session to be closed, causing a attacker causes the protocol session to be closed, causing a
truncation of the possibly integrity protected data stream that leads truncation of the possibly integrity protected data stream that leads
to behavior of one or both the protocol peers that inappropriately to behavior of one or both the protocol peers that inappropriately
benefits the attacker. Truncation attacks are fairly easy to defend benefits the attacker. Truncation attacks are fairly easy to defend
against in connection-oriented application-level protocols. A against in connection-oriented application-level protocols. A
protocol can defend against these attacks simply by ensuring that each protocol can defend against these attacks by ensuring that each
information exchange has a clear final result and that each protocol information exchange has a clear final result and that each protocol
session has a graceful closure mechanism, and that these are integrity session has a graceful closure mechanism, and that these are integrity
protected. protected.
6.1.5. Other Active Attacks
When use of a security layer is negotiated by the authentication
protocol exchange, the receiver should handle gracefully any protected
data buffer larger than the defined/negotiated maximal size. In
particular, it must not blindly allocate the amount of memory
specified in the buffer size field, as this might cause the "out of
memory" condition. If the receiver detects a large block, it should
close the connection.
6.2. Passive Attacks 6.2. Passive Attacks
Many mechanisms are subject to various passive attacks, including Many mechanisms are subject to various passive attacks, including
simple eavesdropping of unprotected credential information in simple eavesdropping of unprotected credential information as well as
mechanisms, such as PLAIN, to online and offline dictionary attacks. online and offline dictionary attacks of protected credential
information.
6.3. Re-keying 6.3. Re-keying
The secure or administratively permitted lifetimes of SASL mechanisms' The secure or administratively permitted lifetimes of SASL mechanisms'
security layers are finite. Cryptographic keys weaken as they are security layers are finite. Cryptographic keys weaken as they are
used and as time passes; the more time and/or cipher-text that a used and as time passes; the more time and/or cipher-text that a
cryptanalyst has after the first use of the a key, the easier it is cryptanalyst has after the first use of the a key, the easier it is
for the cryptanalyst to mount attacks on the key. for the cryptanalyst to mount attacks on the key.
Administrative limits on security layers lifetime may take the form of Administrative limits on a security layer's lifetime may take the form
time limits expressed in X.509 certificates, Kerberos V tickets, or in of time limits expressed in X.509 certificates, Kerberos V tickets, or
directories, and are often desired. In practice one likely effect of in directories, and are often desired. In practice one likely effect
administrative security layers lifetime limits is that applications of administrative lifetime limits is that applications may find that
may find that security layers stop working in the middle of security layers stop working in the middle of application protocol
application protocol operation, such as, perhaps, during large data operation, such as, perhaps, during large data transfers. As the
transfers. As the result of this the connection will be closed (see result of this the connection will be closed (see Section 3.7), which
Section 3.7), which will result in unpleasant user experience. will result in unpleasant user experience.
Re-keying (key renegotiation process) is a way of addressing the Re-keying (key renegotiation process) is a way of addressing the
weakening of cryptographic keys. SASL framework does not itself weakening of cryptographic keys. SASL framework does not itself
provide for re-keying. SASL mechanisms may. Designers of future SASL provide for re-keying, SASL mechanisms may. Designers of future SASL
mechanisms should consider providing re-keying services. mechanisms should consider providing re-keying services.
Applications that wish to re-key SASL security layers where the Applications that wish to re-key SASL security layers where the
mechanism does not provide for re-keying should reauthenticate the mechanism does not provide for re-keying should reauthenticate the
same IDs and replace the expired or soon-to-expire security layers. same IDs and replace the expired or soon-to-expire security layers.
This approach requires support for reauthentication in the application This approach requires support for reauthentication in the application
protocols (see Section 3.8). protocols (see Section 3.8).
6.5. Other Considerations 6.4. Other Considerations
Protocol designers and implementors should understand the security Protocol designers and implementors should understand the security
considerations of mechanisms so they may select mechanisms which are considerations of mechanisms so they may select mechanisms which are
applicable to their needs. applicable to their needs.
Multi-level negotiation of security features is prone to downgrade Distributed server implementations need to be careful in how they
attack. Protocol designers should avoid offering higher level trust other parties. In particular, authentication secrets should
negotiation of security features in protocols (e.g., above SASL only be disclosed to other parties that are trusted to manage and use
mechanism negotiation) and mechanism designers should avoid lower those secrets in manner acceptable to disclosing party. Applications
level negotiation of security features in mechanisms (e.g., below SASL using SASL assume that SASL security layers providing data
mechanism negotiation). confidentiality are secure even when an attacker chooses the text to
be protected by the security layer. Similarly applications assume
that the SASL security layer is secure even if the attacker can
manipulate the cipher-text output of the security layer. New SASL
mechanisms are expected to meet these assumptions.
Unicode security considerations [UTR36] apply to authorization Unicode security considerations [UTR36] apply to authorization
identity strings, and well as UTF-8 [RFC3629] security considerations identity strings, and well as UTF-8 [RFC3629] security considerations
where UTF-8 is used. SASLprep [RFC4013] and StringPrep [RFC3454] where UTF-8 is used. SASLprep [RFC4013] and StringPrep [RFC3454]
security considerations also apply where used. security considerations also apply where used.
7. IANA Considerations 7. IANA Considerations
7.1. SASL Mechanism Registry 7.1. SASL Mechanism Registry
SASL mechanism registry is maintained by IANA. The registry is SASL mechanism registry is maintained by IANA. The registry is
currently available at currently available at
<http://www.iana.org/assignments/sasl-mechanisms>. <http://www.iana.org/assignments/sasl-mechanisms>.
It is requested update this registry to reflect that this document It is requested that this registry be updated to reflect that this
provides the definitive technical specification for SASL and that this document provides the definitive technical specification for SASL and
section provides the registration procedures for this registry. that this section provides the registration procedures for this
registry.
7.1.1. Registration Procedure 7.1.1. Registration Procedure
Registration of a SASL mechanism is requested by filling in the Registration of a SASL mechanism is requested by filling in the
following template: following template:
Subject: Registration of SASL mechanism X Subject: Registration of SASL mechanism X
Family of SASL mechanisms: (YES or NO) Family of SASL mechanisms: (YES or NO)
skipping to change at page 22, line 4 skipping to change at page 22, line 30
Published specification (recommended): Published specification (recommended):
Person & email address to contact for further information: Person & email address to contact for further information:
Intended usage: (One of COMMON, LIMITED USE or OBSOLETE) Intended usage: (One of COMMON, LIMITED USE or OBSOLETE)
Owner/Change controller: Owner/Change controller:
Note: (Any other information that the author deems interesting may Note: (Any other information that the author deems interesting may
be added here .) be added here .)
and sending it via electronic mail to <iana@iana.org>. and sending it via electronic mail to <iana@iana.org>.
IANA has the right to reject obviously bogus registrations, but will IANA has the right to reject obviously bogus registrations, but will
perform no review of claims made in the registration form. IANA will perform no review of claims made in the registration form. IANA will
register new values on a First Come First Served basis, as defined in register new values on a First Come First Served basis, as defined in
BCP 64 [RFC2434]. BCP 64 [RFC2434].
There is no naming convention for SASL mechanisms; any name that There is no naming convention for SASL mechanisms; any name that
conforms to the syntax of a SASL mechanism name can be registered. conforms to the syntax of a SASL mechanism name can be registered.
However an IETF Standards Track document may reserve a portion of the However, future specifications may reserve a portion of the SASL
SASL mechanism namespace ("family of SASL mechanisms") for its own mechanism namespace ("family of SASL mechanisms") for its own use,
use, amending the registration rules for that portion of the detailing the registration rules for that portion of the namespace.
namespace. Each family of SASL mechanisms MUST be identified by a Each family of SASL mechanisms MUST be identified by a prefix.
prefix.
While the registration procedures do not require expert review, While the registration procedures do not require expert review,
authors of SASL mechanisms are encouraged to seek community review and authors of SASL mechanisms are encouraged to seek community review and
comment whenever that is feasible. Authors may seek community review comment whenever that is feasible. Authors may seek community review
by posting a specification of their proposed mechanism as an by posting a specification of their proposed mechanism as an
Internet-Draft. SASL mechanisms intended for widespread use should be Internet-Draft. SASL mechanisms intended for widespread use should be
standardized through the normal IETF process, when appropriate. standardized through the normal IETF process, when appropriate.
7.1.2. Comments on SASL Mechanism Registrations 7.1.2. Comments on SASL Mechanism Registrations
Comments on registered SASL mechanisms should first be sent to the Comments on registered SASL mechanisms should first be sent to the
"owner" of the mechanism and/or to the SASL WG mailing list. "owner" of the mechanism and/or to the SASL WG mailing list.
Submitters of comments may, after a reasonable attempt to contact the Submitters of comments may, after a reasonable attempt to contact the
owner, request IANA to attach their comment to the SASL mechanism owner, request IANA to attach their comment to the SASL mechanism
registration itself by sending mail to <iana@iana.org>. At IANA sole registration itself by sending mail to <iana@iana.org>. At IANA's
discretion, IANA may attach the comment to the registration SASL sole discretion, IANA may attach the comment to the SASL mechanism's
mechanism. registration.
7.1.3. Change Control 7.1.3. Change Control
Once a SASL mechanism registration has been published by IANA, the Once a SASL mechanism registration has been published by IANA, the
author may request a change to its definition. The change request author may request a change to its definition. The change request
follows the same procedure as the registration request. follows the same procedure as the registration request.
The owner of a SASL mechanism may pass responsibility for the SASL The owner of a SASL mechanism may pass responsibility for the SASL
mechanism to another person or agency by informing IANA; this can be mechanism to another person or agency by informing IANA; this can be
done without discussion or review. done without discussion or review.
skipping to change at page 23, line 17 skipping to change at page 23, line 42
SASL mechanism registrations may not be deleted; mechanisms which are SASL mechanism registrations may not be deleted; mechanisms which are
no longer believed appropriate for use can be declared OBSOLETE by a no longer believed appropriate for use can be declared OBSOLETE by a
change to their "intended usage" field; such SASL mechanisms will be change to their "intended usage" field; such SASL mechanisms will be
clearly marked in the lists published by IANA. clearly marked in the lists published by IANA.
The IESG is considered to be the owner of all SASL mechanisms which The IESG is considered to be the owner of all SASL mechanisms which
are on the IETF standards track. are on the IETF standards track.
7.2. Registration Changes 7.2. Registration Changes
It is requested that IANA updates the SASL mechanisms registry as It is requested that IANA update the SASL mechanisms registry as
follows: follows:
1) Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism 1) Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism
registrations to OBSOLETE. registrations to OBSOLETE.
2) Change the "Published specification" of the EXTERNAL mechanism to 2) Change the "Published specification" of the EXTERNAL mechanism to
this document as indicated below: this document as indicated below:
Subject: Updated Registration of SASL mechanism EXTERNAL Subject: Updated Registration of SASL mechanism EXTERNAL
Family of SASL mechanisms: NO Family of SASL mechanisms: NO
SASL mechanism name: EXTERNAL SASL mechanism name: EXTERNAL
Security considerations: See RFC XXXX, section 9. Security considerations: See A.3 of RFC XXXX
Published specification (optional, recommended): RFC XXXX Published specification (optional, recommended): RFC XXXX
Person & email address to contact for further information: Person & email address to contact for further information:
Alexey Melnikov <Alexey.Melnikov@isode.com> Alexey Melnikov <Alexey.Melnikov@isode.com>
Intended usage: COMMON Intended usage: COMMON
Owner/Change controller: IESG <iesg@ietf.org> Owner/Change controller: IESG <iesg@ietf.org>
Note: Updates existing entry for EXTERNAL Note: Updates existing entry for EXTERNAL
8. References 8. References
[[Note to the RFC Editor: please replace the citation tags used in [[Note to the RFC Editor: please replace the citation tags used in
skipping to change at page 24, line 20 skipping to change at page 24, line 45
[RFC3454] Hoffman, P. and M. Blanchet, "Preparation of [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of
Internationalized Strings ('stringprep')", RFC 3454, Internationalized Strings ('stringprep')", RFC 3454,
December 2002. December 2002.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", RFC 3629 (also STD 63), November 2003. 10646", RFC 3629 (also STD 63), November 2003.
[RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User
Names and Passwords", RFC 4013, February 2005. Names and Passwords", RFC 4013, February 2005.
[ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", draft-crocker-abnf-rfc2234bis, a
work in progress.
[ASCII] Coded Character Set--7-bit American Standard Code for [ASCII] Coded Character Set--7-bit American Standard Code for
Information Interchange, ANSI X3.4-1986. Information Interchange, ANSI X3.4-1986.
[Unicode] The Unicode Consortium, "The Unicode Standard, Version [Unicode] The Unicode Consortium, "The Unicode Standard, Version
3.2.0" is defined by "The Unicode Standard, Version 3.0" 3.2.0" is defined by "The Unicode Standard, Version 3.0"
(Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
as amended by the "Unicode Standard Annex #27: Unicode as amended by the "Unicode Standard Annex #27: Unicode
3.1" (http://www.unicode.org/reports/tr27/) and by the 3.1" (http://www.unicode.org/reports/tr27/) and by the
"Unicode Standard Annex #28: Unicode 3.2" "Unicode Standard Annex #28: Unicode 3.2"
(http://www.unicode.org/reports/tr28/). (http://www.unicode.org/reports/tr28/).
skipping to change at page 24, line 45 skipping to change at page 25, line 18
[CharModel] Whistler, K. and M. Davis, "Unicode Technical Report [CharModel] Whistler, K. and M. Davis, "Unicode Technical Report
#17, Character Encoding Model", UTR17, #17, Character Encoding Model", UTR17,
<http://www.unicode.org/unicode/reports/tr17/>, August <http://www.unicode.org/unicode/reports/tr17/>, August
2000. 2000.
[Glossary] The Unicode Consortium, "Unicode Glossary", [Glossary] The Unicode Consortium, "Unicode Glossary",
<http://www.unicode.org/glossary/>. <http://www.unicode.org/glossary/>.
8.2. Informative References 8.2. Informative References
[RFC2244] Newman, C. and J. Myers, "ACAP -- Application
Configuration Access Protocol", RFC 2244, November 1997.
[RFC2246] Dierks, T. and, C. Allen, "The TLS Protocol Version [RFC2246] Dierks, T. and, C. Allen, "The TLS Protocol Version
1.0", RFC 2246, January 1999. 1.0", RFC 2246, January 1999.
[RFC2401] Kent, S., and R. Atkinson, "Security Architecture for
the Internet Protocol", RFC 2401, November 1998.
[RFC3548] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC3548] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 3548, July 2003. Encodings", RFC 3548, July 2003.
[RFC2401] Kent, S., and R. Atkinson, "Security Architecture for [TLS] Dierks, T. and, E. Rescorla, "The TLS Protocol Version
the Internet Protocol", RFC 2401, November 1998. 1.1", draft-ietf-tls-rfc2246-bis-xx.txt, a work in
progress.
[SASL-GSSAPI] Melnikov, A. (Editor), "SASL GSSAPI mechanisms", [SASL-GSSAPI] Melnikov, A. (Editor), "SASL GSSAPI mechanisms",
draft-ietf-sasl-gssapi-XX.txt, a work in progress. draft-ietf-sasl-gssapi-XX.txt, a work in progress.
[UTR36] Davis, M., "(Draft) Unicode Technical [UTR36] Davis, M., "(Draft) Unicode Technical
Report #36, Character Encoding Model", UTR17, Report #36, Character Encoding Model", UTR17,
<http://www.unicode.org/unicode/reports/tr36/>, February <http://www.unicode.org/unicode/reports/tr36/>, February
2005. 2005.
9. Editors' Address 9. Editors' Address
skipping to change at page 26, line 9 skipping to change at page 26, line 28
The following individuals contributed significantly to this revision: The following individuals contributed significantly to this revision:
Abhijit Menon-Sen, Hallvard B Furuseth, Jeffrey Hutzelman, John Myers, Abhijit Menon-Sen, Hallvard B Furuseth, Jeffrey Hutzelman, John Myers,
Luke Howard, Magnus Nystrom, Nicolas Williams, Peter Saint-Andre, RL Luke Howard, Magnus Nystrom, Nicolas Williams, Peter Saint-Andre, RL
'Bob' Morgan, Rob Siemborski, Sam Hartman, Simon Josefsson, Tim Alsop, 'Bob' Morgan, Rob Siemborski, Sam Hartman, Simon Josefsson, Tim Alsop,
and Tony Hansen. and Tony Hansen.
Appendix A. The SASL EXTERNAL Mechanism Appendix A. The SASL EXTERNAL Mechanism
This appendix is normative. This appendix is normative.
The EXTERNAL mechanism allows a client to request the server use The EXTERNAL mechanism allows a client to request the server to use
credentials established by means external to the mechanism to credentials established by means external to the mechanism to
authenticate the client. The external means may be, for instance, IP authenticate the client. The external means may be, for instance, IP
Security [RFC2401] or TLS [RFC2246] services. In absence of some Security [RFC2401] or TLS [RFC2246] services. In absence of some
apriori agreement between the client and the server, the client cannot apriori agreement between the client and the server, the client cannot
make any assumption as to what external means the server has used to make any assumption as to what external means the server has used to
obtain the client's credentials, nor make an assumption as to the form obtain the client's credentials, nor make an assumption as to the form
of credentials. For example, the client cannot assume the server will of credentials. For example, the client cannot assume the server will
use the credentials the client has established via TLS. use the credentials the client has established via TLS.
A.1. EXTERNAL Technical Specification A.1. EXTERNAL Technical Specification
skipping to change at page 26, line 39 skipping to change at page 27, line 13
string. string.
The client is expected to send data first in the authentication The client is expected to send data first in the authentication
exchange. Where the client does not provide an initial response data exchange. Where the client does not provide an initial response data
in its request to initiate the authentication exchange, the server is in its request to initiate the authentication exchange, the server is
to respond to the request with an empty initial challenge and then the to respond to the request with an empty initial challenge and then the
client is to provide its initial response. client is to provide its initial response.
The client sends the initial response containing the UTF-8 [RFC3629] The client sends the initial response containing the UTF-8 [RFC3629]
encoding of the requested authorization identity string. This encoding of the requested authorization identity string. This
response is non-empty when the client is requesting to act as identity response is non-empty when the client is requesting to act as the
represented by the (non-empty) string. This response is empty when identity represented by the (non-empty) string. This response is
the client is requesting to act as the identity the server associated empty when the client is requesting to act as the identity the server
with its authentication credentials. associated with its authentication credentials.
The syntax of the initial response is specified as a value of the The syntax of the initial response is specified as a value of the
<extern-initial-resp> production detailed below using the Augmented <extern-initial-resp> production detailed below using the Augmented
Backus-Naur Form (ABNF) [RFC2234] notation. Backus-Naur Form (ABNF) [RFC4234] notation.
external-initial-resp = authz-id-string external-initial-resp = authz-id-string
authz-id-string = *( UTF8-char-no-nul ) authz-id-string = *( UTF8-char-no-nul )
UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4 UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4
UTF8-1-no-nul = %x01-7F UTF8-1-no-nul = %x01-7F
where the <UTF8-2>, <UTF8-3>, and <UTF8-4> productions are as defined where the <UTF8-2>, <UTF8-3>, and <UTF8-4> productions are as defined
in [RFC3629]. in [RFC3629].
There are no additional challenges and responses. There are no additional challenges and responses.
Hence, the server is to return the outcome of the authentication Hence, the server is to return the outcome of the authentication
exchange. exchange.
The exchange fails if The exchange fails if
- the client has not established its credentials via external means, - the client has not established its credentials via external means,
skipping to change at page 27, line 16 skipping to change at page 27, line 39
There are no additional challenges and responses. There are no additional challenges and responses.
Hence, the server is to return the outcome of the authentication Hence, the server is to return the outcome of the authentication
exchange. exchange.
The exchange fails if The exchange fails if
- the client has not established its credentials via external means, - the client has not established its credentials via external means,
- the client's credentials are inadequate, - the client's credentials are inadequate,
- The client provided an empty authorization identity string and the - The client provided an empty authorization identity string and the
server unwilling or unable to associate an authorization identity server is unwilling or unable to associate an authorization identity
with the clients credentials, with the client's credentials,
- The client provided a non-empty authorization identity string which - The client provided a non-empty authorization identity string which
is invalid per the syntax requirements of the applicable application is invalid per the syntax requirements of the applicable application
protocol specification, protocol specification,
- The client provided a non-empty authorization identity string - The client provided a non-empty authorization identity string
representing an identity which the client is not allowed to act as, representing an identity which the client is not allowed to act as,
or or
- the server is unwilling or unable to provide service to the client - the server is unwilling or unable to provide service to the client
for any other reason. for any other reason.
Otherwise the exchange is successful. When indicating a successful Otherwise the exchange is successful. When indicating a successful
outcome, additional data is not provided. outcome, additional data is not provided.
A.2. SASL EXTERNAL Examples A.2. SASL EXTERNAL Examples
This section provides examples of EXTERNAL authentication exchanges. This section provides examples of EXTERNAL authentication exchanges.
The examples are intended to help the readers under the above text. The examples are intended to help the readers under the above text.
The examples are not definitive. The Application Configuration The examples are not definitive. The Application Configuration
Access Protocol (ACAP) [RFC2244] is used in the examples. Access Protocol (ACAP) [RFC2244] is used in the examples.
The first example shows use of EXTERNAL with an empty authorization The first example shows use of EXTERNAL with an empty authorization
identity. In this example, the initial response is not sent the identity. In this example, the initial response is not sent in the
client's request to initiate authentication exchange. client's request to initiate authentication exchange.
S: * ACAP (SASL "DIGEST-MD5") S: * ACAP (SASL "DIGEST-MD5")
C: a001 STARTTLS C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now" S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer> <TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL") S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
C: a002 AUTHENTICATE "EXTERNAL" C: a002 AUTHENTICATE "EXTERNAL"
S: + "" S: + ""
C: + "" C: + ""
skipping to change at page 28, line 4 skipping to change at page 28, line 25
S: * ACAP (SASL "DIGEST-MD5") S: * ACAP (SASL "DIGEST-MD5")
C: a001 STARTTLS C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now" S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer> <TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL") S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
C: a002 AUTHENTICATE "EXTERNAL" C: a002 AUTHENTICATE "EXTERNAL"
S: + "" S: + ""
C: + "" C: + ""
S: a002 OK "Authenticated" S: a002 OK "Authenticated"
In second example shows use of EXTERNAL with an authorization identity In second example shows use of EXTERNAL with an authorization identity
of "fred@example.com". In this example, the initial response is sent of "fred@example.com". In this example, the initial response is sent
with the clients request to initiate the authentication exchange. with the client's request to initiate the authentication exchange.
This saves a round-trip. This saves a round-trip.
S: * ACAP (SASL "DIGEST-MD5") S: * ACAP (SASL "DIGEST-MD5")
C: a001 STARTTLS C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now" S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer> <TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL") S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
C: a002 AUTHENTICATE "EXTERNAL" {16+} C: a002 AUTHENTICATE "EXTERNAL" {16+}
C: fred@example.com C: fred@example.com
S: a002 NO "Cannot assume requested authorization identity" S: a002 NO "Cannot assume requested authorization identity"
skipping to change at page 28, line 37 skipping to change at page 29, line 13
This appendix is non-normative. This appendix is non-normative.
The material in RFC 2222 was significantly rewritten in the production The material in RFC 2222 was significantly rewritten in the production
of this document. of this document.
RFC 2222, by not stating the authorization identity string was a RFC 2222, by not stating the authorization identity string was a
string of Unicode characters, let alone character data, implied the string of Unicode characters, let alone character data, implied the
authorization identity string was a string of octets. authorization identity string was a string of octets.
- The authorization identity string is now defined as a string of - The authorization identity string is now defined as a string of
Unicode characters. The NUL (U+0000) is prohibited. While protocol Unicode characters. The NUL (U+0000) character is prohibited.
specifications are responsible for defining the authorization While protocol specifications are responsible for defining the
identity form, as well as the Unicode string syntax and related authorization identity form, as well as the Unicode string syntax
semantics, mechanism specifications are responsible for defining how and related semantics, mechanism specifications are responsible for
the Unicode string is carried in the authentication exchange. defining how the Unicode string is carried in the authentication
exchange.
- Deleted "If so, when the client does not send data first, the
initial challenge MUST be specified as being an empty challenge."
The following technical change was made to the EXTERNAL mechanism: The following technical change was made to the EXTERNAL mechanism:
- The authorization identity string is to be UTF-8 encoded. - The authorization identity string is to be UTF-8 encoded.
It is noted that protocol and mechanism specification requirements It is noted that protocol and mechanism specification requirements
have been significant tightened. Existing protocol and mechanism have been significant tightened. Existing protocol and mechanism
specifications will need to be updated to meet these requirements. specifications will need to be updated to meet these requirements.
Intellectual Property Rights Intellectual Property Rights
 End of changes. 54 change blocks. 
136 lines changed or deleted 161 lines changed or added

This html diff was produced by rfcdiff 1.27, available from http://www.levkowetz.com/ietf/tools/rfcdiff/