| blob | f06b540b4543294f276de4fd6e3b60aa8b7c9d20 |
7 Network Working Group Robert Siemborski
8 INTERNET-DRAFT Carnegie Mellon University
9 Intended Category: Proposed Standard April, 2004
12 POP3 SASL Authentication Mechanism
14 <draft-siemborski-rfc1734bis-03.txt>
17 Status of this Memo
18 This document is an Internet-Draft and is in full conformance with
19 all provisions of Section 10 of RFC2026.
21 Internet-Drafts are working documents of the Internet Task Force
22 (IETF), its areas, and its working groups. Note that other groups
23 may also distribute working documents as Internet-Drafts.
25 Internet-Drafts are draft documents valid for a maximum of six
26 months and may be updated, replaced, or obsoleted by other documents
27 at any time. It is inappropriate to use Internet Drafts as
28 reference material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html.
36 Distribution of this memo is unlimited.
38 Abstract
40 This document defines a profile of the Simple Authentication and
41 Security Layer (SASL) for the Post Office Protocol (POP3). This
42 extension allows a POP3 client to indicate an authentication
43 mechanism to the server, perform an authentication protocol
44 exchange, and optionally negotiate a security layer for subsequent
45 protocol interactions during this session.
47 In order to consolidate all of the authentication related
48 information for POP3 into a single document, this document obsoletes
49 RFC 1734 and RFC 3206, replacing them as a Proposed Standard. It
50 also updates information contained in Section 6.3 and Section 8 of
51 RFC 2449.
58 Siemborski Expires October, 2004 [Page 1]
64 POP3 SASL Authentication Mechanism April, 2004
67 1. How to Read This Document
69 The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD
70 NOT", "RECOMMENDED", and "MAY" in this document are to be
71 interpreted as defined in "Key words for use in RFCs to Indicate
72 Requirement Levels" [KEYWORDS]
74 In examples, "C:" and "S:" indicate lines sent by the client and
75 server respectively.
77 2. Introduction
79 The [POP3] AUTH command [POP3-AUTH] in has suffered several problems
80 in its specification. The first is that it was very similar to a
81 [SASL] framework, but pre-dated the initial SASL specification. It
82 was therefore missing some key components, such as a way to list the
83 available authentication mechanisms.
85 Later, [POP3-EXT] attempted to remedy this situation by adding the
86 CAPA command and allowing an initial client response to the AUTH
87 command, however problems in the clarity of the specification of how
88 the initial client response was to be handled remained.
90 Additionally, there is yet another document, [POP3-CODES], that
91 provides additional response codes that are useful during
92 authentication. Together, this means creating a full POP3 AUTH
93 implementaiton requires an understanding of material in atleast six
94 different documents.
96 This document attempts to combine all of the POP3 SASL
97 authentication related details into a single document, in addition
98 to clarifying and updating the older specifications where
99 appropriate.
101 3. The SASL Capability
103 This section supercedes the definition of the SASL Capability in
104 section 6.3 of [POP3-EXT].
106 CAPA tag:
107 SASL
109 Arguments:
110 Supported SASL Mechanisms
112 Standard Commands Affected
113 None
118 Siemborski Expires October, 2004 [Page 3]
124 POP3 SASL Authentication Mechanism April, 2004
127 Announced states / possible differences:
128 both / no
130 Commands valid in states:
131 AUTHORIZATION
133 Specification Reference:
134 This Document, [SASL]
136 Discussion
137 The SASL capability permits the use of the AUTH command (as
138 defined in section 4 of this document) to begin a [SASL]
139 negotiation. The arguments to the SASL capability is a space-
140 separated list of SASL mechanisms which are supported.
142 If a server either does not support the CAPA command or does not
143 advertise the SASL capability, clients SHOULD NOT attempt the
144 AUTH command. If a client does attempt the AUTH command in such
145 a situation, it MUST NOT supply the client initial response
146 parameter (for backwards compatibility with [POP3-AUTH]).
148 Note that the list of available mechanisms MAY change after a
149 successful STLS command [POP3-TLS]. Additionally,
150 implementations MAY choose to omit the SASL capability after a
151 successful AUTH command has been completed.
153 Example
155 S: +OK pop.example.com BlurdyBlurp POP3 server ready
156 C: CAPA
157 S: +OK List of capabilities follows
158 S: SASL KERBEROS_V4 GSSAPI ANONYMOUS
159 S: STLS
160 S: IMPLEMENTATION BlurdyBlurp POP3 server
161 S: .
164 4. The AUTH Command
166 AUTH mechanism [initial-response]
168 Arguments:
169 mechanism: A string identifying a [SASL] authentication
170 mechanism.
172 initial-response: An optional initial client response. If
173 present, this response MUST be encoded as specified in Section
174 3 of [BASE64].
178 Siemborski Expires October, 2004 [Page 4]
184 POP3 SASL Authentication Mechanism April, 2004
187 Restrictions:
188 After an AUTH command has been successfully completed, no more
189 AUTH commands may be issued in the same session. After a
190 successful AUTH command completes, a server MUST reject any
191 further AUTH commands with a -ERR reply.
193 The AUTH command may only be given during the AUTHORIZATION
194 state.
196 Discussion:
197 The AUTH command initiates a [SASL] authentication exchange
198 between the client and the server. The client identifies the
199 SASL mechanism to use with the first parameter of the AUTH
200 command. If the server supports the requested authentication
201 mechanism, it performs the SASL exchange to authenticate the
202 user. Optionally, it also negotiates a security layer for
203 subsequent protocol interactions during this session. If the
204 requested authentication mechanism is not supported, the
205 server rejects the AUTH command with a -ERR reply.
207 The authentication protocol exchange consists of a series of
208 server challenges and client responses that are specific to
209 the chosen [SASL] mechanism.
211 A server challenge is sent as a line consisting of a "+"
212 character followed by a single space and a string encoded as
213 specified in Section 3 of [BASE64]. This challenge MUST NOT
214 contain any text other than the BASE64 encoded challenge.
216 A client response consists of a line containing a string
217 encoded as defined in Section 3 of [BASE64]. If the client
218 wishes to cancel the authentication exchange, it issues a line
219 with a single "*". If the server receives such a response, it
220 MUST reject the AUTH command by sending a -ERR reply.
222 The optional initial response argument to the AUTH command is
223 used to save a round trip when using authentication mechanisms
224 that support an initial client response. If the initial
225 response argument is omitted and the chosen mechanism requires
226 an initial client response, the server MUST proceed as defined
227 in section 5.1 of [SASL]. In POP3, a server challenge with no
228 data is defined as line with only a "+" followed by a single
229 space. It MUST NOT contain any other data.
231 For the purposes of the initial client response, the line
232 length limitation defined in [POP3-EXT] still applies. If a
233 client initial send would cause the AUTH command to exceed
234 this length, the client MUST NOT use the initial response
238 Siemborski Expires October, 2004 [Page 5]
244 POP3 SASL Authentication Mechanism April, 2004
247 parameter (and instead proceed as defined in section 5.1 of
248 [SASL]).
250 If the client needs to send a zero-length initial response,
251 the client MUST transmit the response as a single equals sign
252 ("="). This indicates that the response is present, but
253 contains no data.
255 If the client uses an initial-response argument to the AUTH
256 command with a SASL mechanism that does not support an initial
257 client send, the server MUST reject the AUTH command with a
258 -ERR reply.
260 If the server cannot [BASE64] decode any client response, it
261 MUST reject the AUTH command with a -ERR reply. If the client
262 cannot BASE64 decode any of the server's challenges, it MUST
263 cancel the authentication using the "*" response. In
264 particular, servers and clients MUST reject (and not ignore)
265 any character not explicitly allowed by the BASE64 alphabet,
266 and MUST reject any sequence of BASE64 characters that
267 contains the pad character ('=') anywhere other than the end
268 of the string (e.g. "=AAA" and "AAA=BBB" are not allowed).
270 Note that these [BASE64] strings (excepting the initial client
271 response) may be of arbitrarily length. Clients and servers
272 MUST be able to handle the maximum encoded size of challenges
273 and responses generated by their supported authentication
274 mechanisms. This requirement is independent of any line
275 length limitations the client or server may have in other
276 parts of its protocol implementation.
278 If the server is unable to authenticate the client, it MUST
279 reject the AUTH command with a -ERR reply. Should the client
280 successfully complete the exchange, the server issues a +OK
281 reply. Additionally, upon success, the POP3 session enters
282 the TRANSACTION state.
284 The authorization identity generated by this [SASL] exchange
285 is a simple username, and MUST use the [SASLprep] profile of
286 the [StringPrep] algorithm to prepare these names for
287 matching. If preparation of the authorization identity fails
288 or results in an empty string (unless it was transmitted as
289 the empty string), the server MUST fail the authentication.
291 If a security layer is negotiated during the SASL exchange, it
292 takes effect for the client on the octet immediately following
293 the CRLF that concludes the last response generated by the
294 client. For the server, it takes effect immediately following
298 Siemborski Expires October, 2004 [Page 6]
304 POP3 SASL Authentication Mechanism April, 2004
307 the CRLF of its success reply.
309 When a security layer takes effect, the server MUST discard
310 any knowledge previously obtained from the client, which was
311 not obtained from the SASL negotiation itself. Likewise, the
312 client MUST discard any knowledge obtained from the server,
313 such as the list of available POP3 service extensions. After
314 a security layer is established, the server SHOULD NOT
315 advertise either the SASL or the STLS extension.
317 When both [TLS] and SASL security layers are in effect, the
318 TLS encoding MUST be applied after the SASL encoding,
319 regardless of the order in which the layers were negotiated.
321 The service name specified by this protocol's profile of SASL
322 is "pop".
324 If an AUTH command fails, the client may try another
325 authentication mechanism or present different credentials by
326 issuing another AUTH command (or by using one of the other
327 [POP3] authentication mechanisms). Likewise, the server MUST
328 behave as if the client had not issued the AUTH command.
330 To ensure interoperability, client and server implementations
331 of this extension MUST implement the [DIGEST-MD5] SASL
332 mechanism.
335 4.1. Formal Syntax
337 The following syntax specification uses the Augmented Backus-Naur
338 Form notation as specified in [ABNF].
340 Except as noted otherwise, all alphabetic characters are case-
341 insensitive. The use of upper or lower case characters to define
342 token strings is for editorial clarity only. Implementations MUST
343 accept these strings in a case-insensitive fashion.
346 UPALPHA = %x41-5A ;; Uppercase: A-Z
348 LOALPHA = %x61-7A ;; Lowercase: a-z
350 ALPHA = UPALPHA / LOALPHA ;; case insensitive
352 DIGIT = %x30-39 ;; Digits 0-9
354 AUTH_CHAR = ALPHA / DIGIT / "-" / "_"
358 Siemborski Expires October, 2004 [Page 7]
364 POP3 SASL Authentication Mechanism April, 2004
367 auth_type = 1*20AUTH_CHAR
369 auth_command = "AUTH" SPACE auth_type [SPACE (base64 / "=")]
370 *(CRLF [base64]) CRLF
372 base64 = base64_terminal /
373 ( 1*(4base64_CHAR) [base64_terminal] )
375 base64_char = UPALPHA / LOALPHA / DIGIT / "+" / "/"
376 ;; Case-sensitive
378 base64_terminal = (2base64_char "==") / (3base64_char "=")
380 continue_req = "+" SPACE [base64] CRLF
382 CR = %x0C ;; ASCII CR, carriage return
384 CRLF = CR LF
386 LF = %x0A ;; ASCII LF, line feed
388 SPACE = %x20 ;; ASCII SP, space
391 4.2. Examples
393 Here is an example of a client attempting AUTH PLAIN under TLS and
394 making use of the initial client response:
396 S: +OK pop.example.com BlurdyBlurp POP3 server ready
397 C: CAPA
398 S: +OK List of capabilities follows
399 S: SASL KERBEROS_V4 GSSAPI ANONYMOUS
400 S: STLS
401 S: IMPLEMENTATION BlurdyBlurp POP3 server
402 S: .
403 C: STLS
404 S: +OK Begin TLS negotiation now
405 ... TLS negotiation proceeds, further commands protected by TLS layer ...
406 C: CAPA
407 S: +OK List of capabilities follows
408 S: SASL PLAIN KERBEROS_V4 GSSAPI ANONYMOUS
409 S: IMPLEMENTATION BlurdyBlurp POP3 server
410 S: .
411 C: AUTH PLAIN dGVzdAB0ZXN0AHRlc3Q=
412 S: +OK Maildrop locked and ready
414 Here is another client that is attempting AUTH PLAIN under a TLS
418 Siemborski Expires October, 2004 [Page 8]
424 POP3 SASL Authentication Mechanism April, 2004
427 layer, this time without the initial response. Parts of the
428 negotiation before the TLS layer was established have been omitted:
430 ... TLS negotiation proceeds, further commands protected by TLS layer ...
431 C: CAPA
432 S: +OK List of capabilities follows
433 S: SASL PLAIN KERBEROS_V4 GSSAPI ANONYMOUS
434 S: IMPLEMENTATION BlurdyBlurp POP3 server
435 S: .
436 C: AUTH PLAIN
437 (note that there is a space following the '+' on the following line)
438 S: +
439 C: dGVzdAB0ZXN0AHRlc3Q=
440 S: +OK Maildrop locked and ready
442 Here is an example using a mechanism which does not support an
443 initial client send, and includes server challenges:
445 S: +OK pop.example.com BlurdyBlurp POP3 server ready
446 C: CAPA
447 S: +OK List of capabilities follows
448 S: SASL KERBEROS_V4 GSSAPI ANONYMOUS
449 S: STLS
450 S: IMPLEMENTATION BlurdyBlurp POP3 server
451 S: .
452 C: AUTH KERBEROS_V4
453 S: + ezLUFA==
454 (the following lines are broken for editorial clarity only)
455 C: BAYFQU5EUkVXLkNNVS5FRFUAOCCXeMiVyFe9K6Nwne7+sPLgIoF9YQ5ePfxUsMlJAf
456 C7aoNySU8nrqS9m8JAddsUeuyc5HFXXovaKLrZNo2bTLH0Lyolwy0W9ryJDojbKmHy
457 zSMqFsGD4EL0
458 S: + Z74fTwDw7KQ=
459 C: vSAF7ha6qotK2UHUgKlsEA==
460 S: +OK Maildrop locked and ready
461 ... at this point a security layer has been established and additional
462 commands and responses proceed within it ...
465 5. Extended POP3 Response Codes
467 This section defines four POP3 response codes which can be used to
468 determine the reason for a failed login (provided that the server
469 advertises the RESP-CODES capability [POP3-EXT]). These definitions
470 supercede those in [POP3-EXT] and [POP3-CODES].
472 It is RECOMMENDED that server applications use these codes when
473 possible to allow clients a straightforward, interoperable way to
474 determine the cause of an authentication failure (as opposed to
478 Siemborski Expires October, 2004 [Page 9]
484 POP3 SASL Authentication Mechanism April, 2004
487 parsing error text).
489 5.1. The LOGIN-DELAY Response Code
491 This occurs on an -ERR response to an AUTH, USER (see note), PASS or
492 APOP command and indicates that the user has logged in recently and
493 will not be allowed to login again until the login delay period has
494 expired.
496 Please see the Security Considerations section of this document for
497 an important note about returning this code in response to the USER
498 command.
500 5.2. The IN-USE Response Code
502 This occurs on an -ERR response to an AUTH, APOP, or PASS command.
503 It indicates the authentication was successful, but the user's
504 maildrop is currently in use (probably by another POP3 client).
506 5.3. The AUTH Response Code
508 The AUTH response code informs the client that there is a problem
509 with the user's credentials. This might be an incorrect password,
510 an unknown user name, an expired account, an attempt to authenticate
511 in violation of policy (such as from an invalid location or during
512 an unauthorized time), or some other problem.
514 The AUTH response code is valid with an -ERR response to any
515 authentication command including AUTH, USER (see the note in the
516 Security Considerations section of this document), PASS, or APOP.
518 Servers which include the AUTH response code with any authentication
519 failure SHOULD support the CAPA command [POP3-EXT] and SHOULD
520 include the AUTH-RESP-CODE capability (defined in the next section)
521 in the CAPA response. AUTH-RESP-CODE assures the client that only
522 errors with the AUTH code are caused by credential problems.
524 5.3.1. The AUTH-RESP-CODE Capability
526 CAPA tag:
527 AUTH-RESP-CODE
529 Arguments:
530 none
532 Added commands:
533 none
538 Siemborski Expires October, 2004 [Page 10]
544 POP3 SASL Authentication Mechanism April, 2004
547 Standard commands affected:
548 none
550 Announced states / possible differences:
551 both / no
553 Commands valid in states:
554 n/a
556 Specification reference:
557 this document
559 Discussion:
560 The AUTH-RESP-CODE capability indicates that the server includes
561 the AUTH response code with any authentication error caused by a
562 problem with the user's credentials.
564 5.4. The SYS Response Code
566 The SYS response code announces that a failure is due to a system
567 error, as opposed to the user's credentials or an external
568 condition. It is hierarchical, with two possible second-level
569 codes: TEMP and PERM. (Case is not significant at any level of the
570 hierarchy.)
572 SYS/TEMP indicates a problem which is likely to be temporary in
573 nature, and therefore there is no need to alarm the user, unless the
574 failure persists. Examples might include a central resource which
575 is currently locked or otherwise temporarily unavailable,
576 insufficient free disk or memory, etc.
578 SYS/PERM is used for problems which are unlikely to be resolved
579 without intervention. It is appropriate to alert the user and
580 suggest that the organization's support or assistance personnel be
581 contacted. Examples include corrupted mailboxes, system
582 configuration errors, etc.
584 The SYS response code is valid with an -ERR response to any command.
586 6. Security Considerations
588 Security issues are discussed throughout this memo.
590 Before the [SASL] negotiation has begun, any protocol interactions
591 are performed in the clear and may be modified by an active
592 attacker. For this reason, clients and servers MUST discard any
593 knowledge obtained prior to the start of the SASL negotiation upon
594 the establishment of a security layer.
598 Siemborski Expires October, 2004 [Page 11]
604 POP3 SASL Authentication Mechanism April, 2004
607 Servers MAY implement a policy whereby the connection is dropped
608 after a number of failed authentication attempts. If they do so,
609 they SHOULD NOT drop the connection until atleast 3 attempts to
610 authenticate have failed.
612 Implementations MUST support a configuration where [SASL] mechanisms
613 that are vulnerable to passive eavesdropping attacks (such as
614 [PLAIN]) are not advertised or used without the presence of an
615 external security layer such as [TLS].
617 Returning the LOGIN-DELAY or AUTH response codes to the USER command
618 avoids the work of authenticating the user but is likely to reveal
619 information to the client about the existence of the account in
620 question. Unless the server is operating in an environment where
621 user names are not secret (for example, many popular email clients
622 advertise the POP server and user name in an outgoing mail header),
623 or where server access is restricted, or the server can verify that
624 the connection is to the same user, the the server SHOULD NOT issue
625 this response code to the USER command. The server still saves the
626 cost of opening the maildrop, which in some environments is the most
627 expensive step.
629 7. IANA Considerations
631 This document requests that the IANA update the entry for the "pop"
632 SASL protocol name to point at this document.
634 This document requests that the IANA update the entry for the SASL
635 POP3 capability to be as defined in Section 3 of this document.
637 This document requests that the IANA update the entry for the LOGIN-
638 DELAY, IN-USE, AUTH, SYS/TEMP, and SYS/PERM POP3 response codes to
639 this document.
641 This document requests that the IANA update the entry for the AUTH-
642 RESP-CODE capability to be as defined in Section 5.3.1 of this
643 document.
645 8. Protocol Actions
647 [RFC Editor: Remove this section before publication]
649 This document obsoletes RFC 1734 and replaces it as a Proposed
650 Standard. By moving RFC 1734 to Historic, RFC 1731 can also be
651 moved to Historic (as RFC 1734 was the last document to have a
652 normative reference).
654 This document obsoletes RFC 3206 and replaces it as a Proposed
658 Siemborski Expires October, 2004 [Page 12]
664 POP3 SASL Authentication Mechanism April, 2004
667 Standard.
669 It also updates information contained in Section 6.3 and Section 8
670 of RFC 2449.
672 9. Intellectual Property Rights
674 The IETF takes no position regarding the validity or scope of any
675 intellectual property or other rights that might be claimed to
676 pertain to the implementation or use of the technology described in
677 this document or the extent to which any license under such rights
678 might or might not be available; neither does it represent that it
679 has made any effort to identify any such rights. Information on the
680 IETF's procedures with respect to rights in standards-track and
681 standards-related documentation can be found in BCP-11. Copies of
682 claims of rights made available for publication and any assurances
683 of licenses to be made available, or the result of an attempt made
684 to obtain a general license or permission for the use of such
685 proprietary rights by implementors or users of this specification
686 can be obtained from the IETF Secretariat.
688 The IETF invites any interested party to bring to its attention any
689 copyrights, patents or patent applications, or other proprietary
690 rights which may cover technology that may be required to practice
691 this standard. Please address the information to the IETF Executive
692 Director.
694 10. Copyright
696 Copyright (C) The Internet Society (2003). All Rights Reserved.
698 This document and translations of it may be copied and furnished to
699 others, and derivative works that comment on or otherwise explain it
700 or assist in its implementation may be prepared, copied, published
701 and distributed, in whole or in part, without restriction of any
702 kind, provided that the above copyright notice and this paragraph
703 are included on all such copies and derivative works. However, this
704 document itself may not be modified in any way, such as by removing
705 the copyright notice or references to the Internet Society or other
706 Internet organizations, except as needed for the purpose of
707 developing Internet standards in which case the procedures for
708 copyrights defined in the Internet Standards process must be
709 followed, or as required to translate it into languages other than
710 English.
712 This document and the information contained herein is provided on an
713 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
714 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
718 Siemborski Expires October, 2004 [Page 13]
724 POP3 SASL Authentication Mechanism April, 2004
727 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
728 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
729 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
778 Siemborski Expires October, 2004 [Page 14]
784 POP3 SASL Authentication Mechanism April, 2004
787 11. References
789 The following documents contain normative definitions or
790 specifications that are necessary for correct understanding of this
791 protocol:
793 [BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data
794 Encodings", RFC 3548, July 2003.
796 [DIGEST-MD5]
797 Leach, P., Melnikov, A., and Newman C., "Using Digest
798 Authentication as a SASL Mechanism", draft-ietf-sasl-
799 rfc2831bis-*.txt, a work in progress.
801 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
802 Requirement Levels", BCP 14, RFC 2119, March 1997
804 [POP3] Myers, J. and Rose, M., "Post Office Protocol - Version 3",
805 STD 53, RFC 1939, May 1996.
807 [POP3-EXT] Gellens, R., Newman, C., and Lundblade, L., "POP3 Extension
808 Mechanism", RFC 2449, November 1998.
810 [POP3-TLS] Newman, C., "Using TLS with IMAP, POP3, and ACAP", RFC 2595,
811 June 1999.
813 [SASL] Melnikov, A., "Simple Authentication and Security Layer
814 (SASL)", draft-ietf-sasl-rfc2222bis-*.txt, a work in
815 progress.
817 [SASLprep] Zeilega, K., "SASLprep: Stringprep profile for user names
818 and passwords", draft-ietf-sasl-saslprep-*.txt, a work in
819 progress
821 [StringPrep]
822 Hoffman, P. and Blanchet, M., "Preparation of
823 Internationalized Strings ("stringprep")", draft-hoffman-
824 rfc3454bis-*.txt, a work in progress
826 The following references are for informational purposes only:
828 [PLAIN] Zeilenga, K., "The Plain SASL Mechanism", draft-ietf-sasl-
829 plain-*.txt, a work in progress.
831 [POP3-AUTH] Myers, J., "POP3 AUTHentication Command", RFC 1734, January
832 1994.
834 [POP3-CODES]
838 Siemborski Expires October, 2004 [Page 15]
844 POP3 SASL Authentication Mechanism April, 2004
847 Gellens, R., "The SYS and AUTH POP Response Codes", RFC
848 3206, February 2002.
850 [TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
851 2246, January 1999.
853 12. Changes From RFC 1734, RFC 2449, and RFC 3206
855 1. The SASL-based semantics defined in RFC 2449 are now
856 normative for the AUTH extension.
858 2. Clarifications and examples of the proper behavior of
859 initial client response handling.
861 3. Minimum requirement of support for DIGEST-MD5.
863 4. Clarify ordering of TLS and SASL security layers.
865 5. Update references to newer versions of various
866 specifications.
868 6. Clarify that the mechanism list can change.
870 7. Add the use of the SASLprep profile for preparing
871 authorization identities.
873 8. General other editorial clarifications.
875 9. Consolidation of all applicable information into a
876 single document.
878 13. Author's Address:
880 Robert Siemborski
881 Carnegie Mellon, Andrew Systems Group
882 Cyert Hall 207
883 5000 Forbes Avenue
884 Pittsburgh, PA 15213
885 +1 412 268 7456
886 rjs3+@andrew.cmu.edu
888 14. Acknowledgments:
890 The author would like to acknowledge the contributions of John
891 Myers, Randall Gellens, Chris Newman, Laurence Lundblade, and other
892 contributors to RFC 1734, RFC 2554, and RFC 3206, on which this
893 document draws heavily.
898 Siemborski Expires October, 2004 [Page 16]
904 POP3 SASL Authentication Mechanism April, 2004
907 The author would also like to thank Ken Murchison, Alexey Melnikov,
908 and Mark Crispin for the time they devoted to reviewing early drafts
909 of this document.
958 Siemborski Expires October, 2004 [Page 17]
964 POP3 SASL Authentication Mechanism April, 2004
967 Table of Contents
970 1. How to Read This Document . . . . . . . . . . . . . . . . . . . . 3
971 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
972 3. The SASL Capability . . . . . . . . . . . . . . . . . . . . . . . 3
973 4. The AUTH Command . . . . . . . . . . . . . . . . . . . . . . . . 4
974 4.1. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 7
975 4.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
976 5. Extended POP3 Response Codes . . . . . . . . . . . . . . . . . . 9
977 5.1. The LOGIN-DELAY Response Code . . . . . . . . . . . . . . . . . 10
978 5.2. The IN-USE Response Code . . . . . . . . . . . . . . . . . . . 10
979 5.3. The AUTH Response Code . . . . . . . . . . . . . . . . . . . . 10
980 5.3.1. The AUTH-RESP-CODE Capability . . . . . . . . . . . . . . . . 10
981 5.4. The SYS Response Code . . . . . . . . . . . . . . . . . . . . . 11
982 6. Security Considerations . . . . . . . . . . . . . . . . . . . . . 11
983 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . . 12
984 8. Protocol Actions . . . . . . . . . . . . . . . . . . . . . . . . 12
985 9. Intellectual Property Rights . . . . . . . . . . . . . . . . . . 13
986 10. Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
987 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
988 12. Changes From RFC 1734, RFC 2449, and RFC 3206 . . . . . . . . . 16
989 13. Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16
990 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 16
1018 Siemborski Expires October, 2004 [Page 1]