Simple Authentication and Security Layer (sasl)

Last Modified: 2008-10-28

Additional information is available at tools.ietf.org/wg/sasl

Chair(s):

  • Kurt Zeilenga <kurt.zeilenga@isode.com>

  • Tom Yu <tlyu@mit.edu>

    Security Area Director(s):

  • Tim Polk <tim.polk@nist.gov>
  • Pasi Eronen <pasi.eronen@nokia.com>

    Security Area Advisor:

  • Pasi Eronen <pasi.eronen@nokia.com>

    Mailing Lists:

    General Discussion: ietf-sasl@imc.org
    To Subscribe: ietf-sasl-request@imc.org
    In Body: subscribe
    Archive: http://www.imc.org/ietf-sasl/mail-archive/

    Description of Working Group:

    The Simple Authentication and Security Layer [RFC4422] provides key
    security services to a number of application protocols including BEEP,
    IMAP, LDAP, POP, and SMTP. The purpose of this working group is to
    shepherd SASL, including select SASL mechanisms, through the Internet
    Standards process.

    This group will work to progress the SASL Technical Specification
    toward Draft Standard.

    The group has determined that DIGEST-MD5 [RFC2831] is not suitable for
    progression on the Standards Track due to interoperability,
    internationalization, and security concerns. The group will deliver a
    technical specification for a suitable password-based
    challenge/response replacement mechanism for Standards Track
    consideration.

    The replacement mechanism is expected to be "better than" DIGEST-MD5
    from a number of perspectives including interoperability,
    internationalization, and security. The replacement mechanism is not
    expected to (but may) provide a security layer itself, instead relying
    on security services provided at a lower layer (e.g., TLS) and channel
    bindings. The WG is expected to strike a consensus-supported balance
    between the many qualities desired in the replacement. Desired
    qualities include (but are not limited to) negotiated key hardening
    iteration count, downgrade attack protection, and mutual authentication.
    The group intends to consider a number of approaches, including
    draft-newman-auth-scram and draft-josefsson-password-auth, as input.
    Additionally, the WG will deliver a document summarizing its
    DIGEST-MD5 concerns and requesting RFC 2831 be moved to Historic
    status. This document will be based upon
    draft-ietf-sasl-digest-to-historic.

    This group will deliver a revised Technical Specification suitable for
    publication as Proposed Standard for the GSS-API family of SASL
    mechanisms. This work will be based upon draft-ietf-sasl-gs2.

    The group will produce a successor document for the CRAM-MD5
    specification, RFC 2195. The outcome can be a Standards Track
    specification replacing RFC 2195, an Informational document moving RFC
    2195 to Historic, or an Informational document that documents existing
    implementation practice.

    The following areas are not within the scope of work of this WG:

    - new features,

    - SASL Mechanisms not specifically mentioned above, and

    - SASL "profiles".

    However, the SASL WG is an acceptable forum for review of SASL-related
    submissions produced by others as long as such review does not impede
    progress on the WG objectives listed above.

    Goals and Milestones:

    Done  Submit revised SASL (+ EXTERNAL) I-D
    Done  Submit revised SASL ANONYMOUS I-D
    Done  Submit revised SASL PLAIN I-D
    Done  Submit revised SASL CRAM-MD5 I-D
    Done  Submit revised SASL DIGEST-MD5 I-D
    Done  Submit revised SASL GSSAPI I-D
    Done  Submit SASL (+ EXTERNAL) to the IESG for consideration as a Proposed Standard
    Done  Submit GSSAPI to IESG for consideration as a Proposed Standard
    Done  Initial I-D for RFC4422bis
    Done  Initial I-D for DIGEST-MD5 to Historic
    Done  WGLC I-D for DIGEST-MD5 to Historic
    Done  Initial DIGEST-MD5 replacement I-D
    Done  Initial GS2 I-D
    Nov 2008  Initial RFC4422bis implementation report
    Nov 2008  Reach consensus on CRAM-MD5 successor approach (and update milestones accordingly)
    Dec 2008  WGLC RFC4422bis and implementation report I-D
    Jan 2009  WGLC DIGEST-MD5 replacement I-D
    Jan 2009  WGLC GS2 I-D

    Internet-Drafts:

    Moving DIGEST-MD5 to Historic (13499 bytes)
    Simple Authentication and Security Layer (SASL) (72113 bytes)
    CRAM-MD5 to Historic (10473 bytes)

    Request For Comments:

    SASLprep: Stringprep profile for user names and passwords (RFC 4013) (13051 bytes)
    Simple Authentication and Security Layer (SASL) (RFC 4422) (73206 bytes) obsoletes RFC 2222
    Anonymous Simple Authentication and Security Layer (SASL) Mechanism (RFC 4505) (16599 bytes) obsoletes RFC 2245
    The PLAIN Simple Authentication and Security Layer (SASL) Mechanism (RFC 4616) (20270 bytes) updates RFC 2595
    The Kerberos V5 ( (RFC 4752) (22133 bytes) obsoletes RFC 2222
