idnits 2.17.1 draft-ietf-eai-pop-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 25, 2009) is 5297 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 4646 (Obsoleted by RFC 5646) ** Obsolete normative reference: RFC 4013 (Obsoleted by RFC 7613) ** Obsolete normative reference: RFC 5335 (Obsoleted by RFC 6532) -- Obsolete informational reference (is this intentional?): RFC 4952 (Obsoleted by RFC 6530) -- Obsolete informational reference (is this intentional?): RFC 5504 (Obsoleted by RFC 6530) Summary: 4 errors (**), 0 flaws (~~), 1 warning (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Gellens 3 Internet-Draft QUALCOMM Incorporated 4 Intended status: Experimental C. Newman 5 Expires: April 28, 2010 Sun Microsystems 6 October 25, 2009 8 POP3 Support for UTF-8 9 draft-ietf-eai-pop-09.txt 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. This document may contain material 15 from IETF Documents or IETF Contributions published or made publicly 16 available before November 10, 2008. The person(s) controlling the 17 copyright in some of this material may not have granted the IETF 18 Trust the right to allow modifications of such material outside the 19 IETF Standards Process. Without obtaining an adequate license from 20 the person(s) controlling the copyright in such materials, this 21 document may not be modified outside the IETF Standards Process, and 22 derivative works of it may not be created outside the IETF Standards 23 Process, except to format it for publication as an RFC or to 24 translate it into languages other than English. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF), its areas, and its working groups. Note that 28 other groups may also distribute working documents as Internet- 29 Drafts. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 The list of current Internet-Drafts can be accessed at 37 http://www.ietf.org/ietf/1id-abstracts.txt. 39 The list of Internet-Draft Shadow Directories can be accessed at 40 http://www.ietf.org/shadow.html. 42 This Internet-Draft will expire on April 28, 2010. 44 Copyright Notice 46 Copyright (c) 2009 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents in effect on the date of 51 publication of this document (http://trustee.ietf.org/license-info). 52 Please review these documents carefully, as they describe your rights 53 and restrictions with respect to this document. 55 Abstract 57 This specification extends the Post Office Protocol version 3 (POP3) 58 to support un-encoded international characters in user names, 59 passwords, mail addresses, message headers, and protocol-level 60 textual error strings. 62 Table of Contents 64 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 65 1.1. Conventions Used in this Document . . . . . . . . . . . . 3 66 1.2. Change History . . . . . . . . . . . . . . . . . . . . . . 4 67 1.2.1. Changes from -08 to -09 . . . . . . . . . . . . . . . 4 68 1.2.2. Changes from -07 to -08 . . . . . . . . . . . . . . . 4 69 1.2.3. Changes from -06 to -07 . . . . . . . . . . . . . . . 5 70 1.2.4. Changes from -05 to -06 . . . . . . . . . . . . . . . 5 71 1.2.5. Changes from -04 to -05 . . . . . . . . . . . . . . . 6 72 1.2.6. Changes from -03 to -04 . . . . . . . . . . . . . . . 6 73 1.2.7. Changes from -02 to -03 . . . . . . . . . . . . . . . 6 74 1.2.8. Changes from -01 to -02 . . . . . . . . . . . . . . . 7 75 1.2.9. Changes from -00 to -01 . . . . . . . . . . . . . . . 7 76 1.2.10. Changes from draft-newman-ima-pop . . . . . . . . . . 7 77 1.3. Open Issues . . . . . . . . . . . . . . . . . . . . . . . 8 78 2. LANG Capability . . . . . . . . . . . . . . . . . . . . . . . 8 79 3. UTF8 Capability . . . . . . . . . . . . . . . . . . . . . . . 10 80 3.1. The UTF8 Command . . . . . . . . . . . . . . . . . . . . . 11 81 3.2. USER Argument to UTF8 Capability . . . . . . . . . . . . . 13 82 4. Issues with UTF-8 Header maildrop . . . . . . . . . . . . . . 13 83 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 84 6. Security Considerations . . . . . . . . . . . . . . . . . . . 14 85 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 86 7.1. Normative References . . . . . . . . . . . . . . . . . . . 14 87 7.2. Informative References . . . . . . . . . . . . . . . . . . 15 88 Appendix A. Design Rationale . . . . . . . . . . . . . . . . . . 16 89 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . . 16 90 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 92 1. Introduction 94 This document forms part of the Email Address Internationalization 95 (EAI) experiment described in the EAI Framework [RFC4952] document 96 (for background, please see the charter of the EAI working group) and 97 should be evaluated within the context of EAI. As part of the 98 overall EAI work, email messages may be transmitted and delivered 99 containing un-encoded UTF-8 characters, and mail drops accessed using 100 POP3 [RFC1939] might natively store UTF-8. 102 This specification extends POP3 [RFC1939] using the POP3 Extension 103 Mechanism [RFC2449] to permit un-encoded UTF-8 [RFC3629] in headers 104 as described in Internationalized Email Headers [RFC5335]. It also 105 adds a mechanism to support login names outside the ASCII character 106 set, and a mechanism to support UTF-8 protocol-level error strings in 107 a language appropriate for the user. 109 This document updates POP3 [RFC1939], and the fact that an 110 Experimental specification updates a Standards-Track specification 111 means that people who participate in the experiment have to consider 112 the standard updated. Note that, as an Experimental document, there 113 is no "Updates" header. If and when a version of this document moves 114 to the standards track, an "Updates: 1939" header should be added. 116 Within this specification, the term down-conversion refers to the 117 process of modifying a message containing UTF8 headers [RFC5335] or 118 body parts with 8bit content-transfer-encoding as defined in MIME 119 section 2.8 [RFC2045] into conforming 7-bit Internet Message Format 120 [RFC5322] with Message Header Extensions for Non-ASCII Text [RFC2047] 121 and other 7-bit encodings. Down-conversion is specified by 122 Downgrading mechanism for Email Address Internationalization 123 [RFC5504]. 125 1.1. Conventions Used in this Document 127 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 128 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 129 document are to be interpreted as described in "Key words for use in 130 RFCs to Indicate Requirement Levels" [RFC2119]. 132 The formal syntax uses the Augmented Backus-Naur Form (ABNF) 133 [RFC5234] notation including the core rules defined in Appendix B of 134 RFC 5234. 136 In examples, "C:" and "S:" indicate lines sent by the client and 137 server respectively. If a single "C:" or "S:" label applies to 138 multiple lines, then the line breaks between those lines are for 139 editorial clarity only and are not part of the actual protocol 140 exchange. 142 Note that examples always use 7-bit ASCII characters due to 143 limitations of this document format; in particular, some examples for 144 the "LANG" command may appear silly as a result. 146 1.2. Change History 148 This section describes the change history of this Internet draft and 149 will be removed when/if this is published as an RFC. 151 1.2.1. Changes from -08 to -09 153 o Added new paragraph to start of Introduction to more clearly 154 explain this document within the larger EAI context. 156 o Added informative reference to EAI Framework (RFC 4952). 158 o Removed "Updates: 1939" header and added a note that one should be 159 added if and when it is published on the standards track. 161 o Added clarifying text that the "language range" argument of RFC 162 4647 is the "Basic Language Range". 164 1.2.2. Changes from -07 to -08 166 o Changed wording on applying SASLprep to APOP digest inputs. 168 o Added mandatory rejection of user names or passwords which fail to 169 comply with formal syntax of RFC 3629. 171 o Added text that, when applying SASLprep, servers MUST reject user 172 names or passwords which contain characters listed in section 2.3 173 of RFC 4013. 175 o Added normative reference to RFC 3629. 177 o Changed SASLprep language so that both clients and servers MUST 178 apply SASLprep to user names and passwords used to compute APOP 179 digest, and servers SHOULD apply SASLprep to arguments of USER and 180 PASS. 182 o Fixed typo ("ACII" instead of "ASCII"). 184 o Clarified that size doesn't include byte-stuffing. 186 o Added explanation to Introduction regarding updating RFC 1939. 188 o Added more prominent text on examples which are silly because they 189 use 7-bit ASCII. 191 o Replaced French examples with Spanish to try and make them 192 slightly less embarrassing. 194 o Replaced French-Canadian (fr-ca) example with Swedish, to try and 195 avoid accented characters. Also added Swedish to language 196 listing. 198 o Added "Examples" to LANG command examples. 200 o Added introductory text to sections on LANG and UTF8 capability 201 tags. 203 1.2.3. Changes from -06 to -07 205 o Added discussion about accuracy of size. 207 o Added mention of potential buffer overflow problems because of 208 inaccurate sizes to the Security Considerations. 210 o Added informative reference to SASL for POP3 (RFC 5034). 212 o Removed text making changes to AUTH, as this is handled by POP3 213 SASL. 215 o Fixed typo ("depricated" instead of "deprecated"). 217 o Reworded Design Rationale appendix. 219 1.2.4. Changes from -05 to -06 221 o Removed LIST and TOP as possible arguments to the UTF8 tag in the 222 CAPA response. 224 o Clarified that the UTF8 command has no parameters. 226 o Changed "arguments" to "arguments with CAPA tag" to clarify that 227 these are possible arguments to the tag in the CAPA response and 228 not command parameters. 230 o Clarified use of "argument" to refer to CAPA tag and "parameter" 231 to refer to commands. 233 o Clarified that free-form text is non-standard. 235 o Removed open issue (downgrading). 237 o Added discussion of downgrading to Appendix A. 239 o Updated downgrade reference to RFC 5504. 241 o Tweaked RFC 2119 text to satisfy I-D nit checker. 243 1.2.5. Changes from -04 to -05 245 o Downgrading is back to an informative, not normative reference, 246 and is suggested as a good idea but explicitly not required. 248 o Language listing now specifies that the human-readable description 249 of a language is in the language itself. 251 o Updated 2822 reference to 5322, made text "Internet Message 252 Format". 254 o Updated reference to utf8headers draft to RFC5335. 256 o Updated reference to RFC4234 to RFC5234. 258 1.2.6. Changes from -03 to -04 260 o Specified that it is an error to issue STLS after UTF8. 262 o Removed prior open issues. 264 o Downgrading added as open issue. 266 1.2.7. Changes from -02 to -03 268 o Updated references. 270 o Replaced US-ASCII with ASCII. 272 o Added comment to language listing failure example. 274 o Replaced RET8, LST8, and TOP8 commands with a single mode-switch 275 UTF8 command issued before authentication. This simplifies the 276 protocol, and allows servers to optionally down-convert a cache of 277 the maildrop prior to issuing the +OK response entering 278 TRANSACTION state. 280 o Removed most up-conversion material. 282 o Removed definition of up-conversion. 284 o Removed IMAP4 reference. 286 o Added AUTH command to those affected by UTF8 capability. 288 o Removed LST8 and TOP8 capability parameters and commands. 290 o Removed NO-RETR capability. POP servers are now unconditionally 291 required to support down-conversion of UTF8-native maildrops. 293 o Added sentence about modifying authentication code to Security 294 Considerations. 296 o eai-downgrade draft is now normative and required. 298 o Deleted references to RFCs 1341, 1847, 2049, 2183, 3501, 3516, and 299 3490. 301 1.2.8. Changes from -01 to -02 303 o Minor grammatical tweaks. 305 o Add passwords to Abstract. 307 o Removed new editor's name from Acknowledgments. 309 1.2.9. Changes from -00 to -01 311 o Update references 313 1.2.10. Changes from draft-newman-ima-pop 315 o Change title to make this a WG document. 317 o Add LANG command and extension. 319 o Rename RET8 capability to UTF8 and add sub-sections for arguments. 321 o Add TOP8 command. 323 o Add definition of up-conversion and down-conversion. 325 o Some grammar fix-ups and section re-ordering based on RFC editor 326 style. 328 1.3. Open Issues 330 1. none 332 2. LANG Capability 334 Per the POP3 Extension Mechanism [RFC2449], this document adds a new 335 capability response tag to indicate support for a new command: LANG. 336 The capability tag and new command are described below. 338 CAPA tag: 339 LANG 341 Arguments with CAPA tag: 342 none 344 Added Commands: 345 LANG 347 Standard commands affected: 348 All 350 Announced states / possible differences: 351 both / no 353 Commands valid in states: 354 AUTHENTICATION, TRANSACTION 356 Specification reference: 357 this document 359 Discussion: 361 POP3 allows most +OK and -ERR server responses to include human- 362 readable text that in some cases needs to be presented to the user. 363 But that text is limited to ASCII by the POP3 specification 364 [RFC1939]. The LANG capability and command permit a POP3 client to 365 negotiate which language the server should use when sending human- 366 readable text. 368 A server that advertises the LANG extension MUST use the language 369 "i-default" as described in [RFC2277] as its default language until 370 another supported language is negotiated by the client. A server 371 MUST include "i-default" as one of its supported languages. 373 The LANG command requests that human-readable text included in all 374 subsequent +OK and -ERR responses be localized to a language matching 375 the language range argument (the "Basic Language Range" as described 376 by [RFC4647]). If the command succeeds, the server returns a +OK 377 response followed by a single space, the exact language tag selected, 378 another space, and the rest of the line is human-readable text in the 379 appropriate language. This and subsequent protocol-level human 380 readable text is encoded in the UTF-8 charset. 382 If the command fails, the server returns an -ERR response and 383 subsequent human-readable response text continues to use the language 384 that was previously active (typically i-default). 386 The special "*" language range argument indicates a request to use a 387 language designated as preferred by the server administrator. The 388 preferred language MAY vary based on the currently active user. 390 If no argument is given and the POP3 server issues a positive 391 response, then the response given is multi-line. After the initial 392 +OK, for each language tag the server supports, the POP3 server 393 responds with a line for that language. This line is called a 394 "language listing". 396 In order to simplify parsing, all POP3 servers are required to use a 397 certain format for language listings. A language listing consists of 398 the language tag [RFC4646] of the message, optionally followed by a 399 single space and a human readable description of the language in the 400 language itself, using the UTF-8 charset. 402 Examples: 404 < Note that some examples do not include the correct character 405 accents due to limitations of this document format. > 407 < The server defaults to using English i-default responses until 408 the client explicitly changes the language. > 410 C: USER karen 411 S: +OK Hello, karen 412 C: PASS password 413 S: +OK karen's maildrop contains 2 messages (320 octets) 415 < Client requests deprecated MUL language. Server replies 416 with -ERR response > 418 C: LANG MUL 419 S: -ERR invalid language MUL 421 < A LANG command with no parameters is a request for 422 a language listing. > 423 C: LANG 424 S: +OK Language listing follows: 425 S: en English 426 S: en-boont English Boontling dialect 427 S: de Deutsch 428 S: it Italiano 429 S: es Espanol 430 S: sv Svenska 431 S: i-default Default language 432 S: . 434 < A request for a language listing might fail > 436 C: LANG 437 S: -ERR Server is unable to list languages 439 < Once the client changes the language, all responses will be in 440 that language starting with the response to the LANG command. 442 C: LANG es 443 S: +OK es Idioma cambiado 445 < If a server does not support the requested primary language, 446 responses will continue to be returned in the current language 447 the server is using. > 449 C: LANG uga 450 S: -ERR es Idioma <> no es conocido 452 C: LANG sv 453 S: +OK sv Kommandot "LANG" lyckades 455 C: LANG * 456 S: +OK es Idioma cambiado 458 Examples 460 3. UTF8 Capability 462 Per the POP3 Extension Mechanism [RFC2449], this document adds a new 463 capability response tag to indicate support for new server 464 functionality including a new command, UTF8. The capability tag and 465 new command and functionality are described below. 467 CAPA tag: 468 UTF8 470 Arguments with CAPA tag: 471 USER 473 Added Commands: 474 UTF8 476 Standard commands affected: 477 USER, PASS, APOP, LIST, TOP, RETR 479 Announced states / possible differences: 480 both / no 482 Commands valid in states: 483 AUTHORIZATION 485 Specification reference: 486 this document 488 Discussion: 490 This capability adds the "UTF8" command to POP3. The UTF8 command 491 switches the session from ASCII to UTF8 mode. 493 3.1. The UTF8 Command 495 The UTF8 command enables UTF8 mode. The UTF8 command has no 496 parameters. 498 Maildrops can natively store UTF8 or be limited to ASCII. UTF8 mode 499 has no effect on messages in an ASCII-only maildrop. Messages in 500 native-UTF8 maildrops can be ASCII or UTF8 using internationalized 501 headers [RFC5335] and/or 8bit content-transfer-encoding as defined in 502 MIME section 2.8 [RFC2045]. In UTF8 mode, both UTF8 and ASCII 503 messages are sent to the client as-is (without conversion). When not 504 in UTF8 mode, UTF8 messages in a native UTF8 maildrop MUST be down- 505 converted (downgraded) to comply with unextended POP and Internet 506 Mail Format. POP servers (unlike SMTP and Submit servers) are not 507 required to use Downgrading mechanism for Email Address 508 Internationalization [RFC5504]. 510 Discussion: The main argument against a single required mechanism for 511 downgrade by a POP server is that the only clients that have any use 512 for a standardized downgraded message (because they wish to interpret 513 downgrade headers, for example) are ones that can support UTF8 and 514 hence will issue the UTF8 command in the first place. The counter 515 argument to this is that non-UTF8 clients might be upgraded in the 516 future; it's desirable for an upgraded client to be capable of 517 interpreting prior downgraded messages in the local mail store, which 518 is most likely if the messages were downgraded using one standardized 519 procedure. 521 Therefore, while POP servers are not required to use the Downgrading 522 mechanism for Email Address Internationalization [RFC5504], there are 523 advantages to them doing so. 525 Note that even in UTF8 mode, MIME binary content-transfer-encoding is 526 still not permitted. 528 The octet count (size) of a message reported in a response to the 529 LIST command SHOULD match the actual number of octets sent in a RETR 530 response (not counting byte-stuffing). Sizes reported elsewhere, 531 such as in STAT responses and non-standardized free-form text in 532 positive status indicators (following "+OK") need not be accurate, 533 but it is preferable if they are. 535 Discussion: Mail stores are either ASCII or native UTF-8, and clients 536 either issue the UTF8 command or not. The message needs converting 537 only when it is native UTF8 and the client has not issued the UTF8 538 command, in which case the server must downconvert it. The 539 downconverted message may be larger. The server may choose various 540 strategies regarding downconversion, which include when to 541 downconvert, whether to cache or store the downconverted form of a 542 message (and if so, for how long), and whether to calculate or retain 543 the size of a downconverted message independently of the 544 downconverted content. If the server does not have immediate access 545 to the accurate downconverted size, it may be faster to estimate 546 rather than calculate it. Servers are expected to normally follow 547 the RFC 1939 [RFC1939] text on using the "exact size" in a scan 548 listing, but there may be situations with maildrops containing very 549 large numbers of messages in which this might be a problem. If the 550 server does estimate, reporting a scan listing size smaller than what 551 it turns out to be could be a problem for some clients. In summary, 552 it is better for servers to report accurate sizes, but if not, high 553 guesses are better than small ones. Some POP servers include the 554 message size in the non-standardized text response following "+OK" 555 (the 'text' production of RFC 2449 [RFC2449]), in a RETR or TOP 556 response (possibly because some examples in POP3 [RFC1939] do so). 557 There has been at least one known case of a client relying on this to 558 know when it had received all of the message rather than following 559 the POP3 [RFC1939] rule of looking for a line consisting of a 560 termination octet (".") and a CRLF pair. While any such client is 561 non-compliant, if a server does include the size in such text, it is 562 better if it is accurate. 564 Clients MUST NOT issue the STLS command [RFC2595] after issuing UTF8; 565 servers MAY (but are not required to) enforce this by rejecting with 566 an "-ERR" response an STLS command issued subsequent to a successful 567 UTF8 command. (Because this is a protocol error as opposed to a 568 failure based on conditions, an extended response code [RFC2449] is 569 not specified.) 571 3.2. USER Argument to UTF8 Capability 573 If the USER argument is included with this capability, it indicates 574 that the server accepts UTF-8 user names and passwords. 576 Servers which include the USER argument in the UTF8 capability 577 response SHOULD apply SASLprep [RFC4013] to the arguments of the USER 578 and PASS commands. 580 A client or server that supports APOP and permits UTF-8 in user names 581 or passwords MUST apply SASLprep [RFC4013] to the user name and 582 password used to compute the APOP digest. 584 When applying SASLprep [RFC4013], servers MUST reject UTF-8 user 585 names or passwords which contain a Unicode character listed in 586 section 2.3 of SASLprep [RFC4013]. 588 The client does not need to issue the UTF8 command prior to using 589 UTF8 in authentication. However, clients MUST NOT use UTF8 in USER, 590 PASS, or APOP commands unless the USER argument is included in the 591 UTF8 capability response. 593 The server MUST reject UTF-8 user names or passwords which fail to 594 comply with the formal syntax in UTF-8 [RFC3629]. 596 Use of UTF8 in the AUTH command is governed by the POP3 SASL 597 [RFC5034] mechanism. 599 4. Issues with UTF-8 Header maildrop 601 When a POP3 server uses a UTF8-native maildrop, it is the 602 responsibility of the server to comply with the POP3 base 603 specification [RFC1939] and Internet Message Format [RFC5322] when 604 not in UTF8 mode. Mechanisms for 7-bit downgrading to help comply 605 with the standards are described in Downgrading mechanism for Email 606 Address Internationalization [RFC5504]. 608 5. IANA Considerations 610 This adds two new capabilities ("UTF8" and "LANG") to the POP3 611 capability registry [RFC2449]. 613 6. Security Considerations 615 The security considerations of UTF-8 [RFC3629] and SASLprep [RFC4013] 616 apply to this specification, particularly with respect to use of 617 UTF-8 in user names and passwords. 619 The "LANG *" command can reveal the existence and preferred language 620 of a user to an active attacker probing the system if the active 621 language changes in response to the USER, PASS, or APOP commands 622 prior to validating the user's credentials. Servers MUST implement a 623 configuration to prevent this exposure. 625 It is possible for a man-in-the-middle attacker to insert a LANG 626 command in the command stream thus making protocol-level diagnostic 627 responses unintelligible to the user. A mechanism to integrity 628 protect the session, such as TLS [RFC2595] can be used to defeat such 629 attacks. 631 Modifying server authentication code (in this case, to support UTF8) 632 needs to be done with care to avoid introducing vulnerabilities (for 633 example, in string parsing). 635 The UTF8 Command (Section 3.1) description contains a discussion on 636 reporting inaccurate sizes. An additional risk to doing so is that, 637 if a client allocates buffers based on the reported size, it may 638 overrun the buffer, crash, or have other problems if the message data 639 is larger than reported. 641 7. References 643 7.1. Normative References 645 [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", 646 STD 53, RFC 1939, May 1996. 648 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 649 Extensions (MIME) Part One: Format of Internet Message 650 Bodies", RFC 2045, November 1996. 652 [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) 653 Part Three: Message Header Extensions for Non-ASCII Text", 654 RFC 2047, November 1996. 656 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 657 Requirement Levels", BCP 14, RFC 2119, March 1997. 659 [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and 660 Languages", BCP 18, RFC 2277, January 1998. 662 [RFC2449] Gellens, R., Newman, C., and L. Lundblade, "POP3 Extension 663 Mechanism", RFC 2449, November 1998. 665 [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, 666 October 2008. 668 [RFC4646] Phillips, A. and M. Davis, "Tags for Identifying 669 Languages", BCP 47, RFC 4646, September 2006. 671 [RFC4647] Phillips, A. and M. Davis, "Matching of Language Tags", 672 BCP 47, RFC 4647, September 2006. 674 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 675 10646", STD 63, RFC 3629, November 2003. 677 [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names 678 and Passwords", RFC 4013, February 2005. 680 [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 681 Specifications: ABNF", STD 68, RFC 5234, January 2008. 683 [RFC5335] Abel, Y., "Internationalized Email Headers", RFC 5335, 684 September 2008. 686 7.2. Informative References 688 [RFC2595] Newman, C., "Using TLS with IMAP, POP3 and ACAP", 689 RFC 2595, June 1999. 691 [RFC4952] Klensin, J. and Y. Ko, "Overview and Framework for 692 Internationalized Email", RFC 4952, July 2007. 694 [RFC5034] Siemborski, R. and A. Menon-Sen, "The Post Office Protocol 695 (POP3) Simple Authentication and Security Layer (SASL) 696 Authentication Mechanism", RFC 5034, July 2007. 698 [RFC5504] Fujiwara, K. and Y. Yoneya, "Downgrading Mechanism for 699 Email Address Internationalization", RFC 5504, March 2009. 701 Appendix A. Design Rationale 703 This non-normative section discusses the reasons behind some of the 704 design choices in the above specification. 706 Having servers perform up-conversion so that, at a minimum, RFC2047- 707 encoded words are decoded into UTF8 is tempting, since this is an 708 area that clients often fail to correctly implement. However, after 709 much discussion the group felt that the benefits did not justify the 710 burden. 712 Due to interoperability problems with RFC 2047 and limited deployment 713 of RFC 2231, it is hoped these 7-bit encoding mechanisms can be 714 deprecated in the future when UTF-8 header support becomes prevalent. 716 USER is optional because the implementation burden of SASLprep 717 [RFC4013] is not well understood and mandating such support in all 718 cases could negatively impact deployment. 720 While it is possible to provide useful examples for language 721 negotiation without support for non-ASCII characters, it is difficult 722 to provide useful examples for commands specifically designed to use 723 the UTF-8 charset un-encoded when the document format is limited to 724 ASCII. As a result, there are no plans to provide examples for that 725 part of the specification as long as this remains an experimental 726 proposal. However, implementers of this specification are encouraged 727 to provide examples to the document author for a future revision. 729 While down-conversion of native-UTF8 messages is mandatory in the 730 absence of the UTF8 command, servers are not required to do so as 731 specified in Downgrading Mechanism [RFC5504]. As clients are 732 upgraded with UTF8 support and the ability to intelligently handle 733 (e.g., display and reply to) UTF8 messages that were downgraded in 734 transit, it is better if they are also able to handle messages in the 735 local mail store that were downgraded by the POP server. This is 736 more likely if the POP server downgrades messages using the same 737 mechanism as an SMTP server. 739 Appendix B. Acknowledgments 741 Thanks to John Klensin, Tony Hansen and other EAI working group 742 participants who provided helpful suggestions and interesting debate 743 that improved this specification. 745 Authors' Addresses 747 Randall Gellens 748 QUALCOMM Incorporated 749 5775 Morehouse Drive 750 San Diego, CA 92651 751 US 753 Email: rg+ietf@qualcomm.com 755 Chris Newman 756 Sun Microsystems 757 800 Royal Oaks 758 Monrovia, CA 91016-6347 759 US 761 Email: chris.newman@sun.com