INTERNET-DRAFT Y. Deion LinuxMagic Intended Status: Standards Track Expires May 19, 2018 November 19, 2018 IMAP Service Extension for Client Identity Abstract This document defines an Internet Message Access Protocol (IMAP) service extension called "CLIENTID" which provides a method for clients to indicate an identity to the server. This identity is an additional token that may be used for security and/or informational purposes, and with it a server may optionally apply heuristics using this token. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Yu, Deion Expires May 19, 2018 [Page 1] INTERNET-DRAFT IMAP Client Identity November 19, 2018 Table of Contents 1. Introduction ................................................. 2 2. Conventions Used in This Document ............................ 3 3. CLIENTID ..................................................... 3 3.1. CLIENTID Command ......................................... 3 3.2. CLIENTID Arguments ....................................... 3 3.3. Advertising the CLIENTID capability ....................... 4 3.4. Restrictions on the CLIENTID command ...................... 4 4. Formal Syntax ................................................ 4 5. Discussion ................................................... 5 5.1. Applying heuristics to CLIENTID ........................... 5 5.2. Utility of CLIENTID ....................................... 5 5.3. Use Cases of CLIENTID ..................................... 6 5.4. Other IMAP Client Identifiers ............................. 6 5.5. Future Considerations ..................................... 7 6. Client Identity Types ........................................ 7 7. Examples ..................................................... 8 7.1. UUID as Client Identity .................................. 8 7.2. Malformed CLIENTID Command ............................... 8 7.3. Client Identity Without a TLS/SSL Session ................ 9 7.4. Client Identity Leading to Rejection ..................... 9 8. Security Considerations ...................................... 9 9. IANA Considerations .......................................... 10 10. References ................................................... 10 10.1. Normative References ..................................... 10 Contributors ..................................................... 10 Authors' Addresses ............................................... 10 1. Introduction The [IMAP] protocol and its extensions describe methods whereby an client may provide identity and/or authentication information to an IMAP server. However, these existing methods are subject to limitations and none offer a way to identify the IMAP client with absolute confidence. This document defines an IMAP service extension to provide an additional identity token which can represent the IMAP client with a higher degree of certainty when accessing the IMAP server. Typically IMAP clients enter the authenticated state by using either the AUTHENTICATE or LOGIN command. IMAP servers are often subject to malicious clients attempting to use authorization credentials and/or identities not intended for their use (e.g. stolen credentials or brute force attacks). When such an attack is attempted, the IMAP server may be unable to identify the impersonation and restrict such an unintended use by someone other than the authorized user or said credentials. While there are ways to identify the source of the IMAP client such as its IP address, it would be useful if there was an additional way to uniquely identify the client in a method solely available across an encrypted channel. Using the CLIENTID extension, an IMAP client can provide an additional identity token to the server called its "client identity". Yu, Deion Expires May 19, 2018 [Page 2] INTERNET-DRAFT IMAP Client Identity November 19, 2018 The client identity can provide unique characteristics about the client accessing the IMAP service and may be combined with existing identification mechanisms in order to identify the client. An IMAP server may then apply additional security policies using this identity such as restricting use of the service to clients presenting recognized client identities or only allowing use of authorized identities that match previously established client identities. The CLIENTID extension is present in any IMAP implementation that returns "CLIENTID" as one of the supported capabilities to the CAPABILITY command. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS]. Formal syntax is specified using [ABNF]. Example lines prefaced by "C:" are sent by the client and ones prefaced by "S:" by the server. "Connection" refers to the entire sequence of client/server interaction from the initial establishment of the network connection until its termination. 3. CLIENTID 3.1. CLIENTID Command Arguments: client identity type client identity token Responses: no specific responses for this command Result: OK - clientid completed, client identity stored BAD - command unknown or arguments invalid Note that a valid CLIENTID command will never return the NO result because heuristics MUST NOT be applied to the CLIENTID arguments at this stage. Instead the client identity information SHOULD be stored and passed along to any and all [SASL] authentication mechanisms. 3.2. CLIENTID Arguments The CLIENTID command takes the following two arguments: 1. client identity type: A string identifying the identity type the client is providing. It MUST be between 1 and 16 alphanumeric characters. 2. client identity token: A string identifying the client. It MUST be between 1 and 128 printable characters. Yu, Deion Expires May 19, 2018 [Page 3] INTERNET-DRAFT IMAP Client Identity November 19, 2018 The IMAP server MUST reject any CLIENTID command with badly formatted arguments. The IMAP server MUST accept the arguments from a valid CLIENTID command and SHOULD store it at the minimum for the remaining duration of the IMAP connection. 3.3. Advertising the CLIENTID capability The CLIENTID capability is used to tell the IMAP client that the IMAP server supports the CLIENTID extension. However, certain conditions MUST be met before the IMAP server advertises the CLIENTID capability. 1. The IMAP server and IMAP client MUST negotiate encryption via STARTTLS/SSL or some other secure mechanism. 2. The IMAP server MUST be in the non-authenticated state. 3. The IMAP server MUST have the CLIENTID extension support enabled. While all the conditions are met, the IMAP server MUST advertise the CLIENTID capability in all proceeding CAPABILITY commands. 3.4. Restrictions on the CLIENTID command Under certain circumstances, the use of the CLIENTID command will be restricted: 1. Before the CLIENTID capability has been advertised, the IMAP server MUST reject any issued CLIENTID commmand and the IMAP client MUST NOT issue the CLIENTID command. 2. Outside of the non-authenticated state, the IMAP server MUST reject any CLIENTID command issued by the IMAP client and the IMAP client MUST NOT issue the CLIENTID command. 3. Once a valid CLIENTID command has been issued, the IMAP server MUST reject any further CLIENTID command issued by the IMAP client and the IMAP client MUST NOT issue any subsequent CLIENTID commands. 4. Formal Syntax The following syntax specification uses the Augmented Backus-Naur Form notation as specified in [ABNF]. [IMAP] defines the non-terminals "capability" and "command-nonauth". Except as noted otherwise, all alphabetic characters are case- insensitive. The use of upper or lower case characters to define token strings is for editorial clarity only. Implementations MUST accept these strings in a case-insensitive fashion. capability =/ "CLIENTID" command-nonauth =/ client-id Yu, Deion Expires May 19, 2018 [Page 4] INTERNET-DRAFT IMAP Client Identity November 19, 2018 client-id = "CLIENTID" SP client-id-type SP client-id-token client-id-type = 1*16 ALPHA / DIGIT ;; alphanumeric client-id-token = 1*128 VCHAR ;; any printable US-ASCII character 5. Discussion 5.1. Applying heuristics to CLIENTID This section discusses the possible heuristics that can be applied to the information that is presented via the CLIENTID command. This information includes whether a valid CLIENTID command was issued, the client identity type and the client identity token. 1. The IMAP server MAY choose to require that a successful CLIENTID command be issued or that a particular client identity type be presented. 2. The IMAP server MAY reject any CLIENTID command with a client identity type that is not recognized by the IMAP server. 3. The IMAP server MAY reject any CLIENTID command with a client identity type that is not supported by the IMAP server. 4. An IMAP server MAY reject any CLIENTID command that contains a client identity type or client identity token that the server chooses not to accept for any reason such as by policy. 5. An IMAP server MAY reject any CLIENTID command that contains a client identity type or client identity that the server has chosen to disable or revoke use of either temporarily or permanently. The IMAP server SHOULD only ever reject an IMAP client based on CLIENTID information during or after the authentication process/handler. In the interest of limiting the amount of information being revealed, the rejection message SHOULD be as generic as possible and SHOULD NOT reveal any information on the heuristics. Even if the client identity type and/or client identity token are not recognized, supported or permitted by the server and/or the owner of the authentication credentials, the presented information may still be useful for analysis. 5.2. Utility of CLIENTID Regardless of how much it is frowned upon, common authorization information like the username and password pair are reused across multiple web services. When this authorization is compromised on a single web service, malicious actors usually also gain access to other web services. Based on this information alone, the utility of CLIENTID as an additional layer of authentication that is only Yu, Deion Expires May 19, 2018 [Page 5] INTERNET-DRAFT IMAP Client Identity November 19, 2018 available across an encrypted channel becomes more apparent. The utility of CLIENTID may be seen by considering the following: 1. An IMAP client may utilize the same IMAP server with multiple different authorized identities, so an identity that persists across authorized identities is lacking. 2. An authorized identity may make use of multiple discrete devices over different IMAP sessions, so an identity persisting on one device is lacking. 3. Existing identity information available from the connection such as network address or IP changes frequently as devices are becoming more mobile in nature. 4. Individual IMAP services have no method to determine if devices types should be permitted e.g. private IMAP services that do not persist across different connections. 5. There is no method for legacy authentication methods to associate a given set of authentication tokens to an individual and or that individuals registered devices. 5.3. Use Cases of CLIENTID With CLIENTID the IMAP server has additional information it may use in its interactions with the client. It may: 1. Restrict use of an authorization tokens to a set of client identities, thereby offering an added level of security. For example the use of an authorization token may only be accompanied by a specified set of CLIENTID tokens and/or types. 2. Identify that the same CLIENTID token is used to access multiple authorized identities, and restrict access to the IMAP service. For example a malicious client that has attempted to gain access using multiple authorization tokens may be identified through its unusual behavior. 3. Retain knowledge of CLIENTID tokens previously presented with specific authorization credentials, and if the token has not been previously seen, restrict access to the IMAP service. 4. Require that the IMAP client present a token such as a license key established outside of the IMAP session in order to make use of any authorized identity. 5. Apply different security policies to clients that provide a CLIENTID token versus those which do not. For example, provide clients providing such an identity with additional trust. 5.4. Other IMAP Client Identifiers The [IMAP] protocol and its extensions describe methods whereby an Yu, Deion Expires May 19, 2018 [Page 6] INTERNET-DRAFT IMAP Client Identity November 19, 2018 IMAP client may provide identity information to an IMAP server. Some of these identitiers are listed for contrast: 1. The client connection provides a source IP address associated with the IMAP session. This may be accompanied by a PTR record and/or GeoIP information. 2. The AUTHENTICATE and LOGIN command allows the client to present a user and/or password/authentication mechanism for an IMAP session. 5.5. Future Considerations In the future there may be a demand for being able to provide multiple CLIENTID commands with different client identity types. 6. Client Identity Types This document does not specify any CLIENTID identity type that MUST be supported. Some examples of identity type are UUID, LICENSE, DEVICE_ID, MAC and COOKIE. To start with certain types such as UUID and LICENSE SHOULD be supported. It is intended that any CLIENTID type be accepted but in the future standards on types may be set but a IMAP server SHOULD NOT reject an unidentified CLIENTID type, except for specific policy use cases. It is envisioned that in the future it will be useful to propose identity types to support. 1. UUID UUID is a common practice to represent either a individual user, hardware device or software installation associated with a specific individual. The support of UUID enables existing UUID implementations to be used to semi-uniquely identify a device associated with an individual. 2. LICENSE An IMAP client may find it useful to identify the license key of software it is using. Such licenses are typically crafted such that they are unique and useful to identify a software installation. 3. DEVICE_ID Many hardware devices are designed to be used by a single individual and already have an associated hardware device id. 4. MAC The MAC address is not always available or consistent. However, for certain use cases the MAC may be the only information available to specify a specific device. Yu, Deion Expires May 19, 2018 [Page 7] INTERNET-DRAFT IMAP Client Identity November 19, 2018 5. COOKIE While not guranteed to be consistent many web applications are designed to access IMAP directly and may need to have a semi-unique identifier available as part of the web based transaction. This document recommends that an IMAP server handle any given client identity type from a CLIENTID command in one or more of the following manners. 1. Handled but treat as not presented 2. Store in session but treat as not presented (useful for debugging) 3. System log 4. User log 5. Use for authentication 6. Use for alert when authentication fails 7. Use for alert when authentication succeeds 8. Unused 7. Examples 7.1. UUID as Client Identity C: [connection established over a plaintext connection] C: a001 CAPABILITY S: * CAPABILITY IMAP4rev1 STARTTLS AUTH=GSSAPI LOGINDISABLED S: a001 OK CAPABILITY completed C: a002 STARTTLS S: a002 OK STARTLS completed C: a003 CAPABILITY S: * CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=PLAIN CLIENTID S: a003 OK CAPABILITY completed C: a004 CLIENTID UUID 23bf83be-aad7-46aa-9e0f-39191ccf402f S: a004 OK CLIENTID completed C: a005 LOGIN joe password S: a005 OK LOGIN completed 7.2. Malformed CLIENTID Command C: [connection established over a plaintext connection] C: a001 CAPABILITY S: * CAPABILITY IMAP4rev1 STARTTLS AUTH=GSSAPI LOGINDISABLED S: a001 OK CAPABILITY completed C: a002 STARTTLS S: a002 OK STARTLS completed C: a003 CAPABILITY S: * CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=PLAIN CLIENTID S: a003 OK CAPABILITY completed C: a004 CLIENTID UUID S: a004 BAD Error in IMAP command received by server Yu, Deion Expires May 19, 2018 [Page 8] INTERNET-DRAFT IMAP Client Identity November 19, 2018 The IMAP server rejects the CLIENTID command as it is not well formed due to there being only a single parameter provided. 7.3. Client Identity without TLS/SSL Session C: [connection established over a plaintext connection] C: a001 CAPABILITY S: * CAPABILITY IMAP4rev1 STARTTLS AUTH=GSSAPI LOGINDISABLED S: a001 OK CAPABILITY completed C: a002 CLIENTID UUID 23bf83be-aad7-46aa-9e0f-39191ccf402f S: a002 BAD Unknown IMAP command received by server The IMAP server rejects use of the CLIENTID command as the CLIENTID capability had not been advertised because no encryption was negotiated between the IMAP server and IMAP client. 7.4. Client Identity Leading to Rejection C: [connection established over a plaintext connection] C: a001 CAPABILITY S: * CAPABILITY IMAP4rev1 STARTTLS AUTH=GSSAPI LOGINDISABLED S: a001 OK CAPABILITY completed C: a002 STARTTLS S: a002 OK STARTLS completed C: a003 CAPABILITY S: * CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=PLAIN CLIENTID S: a003 OK CAPABILITY completed C: a004 CLIENTID UUID 23bf83be-aad7-46aa-9e0f-39191ccf402f S: a004 OK CLIENTID completed C: a005 LOGIN joe password S: a005 BAD Failed to authenticate The IMAP server rejects use of the system during the LOGIN command after deciding that the provided client identity does not establish sufficient privileges. Note that the error message that's returned to the client is very generic and does not reveal any information about CLIENTID and/or the existence of 'joe' and/or the validity of the password. 8. Security Considerations As this extension provides an additional means of communicating information from a client to a server it is clear there is additional information divulged to the server. This may have privacy considerations depending on the client identity type or its contents. For example, it may reveal a MAC address of the device used to communicate with a server that would not previously have been revealed. While it has been useful to use identifier such as email address for authentication it is easy for these authetication tokens to be shared and/or reused and/or be publically available for other purposes. An IMAP server and or its operators SHOULD not share any CLIENTID information presented with a third party as it may represent or be linked to an individual and SHOULD never be shared in Yu, Deion Expires May 19, 2018 [Page 9] INTERNET-DRAFT IMAP Client Identity November 19, 2018 association with authentication tokens. As well, while this service extension requires that the identity information only be transmitted over an encrypted channel to reduce the risk of eavesdropping, it does not specify any policies or practices required in the establishment of such a channel, and so it is the responsibility of the client and the server to determine that the communication medium meets their requirements. 9. IANA Considerations The IANA is requested to add CLIENTID to the "IMAP 4 Capabilities" registry, http://www.iana.org/assignments/imap4-capabilities. 10. References 10.1. Normative References [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997. [IMAP] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1", RFC 3501, March 2003. [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [SASL] Myers, J., "Simple Authentication and Security Layer (SASL)", RFC 2222, October 1997. [TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999. Contributors Michael Peddemors LinuxMagic Authors' Addresses Deion Yu LinuxMagic #405 - 860 Homer St. Vancouver, British Columbia CA V6B 2W5 EMail: deiony@linuxmagic.com Yu, Deion Expires May 19, 2018 [Page 10]