idnits 2.17.1 draft-ietf-eai-pop-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC1939, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC1939, updated by this document, for RFC5378 checks: 1995-05-15) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 23, 2009) is 5421 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 4646 (Obsoleted by RFC 5646) ** Obsolete normative reference: RFC 4013 (Obsoleted by RFC 7613) ** Obsolete normative reference: RFC 5335 (Obsoleted by RFC 6532) -- Obsolete informational reference (is this intentional?): RFC 5504 (Obsoleted by RFC 6530) Summary: 4 errors (**), 0 flaws (~~), 1 warning (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Gellens 3 Internet-Draft QUALCOMM Incorporated 4 Updates: 1939 (if approved) C. Newman 5 Intended status: Experimental Sun Microsystems 6 Expires: December 25, 2009 June 23, 2009 8 POP3 Support for UTF-8 9 draft-ietf-eai-pop-06.txt 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on December 25, 2009. 34 Copyright Notice 36 Copyright (c) 2009 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents in effect on the date of 41 publication of this document (http://trustee.ietf.org/license-info). 42 Please review these documents carefully, as they describe your rights 43 and restrictions with respect to this document. 45 Abstract 47 This specification extends the Post Office Protocol version 3 (POP3) 48 to support un-encoded international characters in user names, 49 passwords, mail addresses, message headers, and protocol-level 50 textual error strings. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 1.1. Conventions Used in this Document . . . . . . . . . . . . 3 56 1.2. Change History . . . . . . . . . . . . . . . . . . . . . . 3 57 1.2.1. Changes from -05 to -06 . . . . . . . . . . . . . . . 3 58 1.2.2. Changes from -04 to -05 . . . . . . . . . . . . . . . 4 59 1.2.3. Changes from -03 to -04 . . . . . . . . . . . . . . . 4 60 1.2.4. Changes from -02 to -03 . . . . . . . . . . . . . . . 4 61 1.2.5. Changes from -01 to -02 . . . . . . . . . . . . . . . 5 62 1.2.6. Changes from -00 to -01 . . . . . . . . . . . . . . . 5 63 1.2.7. Changes from draft-newman-ima-pop . . . . . . . . . . 5 64 1.3. Open Issues . . . . . . . . . . . . . . . . . . . . . . . 6 65 2. LANG Capability . . . . . . . . . . . . . . . . . . . . . . . 6 66 3. UTF8 Capability . . . . . . . . . . . . . . . . . . . . . . . 8 67 3.1. The UTF8 Command . . . . . . . . . . . . . . . . . . . . . 9 68 3.2. USER Argument to UTF8 Capability . . . . . . . . . . . . . 10 69 4. Issues with UTF-8 Header maildrop . . . . . . . . . . . . . . 10 70 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 71 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 72 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 7.1. Normative References . . . . . . . . . . . . . . . . . . . 11 74 7.2. Informative References . . . . . . . . . . . . . . . . . . 12 75 Appendix A. Design Rationale . . . . . . . . . . . . . . . . . . 12 76 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . . 13 77 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 79 1. Introduction 81 This specification extends POP3 [RFC1939] using the POP3 Extension 82 Mechanism [RFC2449] to permit un-encoded UTF-8 [RFC3629] in headers 83 as described in Internationalized Email Headers [RFC5335]. It also 84 adds a mechanism to support login names outside the ASCII character 85 set, and a mechanism to support UTF-8 protocol-level error strings in 86 a language appropriate for the user. 88 Within this specification, the term down-conversion refers to the 89 process of modifying a message containing UTF8 headers [RFC5335] or 90 body parts with 8bit content-transfer-encoding as defined in MIME 91 section 2.8 [RFC2045] into conforming 7-bit Internet Message Format 92 [RFC5322] with Message Header Extensions for Non-ASCII Text [RFC2047] 93 and other 7-bit encodings. Down-conversion is specified by 94 Downgrading mechanism for Email Address Internationalization 95 [RFC5504]. 97 1.1. Conventions Used in this Document 99 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 100 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 101 document are to be interpreted as described in "Key words for use in 102 RFCs to Indicate Requirement Levels" [RFC2119]. 104 The formal syntax uses the Augmented Backus-Naur Form (ABNF) 105 [RFC5234] notation including the core rules defined in Appendix B of 106 RFC 5234. 108 In examples, "C:" and "S:" indicate lines sent by the client and 109 server respectively. If a single "C:" or "S:" label applies to 110 multiple lines, then the line breaks between those lines are for 111 editorial clarity only and are not part of the actual protocol 112 exchange. 114 1.2. Change History 116 This section describes the change history of this Internet draft and 117 will be removed when/if this is published as an RFC. 119 1.2.1. Changes from -05 to -06 121 o Removed LIST and TOP as possible arguments to the UTF8 tag in the 122 CAPA response. 124 o Clarified that the UTF8 command has no parameters. 126 o Changed "arguments" to "arguments with CAPA tag" to clarify that 127 these are possible arguments to the tag in the CAPA response and 128 not command parameters. 130 o Clarified use of "argument" to refer to CAPA tag and "parameter" 131 to refer to commands. 133 o Clarified that free-form text is non-standard. 135 o Removed open issue (downgrading). 137 o Added discussion of downgrading to Appendix A. 139 o Updated downgrade reference to RFC 5504. 141 o Tweaked RFC 2119 text to satisfy I-D nit checker. 143 1.2.2. Changes from -04 to -05 145 o Downgrading is back to an informative, not normative reference, 146 and is suggested as a good idea but explicitly not required. 148 o Language listing now specifies that the human-readable description 149 of a language is in the language itself. 151 o Updated 2822 reference to 5322, made text "Internet Message 152 Format". 154 o Updated reference to utf8headers draft to RFC5335. 156 o Updated reference to RFC4234 to RFC5234. 158 1.2.3. Changes from -03 to -04 160 o Specified that it is an error to issue STLS after UTF8. 162 o Removed prior open issues. 164 o Downgrading added as open issue. 166 1.2.4. Changes from -02 to -03 168 o Updated references. 170 o Replaced US-ASCII with ASCII. 172 o Added comment to language listing failure example. 174 o Replaced RET8, LST8, and TOP8 commands with a single mode-switch 175 UTF8 command issued before authentication. This simplifies the 176 protocol, and allows servers to optionally down-convert a cache of 177 the maildrop prior to issuing the +OK response entering 178 TRANSACTION state. 180 o Removed most up-conversion material. 182 o Removed definition of up-conversion. 184 o Removed IMAP4 reference. 186 o Added AUTH command to those affected by UTF8 capability. 188 o Removed LST8 and TOP8 capability parameters and commands. 190 o Removed NO-RETR capability. POP servers are now unconditionally 191 required to support down-conversion of UTF8-native maildrops. 193 o Added sentence about modifying authentication code to Security 194 Considerations. 196 o eai-downgrade draft is now normative and required. 198 o Deleted references to RFCs 1341, 1847, 2049, 2183, 3501, 3516, and 199 3490. 201 1.2.5. Changes from -01 to -02 203 o Minor grammatical tweaks. 205 o Add passwords to Abstract. 207 o Removed new editor's name from Acknowledgments. 209 1.2.6. Changes from -00 to -01 211 o Update references 213 1.2.7. Changes from draft-newman-ima-pop 215 o Change title to make this a WG document. 217 o Add LANG command and extension. 219 o Rename RET8 capability to UTF8 and add sub-sections for arguments. 221 o Add TOP8 command. 223 o Add definition of up-conversion and down-conversion. 225 o Some grammar fix-ups and section re-ordering based on RFC editor 226 style. 228 1.3. Open Issues 230 1. none 232 2. LANG Capability 234 CAPA tag: 235 LANG 237 Arguments with CAPA tag: 238 none 240 Added Commands: 241 LANG 243 Standard commands affected: 244 All 246 Announced states / possible differences: 247 both / no 249 Commands valid in states: 250 AUTHENTICATION, TRANSACTION 252 Specification reference: 253 this document 255 Discussion: 257 POP3 allows most +OK and -ERR server responses to include human- 258 readable text that in some cases needs to be presented to the user. 259 But that text is limited to ASCII by the POP3 specification 260 [RFC1939]. The LANG capability and command permit a POP3 client to 261 negotiate which language the server should use when sending human- 262 readable text. 264 A server that advertises the LANG extension MUST use the language 265 "i-default" as described in [RFC2277] as its default language until 266 another supported language is negotiated by the client. A server 267 MUST include "i-default" as one of its supported languages. 269 The LANG command requests that human-readable text included in all 270 subsequent +OK and -ERR responses be localized to a language matching 271 the language range argument as described by [RFC4647]. If the 272 command succeeds, the server returns a +OK response followed by a 273 single space, the exact language tag selected, another space, and the 274 rest of the line is human-readable text in the appropriate language. 275 This and subsequent protocol-level human readable text is encoded in 276 the UTF-8 charset. 278 If the command fails, the server returns an -ERR response and 279 subsequent human-readable response text continues to use the language 280 that was previously active (typically i-default). 282 The special "*" language range argument indicates a request to use a 283 language designated as preferred by the server administrator. The 284 preferred language MAY vary based on the currently active user. 286 If no argument is given and the POP3 server issues a positive 287 response, then the response given is multi-line. After the initial 288 +OK, for each language tag the server supports, the POP3 server 289 responds with a line for that language. This line is called a 290 "language listing". 292 In order to simplify parsing, all POP3 servers are required to use a 293 certain format for language listings. A language listing consists of 294 the language tag [RFC4646] of the message, optionally followed by a 295 single space and a human readable description of the language in the 296 language itself, using the UTF-8 charset. 298 < The server defaults to using English i-default responses until 299 the client explicitly changes the language. > 301 C: USER karen 302 S: +OK Hello, karen 303 C: PASS password 304 S: +OK karen's maildrop contains 2 messages (320 octets) 306 < Client requests depricated MUL language. Server replies 307 with -ERR response > 309 C: LANG MUL 310 S: -ERR invalid language MUL 312 < A LANG command with no parameters is a request for 313 a language listing. > 315 C: LANG 316 S: +OK Language listing follows: 318 S: en English 319 S: en-boont English Boontling dialect 320 S: de Deutsch 321 S: it Italiano 322 S: i-default Default language 323 S: . 325 < A request for a language listing might fail > 327 C: LANG 328 S: -ERR Server is unable to list languages 330 < Once the client changes the language, all responses will be in 331 that language starting with the response to the LANG command. 332 Note: the example does not include the correct character accents 333 due to limitations of this document format. > 335 C: LANG fr 336 S: +OK fr La Language commande a ete execute avec success 338 < If a server does not support the requested primary language, 339 responses will continue to be returned in the current language 340 the server is using. > 342 C: LANG uga 343 S: -ERR Ce Language n'est pas supporte 345 C: LANG fr-ca 346 S: +OK fr La Language commande a ete execute avec success 348 C: LANG * 349 S: +OK fr La Language commande a ete execute avec success 351 Examples 353 3. UTF8 Capability 355 CAPA tag: 356 UTF8 358 Arguments with CAPA tag: 359 USER 361 Added Commands: 362 UTF8 364 Standard commands affected: 365 AUTH, USER, PASS, APOP, LIST, TOP, RETR 367 Announced states / possible differences: 368 both / no 370 Commands valid in states: 371 AUTHORIZATION 373 Specification reference: 374 this document 376 Discussion: 378 This capability adds the "UTF8" command to POP3. The UTF8 command 379 switches the session from ASCII to UTF8 mode. 381 3.1. The UTF8 Command 383 The UTF8 command enables UTF8 mode. The UTF8 command has no 384 parameters. 386 Maildrops can natively store UTF8 or be limited to ASCII. UTF8 mode 387 has no effect on messages in an ACII-only maildrop. Messages in 388 native-UTF8 maildrops can be ASCII or UTF8 using internationalized 389 headers [RFC5335] and/or 8bit content-transfer-encoding as defined in 390 MIME section 2.8 [RFC2045]. In UTF8 mode, both UTF8 and ASCII 391 messages are sent to the client as-is (without conversion). When not 392 in UTF8 mode, UTF8 messages in a native UTF8 maildrop MUST be down- 393 converted (downgraded) to comply with unextended POP and Internet 394 Mail Format. POP servers (unlike SMTP and Submit servers) are not 395 required to use Downgrading mechanism for Email Address 396 Internationalization [RFC5504]. 398 Discussion: The main argument against a single required mechanism for 399 downgrade by a POP server is that the only clients that have any use 400 for a standardized downgraded message (because they wish to interpret 401 downgrade headers, for example) are ones that can support UTF8 and 402 hence will issue the UTF8 command in the first place. The counter 403 argument to this is that non-UTF8 clients might be upgraded in the 404 future; it's desirable for an upgraded client to be capable of 405 interpreting prior downgraded messages in the local mail store, which 406 is most likely if the messages were downgraded using one standardized 407 procedure. 409 Therefore, while POP servers are not required to use the Downgrading 410 mechanism for Email Address Internationalization [RFC5504], there are 411 advantages to them doing so. 413 Note that even in UTF8 mode, MIME binary content-transfer-encoding is 414 still not permitted. 416 The octet count (size) of a message reported in a response to the 417 LIST command SHOULD match the actual number of octets sent in a RETR 418 response. Sizes reported elsewhere, such as in STAT responses and 419 non-standardized free-form text in positive status indicators 420 (following "+OK") need not be accurate, but it is preferable if they 421 are. 423 Clients MUST NOT issue the STLS command [RFC2595] after issuing UTF8; 424 servers MAY (but are not required to) enforce this by rejecting with 425 an "-ERR" response an STLS command issued subsequent to a successful 426 UTF8 command. (Because this is a protocol error as opposed to a 427 failure based on conditions, an extended response code [RFC2449] is 428 not specified.) 430 3.2. USER Argument to UTF8 Capability 432 If the USER argument is included with this capability, it indicates 433 that the server accepts UTF-8 user names and passwords and applies 434 SASLprep [RFC4013] to the arguments of the AUTH, USER, PASS and APOP 435 commands. A client that supports APOP and permits UTF-8 in user 436 names or passwords MUST also implement SASLprep [RFC4013] on the user 437 name and password used to compute the APOP digest. 439 The client does not need to issue the UTF8 command prior to using 440 UTF8 in authentication. However, clients MUST NOT use UTF8 in USER, 441 PASS, or APOP commands unless the USER argument is included with the 442 UTF8 capability. 444 Use of UTF8 in the AUTH command is governed by the SASL mechanism. 446 4. Issues with UTF-8 Header maildrop 448 When a POP3 server uses a UTF8-native maildrop, it is the 449 responsibility of the server to comply with the POP3 base 450 specification [RFC1939] and Internet Message Format [RFC5322] when 451 not in UTF8 mode. Mechanisms for 7-bit downgrading to help comply 452 with the standards are described in Downgrading mechanism for Email 453 Address Internationalization [RFC5504]. 455 5. IANA Considerations 457 This adds two new capabilities ("UTF8" and "LANG") to the POP3 458 capability registry [RFC2449]. 460 6. Security Considerations 462 The security considerations of UTF-8 [RFC3629] and SASLprep [RFC4013] 463 apply to this specification, particularly with respect to use of 464 UTF-8 in user names and passwords. 466 The "LANG *" command can reveal the existence and preferred language 467 of a user to an active attacker probing the system if the active 468 language changes in response to the USER, PASS, or APOP commands 469 prior to validating the user's credentials. Servers MUST implement a 470 configuration to prevent this exposure. 472 It is possible for a man-in-the-middle attacker to insert a LANG 473 command in the command stream thus making protocol-level diagnostic 474 responses unintelligible to the user. A mechanism to integrity 475 protect the session, such as TLS [RFC2595] can be used to defeat such 476 attacks. 478 Modifying server authentication code (in this case, to support UTF8) 479 needs to be done with care to avoid introducing vulnerabilities (for 480 example, in string parsing). 482 7. References 484 7.1. Normative References 486 [RFC1939] Myers, J. and M. Rose, "Post Office Protocol - Version 3", 487 STD 53, RFC 1939, May 1996. 489 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 490 Extensions (MIME) Part One: Format of Internet Message 491 Bodies", RFC 2045, November 1996. 493 [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) 494 Part Three: Message Header Extensions for Non-ASCII Text", 495 RFC 2047, November 1996. 497 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 498 Requirement Levels", BCP 14, RFC 2119, March 1997. 500 [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and 501 Languages", BCP 18, RFC 2277, January 1998. 503 [RFC2449] Gellens, R., Newman, C., and L. Lundblade, "POP3 Extension 504 Mechanism", RFC 2449, November 1998. 506 [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, 507 October 2008. 509 [RFC4646] Phillips, A. and M. Davis, "Tags for Identifying 510 Languages", BCP 47, RFC 4646, September 2006. 512 [RFC4647] Phillips, A. and M. Davis, "Matching of Language Tags", 513 BCP 47, RFC 4647, September 2006. 515 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 516 10646", STD 63, RFC 3629, November 2003. 518 [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names 519 and Passwords", RFC 4013, February 2005. 521 [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 522 Specifications: ABNF", STD 68, RFC 5234, January 2008. 524 [RFC5335] Abel, Y., "Internationalized Email Headers", RFC 5335, 525 September 2008. 527 7.2. Informative References 529 [RFC2595] Newman, C., "Using TLS with IMAP, POP3 and ACAP", 530 RFC 2595, June 1999. 532 [RFC5504] Fujiwara, K. and Y. Yoneya, "Downgrading Mechanism for 533 Email Address Internationalization", RFC 5504, March 2009. 535 Appendix A. Design Rationale 537 This non-normative section discusses the reasons behind some of the 538 design choices in the above specification. 540 Having servers perform up-conversion so that, at a minimum, RFC2047- 541 encoded words are decoded into UTF8 is tempting, since this is an 542 area that clients often fail to correctly implement. However, 543 modifying messages breaks digital signatures, and would require 544 servers to support arbitrary charset conversion. 546 USER is optional because the implementation burden of SASLprep 547 [RFC4013] is not well understood and mandating such support in all 548 cases could negatively impact deployment. 550 Due to interoperability problems with RFC 2047 and limited deployment 551 of RFC 2231, it is hoped these 7-bit encoding mechanisms can be 552 deprecated in the future when UTF-8 header support becomes prevalent. 554 While it is possible to provide useful examples for language 555 negotiation without support for non-ASCII characters, it is difficult 556 to provide useful examples for commands specifically designed to use 557 the UTF-8 charset un-encoded when the document format is limited to 558 ASCII. As a result, there are no plans to provide examples for that 559 part of the specification as long as this remains an experimental 560 proposal. However, implementers of this specification are encouraged 561 to provide examples to the document author for a future revision. 563 While down-conversion of native-UTF8 messages is mandatory in the 564 absence of the UTF8 command, servers are not required to do so as 565 specified in Downgrading Mechanism [RFC5504]. As clients are 566 upgraded with UTF8 support and the ability to intelligently handle 567 (e.g., display and reply to) UTF8 messages that were downgraded in 568 transit, it is better if they are also able to handle messages in the 569 local mail store that were downgraded by the POP server. This is 570 more likely if the POP server downgrades messages using the same 571 mechanism as an SMTP server. 573 Appendix B. Acknowledgments 575 Thanks to John Klensin, Tony Hansen and other EAI working group 576 participants who provided helpful suggestions and interesting debate 577 that improved this specification. 579 Authors' Addresses 581 Randall Gellens 582 QUALCOMM Incorporated 583 5775 Morehouse Drive 584 San Diego, CA 92651 585 US 587 Email: rg+ietf@qualcomm.com 589 Chris Newman 590 Sun Microsystems 591 800 Royal Oaks 592 Monrovia, CA 91016-6347 593 US 595 Email: chris.newman@sun.com