idnits 2.17.1

draft-ietf-eai-rfc5721bis-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == The 'Obsoletes: ' line in the draft header should list only the
     _numbers_ of the RFCs which will be obsoleted by this document (if
     approved); it should not include the word 'RFC' in the list.

  == The 'Updates: ' line in the draft header should list only the _numbers_
     of the RFCs which will be updated by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008. The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs. If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer.
     Otherwise, the disclaimer is needed and you can ignore this comment.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 30, 2011) is 4775 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-12) exists of
     draft-ietf-eai-frmwrk-4952bis-10

  == Outdated reference: A later version (-13) exists of
     draft-ietf-eai-rfc5335bis-10

  ** Obsolete normative reference: RFC 4013 (Obsoleted by RFC 7613)

     Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                         R. Gellens
Internet-Draft                                     QUALCOMM Incorporated
Obsoletes: RFC5721 (if approved)                               C. Newman
Updates: RFC1939 (if approved)                                    Oracle
Intended status: Standards Track                                  J. Yao
Expires: October 1, 2011                                           CNNIC
                                                             K. Fujiwara
                                                                    JPRS
                                                          March 30, 2011

                         POP3 Support for UTF-8
                    draft-ietf-eai-rfc5721bis-01.txt

Abstract

   This specification extends the Post Office Protocol version 3 (POP3)
   to support un-encoded international characters in user names,
   passwords, mail addresses, message headers, and protocol-level
   textual error strings.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 1, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008. The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
     1.1.  Conventions Used in This Document
   2.  LANG Capability
   3.  UTF8 Capability
     3.1.  The UTF8 Command
     3.2.  USER Argument to UTF8 Capability
   4.  Native UTF-8 Maildrops
   5.  IANA Considerations
   6.  Security Considerations
   7.  Change History
     7.1.  draft-ietf-eai-rfc5721bis: Version 00
     7.2.  draft-ietf-eai-rfc5721bis: Version 01
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Design Rationale
   Appendix B.  Acknowledgments

1.  Introduction

   This document forms part of the Email Address Internationalization
   (EAI) protocols described in the EAI Framework document
   [I-D.ietf-eai-frmwrk-4952bis]. As part of the overall EAI work,
   email messages may be transmitted and delivered containing un-encoded
   UTF-8 characters, and mail drops that are accessed using POP3
   [RFC1939] might natively store UTF-8.

   This specification extends POP3 [RFC1939] using the POP3 extension
   mechanism [RFC2449] to permit un-encoded UTF-8 [RFC3629] in headers,
   as described in "Internationalized Email Headers"
   [I-D.ietf-eai-rfc5335bis]. It also adds a mechanism to support login
   names and passwords outside the ASCII character set, and a mechanism
   to support UTF-8 protocol-level error strings in a language
   appropriate for the user.

   Within this specification, the term "down-conversion" refers to the
   process of modifying a message containing UTF-8 headers
   [I-D.ietf-eai-rfc5335bis] or body parts with 8bit content-transfer-
   encoding, as defined in MIME Section 2.8 [RFC2045], into conforming
   7-bit Internet Message Format [RFC5322] with message header
   extensions for non-ASCII text [RFC2047] and other 7-bit encodings.
   Down-conversion is specified by "Post-delivery Message Downgrading
   for Internationalized Email Messages" [popimap-downgrade].

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in "Key words for use in
   RFCs to Indicate Requirement Levels" [RFC2119].

   In examples, "C:" and "S:" indicate lines sent by the client and
   server, respectively. If a single "C:" or "S:" label applies to
   multiple lines, then the line breaks between those lines are for
   editorial clarity only and are not part of the actual protocol
   exchange.

   Note that examples always use 7-bit ASCII characters due to
   limitations of this document format; in particular, some examples for
   the "LANG" command may appear silly as a result.

2.  LANG Capability

   Per "POP3 Extension Mechanism" [RFC2449], this document adds a new
   capability response tag to indicate support for a new command: LANG.
   The capability tag and new command are described below.

   CAPA tag:
      LANG

   Arguments with CAPA tag:
      none

   Added Commands:
      LANG

   Standard commands affected:
      All

   Announced states / possible differences:
      both / no

   Commands valid in states:
      AUTHENTICATION, TRANSACTION

   Specification reference:
      this document

   Discussion:

   POP3 allows most +OK and -ERR server responses to include human-
   readable text that, in some cases, might be presented to the user.
   But that text is limited to ASCII by the POP3 specification
   [RFC1939]. The LANG capability and command permit a POP3 client to
   negotiate which language the server should use when sending human-
   readable text.

   A server that advertises the LANG extension MUST use the language
   "i-default" as described in [RFC2277] as its default language until
   another supported language is negotiated by the client. A server
   MUST include "i-default" as one of its supported languages.

   The LANG command requests that human-readable text included in all
   subsequent +OK and -ERR responses be localized to a language matching
   the language range argument (the "Basic Language Range" as described
   by [RFC4647]). If the command succeeds, the server returns a +OK
   response followed by a single space, the exact language tag selected,
   another space, and the rest of the line is human-readable text in the
   appropriate language. This and subsequent protocol-level human-
   readable text is encoded in the UTF-8 charset.

   If the command fails, the server returns an -ERR response and
   subsequent human-readable response text continues to use the language
   that was previously active (typically i-default).

   The special "*" language range argument indicates a request to use a
   language designated as preferred by the server administrator. The
   preferred language MAY vary based on the currently active user.

   If no argument is given and the POP3 server issues a positive
   response, then the response given is multi-line. After the initial
   +OK, for each language tag the server supports, the POP3 server
   responds with a line for that language. This line is called a
   "language listing".

   In order to simplify parsing, all POP3 servers are required to use a
   certain format for language listings. A language listing consists of
   the language tag [RFC5646] of the message, optionally followed by a
   single space and a human-readable description of the language in the
   language itself, using the UTF-8 charset.
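
   A client-side reading of the LANG response formats described above,
   as an added Python example that is not part of the draft. The
   function and class names are hypothetical, the tag check is a loose
   syntax test rather than full [RFC5646] validation, and the sample
   lines are taken from the draft's own examples with line endings
   already removed.

```python
import re

# Loose shape check for a language tag (hyphen-separated subtags of 1-8
# characters); this is an assumption of the example, not RFC 5646 validation.
_TAG = re.compile(r"[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*")


class LangError(Exception):
    """A server response does not follow the LANG formats."""


def _decode(line):
    # Human-readable text is UTF-8; refuse malformed sequences instead of
    # silently substituting replacement characters.
    try:
        return line.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise LangError("response is not valid UTF-8") from exc


def parse_listing(lines):
    """Parse the multi-line reply to a bare LANG into {tag: description}."""
    status = _decode(lines[0])
    if not status.startswith("+OK"):
        raise LangError("listing refused: " + status)
    langs = {}
    for raw in lines[1:]:
        if raw == b".":                      # termination line
            if "i-default" not in langs:
                raise LangError("server omitted the mandatory i-default")
            return langs
        tag, _, description = _decode(raw).partition(" ")
        if not _TAG.fullmatch(tag):
            raise LangError("malformed language tag: %r" % tag)
        langs[tag] = description             # description may be empty
    raise LangError("listing not terminated")


def apply_lang_reply(active, line):
    """Return the language in force after the reply to 'LANG <range>'."""
    text = _decode(line)
    if text.startswith("-ERR"):
        return active                        # failure: previous language stays
    parts = text.split(" ", 2)
    if parts[0] != "+OK" or len(parts) < 2 or not _TAG.fullmatch(parts[1]):
        raise LangError("malformed LANG success reply: %r" % text)
    return parts[1]


def replay(replies, active="i-default"):
    """Return the active language after each reply in turn."""
    history = []
    for line in replies:
        active = apply_lang_reply(active, line)
        history.append(active)
    return history


# Sample input: response lines from the draft's examples.
LISTING = [b"+OK Language listing follows:", b"en English",
           b"en-boont English Boontling dialect", b"de Deutsch",
           b"it Italiano", b"es Espanol", b"sv Svenska",
           b"i-default Default language", b"."]
REPLIES = [b"-ERR invalid language MUL", b"+OK es Idioma cambiado",
           b"-ERR es Idioma <> no es conocido",
           b'+OK sv Kommandot "LANG" lyckades', b"+OK es Idioma cambiado"]
```
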

   Examples:

      < Note that some examples do not include the correct character
        accents due to limitations of this document format. >

      < The server defaults to using English i-default responses until
        the client explicitly changes the language. >

      C: USER karen
      S: +OK Hello, karen
      C: PASS password
      S: +OK karen's maildrop contains 2 messages (320 octets)

      < Client requests deprecated MUL language. Server replies
        with -ERR response. >

      C: LANG MUL
      S: -ERR invalid language MUL

      < A LANG command with no parameters is a request for
        a language listing. >

      C: LANG
      S: +OK Language listing follows:
      S: en English
      S: en-boont English Boontling dialect
      S: de Deutsch
      S: it Italiano
      S: es Espanol
      S: sv Svenska
      S: i-default Default language
      S: .

      < A request for a language listing might fail. >

      C: LANG
      S: -ERR Server is unable to list languages

      < Once the client changes the language, all responses will be in
        that language, starting with the response to the LANG command. >

      C: LANG es
      S: +OK es Idioma cambiado

      < If a server does not support the requested primary language,
        responses will continue to be returned in the current language
        the server is using. >

      C: LANG uga
      S: -ERR es Idioma <> no es conocido

      C: LANG sv
      S: +OK sv Kommandot "LANG" lyckades

      C: LANG *
      S: +OK es Idioma cambiado

3.  UTF8 Capability

   Per "POP3 Extension Mechanism" [RFC2449], this document adds a new
   capability response tag to indicate support for new server
   functionality, including a new command: UTF8. The capability tag and
   new command and functionality are described below.

   CAPA tag:
      UTF8

   Arguments with CAPA tag:
      USER

   Added Commands:
      UTF8

   Standard commands affected:
      USER, PASS, APOP, LIST, TOP, RETR

   Announced states / possible differences:
      both / no

   Commands valid in states:
      AUTHORIZATION

   Specification reference:
      this document

   Discussion:

   This capability adds the "UTF8" command to POP3. The UTF8 command
   switches the session from ASCII to UTF-8 mode.

3.1.  The UTF8 Command

   The UTF8 command enables UTF-8 mode. The UTF8 command has no
   parameters.

   Maildrops can natively store UTF-8 or be limited to ASCII. UTF-8
   mode has no effect on messages in an ASCII-only maildrop. Messages
   in native UTF-8 maildrops can be ASCII or UTF-8 using
   internationalized headers [I-D.ietf-eai-rfc5335bis] and/or 8bit
   content-transfer-encoding, as defined in MIME Section 2.8 [RFC2045].
   In UTF-8 mode, both UTF-8 and ASCII messages are sent to the client
   as-is (without conversion). When not in UTF-8 mode, UTF-8 messages
   in a native UTF-8 maildrop MUST NOT be sent to the client as-is. The
   UTF8 command MAY fail. UTF-8 messages in a native UTF-8 maildrop
   MAY be down-converted (downgraded) to comply with unextended POP and
   Internet Mail Format without UTF-8 mode support.

   Note that even in UTF-8 mode, MIME binary content-transfer-encoding
   is still not permitted.

   The octet count (size) of a message reported in a response to the
   LIST command SHOULD match the actual number of octets sent in a RETR
   response (not counting byte-stuffing). Sizes reported elsewhere,
   such as in STAT responses and non-standardized, free-form text in
   positive status indicators (following "+OK") need not be accurate,
   but it is preferable if they are.

   Mail stores are either ASCII or native UTF-8, and clients either
   issue the UTF8 command or not. The message needs converting only
   when it is native UTF-8 and the client has not issued the UTF8
   command, in which case the server MAY choose to down-convert it. The
   down-converted message may be larger. The server may choose various
   strategies regarding down-conversion, which include when to down-
   convert, whether to cache or store the down-converted form of a
   message (and if so, for how long), and whether to calculate or retain
   the size of a down-converted message independently of the down-
   converted content. If the server does not have immediate access to
   the accurate down-converted size, it may be faster to estimate rather
   than calculate it. Servers are expected to normally follow the RFC
   1939 [RFC1939] text on using the "exact size" in a scan listing, but
   there may be situations with maildrops containing very large numbers
   of messages in which this might be a problem. If the server does
   estimate, reporting a scan listing size smaller than what it turns
   out to be could be a problem for some clients. In summary, it is
   better for servers to report accurate sizes, but if this is not
   possible, high guesses are better than small ones. Some POP servers
   include the message size in the non-standardized text response
   following "+OK" (the 'text' production of RFC 2449 [RFC2449]), in a
   RETR or TOP response (possibly because some examples in POP3
   [RFC1939] do so). There has been at least one known case of a client
   relying on this to know when it had received all of the message
   rather than following the POP3 [RFC1939] rule of looking for a line
   consisting of a termination octet (".") and a CRLF pair. While any
   such client is non-compliant, if a server does include the size in
   such text, it is better if it is accurate.
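
   A client-side reader that follows the termination-line rule and
   treats every reported size as a hint only, as an added Python
   example that is not part of the draft. The names read_retr and
   Pop3FramingError, the hard_limit default, and the sample response
   are constructed for illustration.

```python
import io

CRLF = b"\r\n"


class Pop3FramingError(Exception):
    """The server's multi-line response could not be read safely."""


def read_retr(stream, listed_size, hard_limit=64 * 1024 * 1024):
    """Read one RETR response from a binary stream.

    Returns (message, size_ok): the un-stuffed message octets and whether
    their count equals the size the server gave in its LIST response.
    """
    status = stream.readline()
    if not status.startswith(b"+OK"):
        raise Pop3FramingError("RETR refused: %r" % status.rstrip())
    # Any size quoted in the free-form text after "+OK" is ignored on
    # purpose: only the termination line ends the message.
    message = bytearray()       # grows with the data actually received
    while True:
        line = stream.readline()
        if not line.endswith(CRLF):
            raise Pop3FramingError("stream ended before the termination line")
        if line == b"." + CRLF:
            break
        if line.startswith(b"."):
            line = line[1:]     # undo byte-stuffing
        # The cap is the client's own limit, never derived from listed_size.
        if len(message) + len(line) > hard_limit:
            raise Pop3FramingError("message larger than the client accepts")
        message += line
    return bytes(message), len(message) == listed_size


# Constructed sample: the server listed 40 octets (an estimate made before
# down-conversion) and repeats that figure after "+OK"; the down-converted
# message that follows is longer, and one body line starts with a dot.
SAMPLE = (
    b"+OK 40 octets\r\n"
    b"Subject: =?UTF-8?B?R3LDvMOfZSBhdXMgQmVybGlu?=\r\n"
    b"\r\n"
    b"..hidden files start with a dot\r\n"
    b"end of body\r\n"
    b".\r\n"
    b"+OK next response\r\n"
)


def demo():
    """Read SAMPLE and show that the next response is left untouched."""
    stream = io.BytesIO(SAMPLE)
    message, size_ok = read_retr(stream, listed_size=40)
    return message, size_ok, stream.readline()
```
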

   Clients MUST NOT issue the STLS command [RFC2595] after issuing UTF8;
   servers MAY (but are not required to) enforce this by rejecting with
   an "-ERR" response an STLS command issued subsequent to a successful
   UTF8 command. (Because this is a protocol error as opposed to a
   failure based on conditions, an extended response code [RFC2449] is
   not specified.)

3.2.  USER Argument to UTF8 Capability

   If the USER argument is included with this capability, it indicates
   that the server accepts UTF-8 user names and passwords.

   Servers that include the USER argument in the UTF8 capability
   response SHOULD apply SASLprep [RFC4013] to the arguments of the USER
   and PASS commands.

   A client or server that supports APOP and permits UTF-8 in user names
   or passwords MUST apply SASLprep [RFC4013] to the user name and
   password used to compute the APOP digest.

   When applying SASLprep [RFC4013], servers MUST reject UTF-8 user
   names or passwords that contain a Unicode character listed in Section
   2.3 of SASLprep [RFC4013]. When applying SASLprep to the USER
   argument, the PASS argument, or the APOP username argument, a
   compliant server or client MUST treat them as a query string (i.e.,
   unassigned Unicode code points are allowed). When applying SASLprep
   to the APOP password argument, a compliant server or client MUST
   treat them as a stored string (i.e., unassigned Unicode code points
   are prohibited).

   The client does not need to issue the UTF8 command prior to using
   UTF-8 in authentication. However, clients MUST NOT use UTF-8
   characters in USER, PASS, or APOP commands unless the USER argument
   is included in the UTF8 capability response.

   The server MUST reject UTF-8 user names or passwords that fail to
   comply with the formal syntax in UTF-8 [RFC3629].

   Use of UTF-8 characters in the AUTH command is governed by the POP3
   SASL [RFC5034] mechanism.

4.  Native UTF-8 Maildrops

   When a POP3 server uses a native UTF-8 maildrop, it is the
   responsibility of the server to comply with the POP3 base
   specification [RFC1939] and Internet Message Format [RFC5322] when
   not in UTF-8 mode. Mechanisms for 7-bit downgrading to help comply
   with the standards are described in [popimap-downgrade].

5.  IANA Considerations

   This specification updates two capabilities ("UTF8" and "LANG") to
   the POP3 capability registry [RFC2449].

6.  Security Considerations

   The security considerations of UTF-8 [RFC3629] and SASLprep [RFC4013]
   apply to this specification, particularly with respect to use of
   UTF-8 in user names and passwords.

   The "LANG *" command might reveal the existence and preferred
   language of a user to an active attacker probing the system if the
   active language changes in response to the USER, PASS, or APOP
   commands prior to validating the user's credentials. Servers MUST
   implement a configuration to prevent this exposure.

   It is possible for a man-in-the-middle attacker to insert a LANG
   command in the command stream, thus making protocol-level diagnostic
   responses unintelligible to the user. A mechanism to integrity-
   protect the session, such as Transport Layer Security (TLS) [RFC2595]
   can be used to defeat such attacks.

   Modifying server authentication code (in this case, to support UTF8
   command) needs to be done with care to avoid introducing
   vulnerabilities (for example, in string parsing).

   The UTF8 command description (Section 3.1) contains a discussion on
   reporting inaccurate sizes. An additional risk to doing so is that,
   if a client allocates buffers based on the reported size, it may
   overrun the buffer, crash, or have other problems if the message data
   is larger than reported.

7.  Change History

7.1.  draft-ietf-eai-rfc5721bis: Version 00

   following the new charter

7.2.  draft-ietf-eai-rfc5721bis: Version 01

   refine the texts

8.  References

8.1.  Normative References

   [I-D.ietf-eai-frmwrk-4952bis]  Klensin, J. and Y. Ko, "Overview and
                                  Framework for Internationalized
                                  Email",
                                  draft-ietf-eai-frmwrk-4952bis-10 (work
                                  in progress), September 2010.

   [I-D.ietf-eai-rfc5335bis]      Yang, A. and S. Steele,
                                  "Internationalized Email Headers",
                                  draft-ietf-eai-rfc5335bis-10 (work in
                                  progress), March 2011.

   [RFC1939]                      Myers, J. and M. Rose, "Post Office
                                  Protocol - Version 3", STD 53,
                                  RFC 1939, May 1996.

   [RFC2045]                      Freed, N. and N. Borenstein,
                                  "Multipurpose Internet Mail Extensions
                                  (MIME) Part One: Format of Internet
                                  Message Bodies", RFC 2045,
                                  November 1996.

   [RFC2047]                      Moore, K., "MIME (Multipurpose
                                  Internet Mail Extensions) Part Three:
                                  Message Header Extensions for Non-
                                  ASCII Text", RFC 2047, November 1996.

   [RFC2119]                      Bradner, S., "Key words for use in
                                  RFCs to Indicate Requirement Levels",
                                  BCP 14, RFC 2119, March 1997.

   [RFC2277]                      Alvestrand, H., "IETF Policy on
                                  Character Sets and Languages", BCP 18,
                                  RFC 2277, January 1998.

   [RFC2449]                      Gellens, R., Newman, C., and L.
                                  Lundblade, "POP3 Extension Mechanism",
                                  RFC 2449, November 1998.

   [RFC3629]                      Yergeau, F., "UTF-8, a transformation
                                  format of ISO 10646", STD 63,
                                  RFC 3629, November 2003.

   [RFC4013]                      Zeilenga, K., "SASLprep: Stringprep
                                  Profile for User Names and Passwords",
                                  RFC 4013, February 2005.

   [RFC4647]                      Phillips, A. and M. Davis, "Matching
                                  of Language Tags", BCP 47, RFC 4647,
                                  September 2006.

   [RFC5322]                      Resnick, P., Ed., "Internet Message
                                  Format", RFC 5322, October 2008.

   [RFC5646]                      Phillips, A. and M. Davis, "Tags for
                                  Identifying Languages", BCP 47,
                                  RFC 5646, September 2009.

8.2.  Informative References

   [RFC2595]                      Newman, C., "Using TLS with IMAP, POP3
                                  and ACAP", RFC 2595, June 1999.

   [RFC5034]                      Siemborski, R. and A.
                                  Menon-Sen, "The
                                  Post Office Protocol (POP3) Simple
                                  Authentication and Security Layer
                                  (SASL) Authentication Mechanism",
                                  RFC 5034, July 2007.

   [popimap-downgrade]            Fujiwara, K., "Post-delivery Message
                                  Downgrading for Internationalized
                                  Email Messages",
                                  draft-ietf-eai-popimap-downgrade-00
                                  (work in progress), October 2010.

Appendix A.  Design Rationale

   This non-normative section discusses the reasons behind some of the
   design choices in the above specification.

   Due to interoperability problems with RFC 2047 and limited deployment
   of RFC 2231, it is hoped these 7-bit encoding mechanisms can be
   deprecated in the future when UTF-8 header support becomes prevalent.

   USER is optional because the implementation burden of SASLprep
   [RFC4013] is not well understood, and mandating such support in all
   cases could negatively impact deployment.

   While it is possible to provide useful examples for language
   negotiation without support for non-ASCII characters, it is difficult
   to provide useful examples for commands specifically designed to use
   the UTF-8 charset un-encoded when the document format is limited to
   ASCII. As a result, there are no plans to provide examples for that
   part of the specification as long as this remains an experimental
   proposal. However, implementers of this specification are encouraged
   to provide examples to the document authors for a future revision.

Appendix B.  Acknowledgments

   Thanks to John Klensin, Tony Hansen, and other EAI working group
   participants who provided helpful suggestions and interesting debate
   that improved this specification.

Authors' Addresses

   Randall Gellens
   QUALCOMM Incorporated
   5775 Morehouse Drive
   San Diego, CA 92651
   US

   EMail: rg+ietf@qualcomm.com

   Chris Newman
   Oracle
   800 Royal Oaks
   Monrovia, CA 91016-6347
   US

   EMail: chris.newman@oracle.com

   Jiankang YAO
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Beijing

   Phone: +86 10 58813007
   EMail: yaojk@cnnic.cn

   Kazunori Fujiwara
   Japan Registry Services Co., Ltd.
   Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
   Tokyo

   Phone: +81 3 5215 8451
   EMail: fujiwara@jprs.co.jp
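
   The credential handling that Section 3.2 requires (well-formed UTF-8,
   SASLprep as a query string for USER, PASS and the APOP user name, and
   as a stored string for the APOP password), as an added Python example
   that is not part of the draft. It builds SASLprep from the standard
   library's stringprep tables; the function names and sample inputs are
   hypothetical, and the APOP digest follows [RFC1939] (MD5 over the
   timestamp followed by the shared secret).

```python
import hashlib
import stringprep
import unicodedata

# The stringprep tables are defined against Unicode 3.2.
_UCD = unicodedata.ucd_3_2_0

# Prohibited output of RFC 4013 Section 2.3, as stringprep table lookups.
_PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21_c22,
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9,
)


class CredentialRejected(ValueError):
    """The argument must be refused."""


def saslprep(text, stored):
    """Apply SASLprep; stored=True also forbids unassigned code points."""
    # Map: drop "mapped to nothing" characters, fold non-ASCII spaces.
    mapped = "".join(" " if stringprep.in_table_c12(ch) else ch
                     for ch in text if not stringprep.in_table_b1(ch))
    out = _UCD.normalize("NFKC", mapped)
    for ch in out:
        if any(table(ch) for table in _PROHIBITED):
            raise CredentialRejected("prohibited character U+%04X" % ord(ch))
        if stored and stringprep.in_table_a1(ch):
            raise CredentialRejected("unassigned code point U+%04X" % ord(ch))
    # Bidirectional rule: right-to-left and left-to-right characters must
    # not be mixed, and a right-to-left string starts and ends with one.
    d1 = stringprep.in_table_d1
    if any(d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise CredentialRejected("mixed-direction string")
        if not (d1(out[0]) and d1(out[-1])):
            raise CredentialRejected("bad bidirectional string")
    return out


def decode_arg(raw):
    """Reject arguments that are not well-formed UTF-8 [RFC3629]."""
    try:
        return raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise CredentialRejected("malformed UTF-8") from exc


def prep_login_arg(raw):
    """USER, PASS and APOP user name arguments: query string."""
    return saslprep(decode_arg(raw), stored=False)


def apop_digest(timestamp, raw_password):
    """APOP digest over the timestamp and the prepared (stored) password."""
    password = saslprep(decode_arg(raw_password), stored=True)
    return hashlib.md5((timestamp + password).encode("utf-8")).hexdigest()
```

   Both sides have to run the same preparation before comparing or
   hashing; otherwise two visually identical passwords typed with
   different Unicode compositions produce different APOP digests.
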