idnits 2.17.1 draft-ietf-eai-rfc5721bis-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == The 'Obsoletes: ' line in the draft header should list only the _numbers_ of the RFCs which will be obsoleted by this document (if approved); it should not include the word 'RFC' in the list. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 11, 2011) is 4672 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-12) exists of draft-ietf-eai-frmwrk-4952bis-10 == Outdated reference: A later version (-13) exists of draft-ietf-eai-rfc5335bis-11 ** Obsolete normative reference: RFC 3454 (Obsoleted by RFC 7564) ** Obsolete normative reference: RFC 4013 (Obsoleted by RFC 7613) Summary: 2 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Gellens 3 Internet-Draft QUALCOMM Incorporated 4 Obsoletes: RFC5721 (if approved) C. Newman 5 Intended status: Standards Track Oracle 6 Expires: January 12, 2012 J. Yao 7 CNNIC 8 K. Fujiwara 9 JPRS 10 July 11, 2011 12 POP3 Support for UTF-8 13 draft-ietf-eai-rfc5721bis-02.txt 15 Abstract 17 This specification extends the Post Office Protocol version 3 (POP3) 18 to support un-encoded international characters in user names, 19 passwords, mail addresses, message headers, and protocol-level 20 textual strings. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on January 12, 2012. 39 Copyright Notice 41 Copyright (c) 2011 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 This document may contain material from IETF Documents or IETF 55 Contributions published or made publicly available before November 56 10, 2008. The person(s) controlling the copyright in some of this 57 material may not have granted the IETF Trust the right to allow 58 modifications of such material outside the IETF Standards Process. 59 Without obtaining an adequate license from the person(s) controlling 60 the copyright in such materials, this document may not be modified 61 outside the IETF Standards Process, and derivative works of it may 62 not be created outside the IETF Standards Process, except to format 63 it for publication as an RFC or to translate it into languages other 64 than English. 66 Table of Contents 68 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 69 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 70 2. LANG Capability . . . . . . . . . . . . . . . . . . . . . . . 4 71 3. UTF8 Capability . . . . . . . . . . . . . . . . . . . . . . . 6 72 3.1. The UTF8 Command . . . . . . . . . . . . . . . . . . . . . 7 73 3.2. USER Argument to UTF8 Capability . . . . . . . . . . . . . 8 74 4. Native UTF-8 Maildrops . . . . . . . . . . . . . . . . . . . . 9 75 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 76 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 77 7. Change History . . . . . . . . . . . . . . . . . . . . . . . . 10 78 7.1. draft-ietf-eai-rfc5721bis: Version 00 . . . . . . . . . . 10 79 7.2. draft-ietf-eai-rfc5721bis: Version 01 . . . . . . . . . . 10 80 7.3. draft-ietf-eai-rfc5721bis: Version 02 . . . . . . . . . . 10 81 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 82 8.1. Normative References . . . . . . . . . . . . . . . . . . . 10 83 8.2. Informative References . . . . . . . . . . . . . . . . . . 12 84 Appendix A. Design Rationale . . . . . . . . . . . . . . . . . . 12 85 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . . 12 87 1. Introduction 89 This document forms part of the Email Address Internationalization 90 (EAI) protocols described in the EAI Framework document 91 [I-D.ietf-eai-frmwrk-4952bis]. As part of the overall EAI work, 92 email messages may be transmitted and delivered containing un-encoded 93 UTF-8 characters, and mail drops that are accessed using POP3 94 [RFC1939] might natively store UTF-8. 96 This specification extends POP3 [RFC1939] using the POP3 extension 97 mechanism [RFC2449] to permit un-encoded UTF-8 [RFC3629] in headers, 98 as described in "Internationalized Email Headers" 99 [I-D.ietf-eai-rfc5335bis]. It also adds a mechanism to support login 100 names and passwords with UTF-8 charset beyond ASCII, and a mechanism 101 to support UTF-8 charset in protocol level response strings for 102 languages beyond English. 104 Within this specification, the term "down-conversion" refers to the 105 process of modifying a message containing UTF-8 headers 106 [I-D.ietf-eai-rfc5335bis] or body parts with 8bit content-transfer- 107 encoding, as defined in MIME Section 2.8 [RFC2045], into conforming 108 7-bit Internet Message Format [RFC5322] with message header 109 extensions for non-ASCII text [RFC2047] and other 7-bit encodings. 110 Down-conversion is specified by "Post-delivery Message Downgrading 111 for Internationalized Email Messages" [popimap-downgrade]. 113 1.1. Conventions Used in This Document 115 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 116 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 117 document are to be interpreted as described in "Key words for use in 118 RFCs to Indicate Requirement Levels" [RFC2119]. 120 In examples, "C:" and "S:" indicate lines sent by the client and 121 server, respectively. If a single "C:" or "S:" label applies to 122 multiple lines, then the line breaks between those lines are for 123 editorial clarity only and are not part of the actual protocol 124 exchange. 126 Note that examples always use 7-bit ASCII characters due to 127 limitations of this document format; in particular, some examples for 128 the "LANG" command may appear silly as a result. 130 2. LANG Capability 132 Per "POP3 Extension Mechanism" [RFC2449], this document adds a new 133 capability response tag to indicate support for a new command: LANG. 134 The capability tag and new command are described below. 136 CAPA tag: 137 LANG 139 Arguments with CAPA tag: 140 none 142 Added Commands: 143 LANG 145 Standard commands affected: 146 All 148 Announced states / possible differences: 149 both / no 151 Commands valid in states: 152 AUTHORIZATION, TRANSACTION 154 Specification reference: 155 this document 157 Discussion: 159 POP3 allows most +OK and -ERR server responses to include human- 160 readable text that, in some cases, might be presented to the user. 161 But that text is limited to ASCII by the POP3 specification 162 [RFC1939]. The LANG capability and command permit a POP3 client to 163 negotiate which language the server should use when sending human- 164 readable text. 166 A server that advertises the LANG extension MUST use the language 167 "i-default" as described in [RFC2277] as its default language until 168 another supported language is negotiated by the client. A server 169 MUST include "i-default" as one of its supported languages. 171 The LANG command requests that human-readable text included in all 172 subsequent +OK and -ERR responses be localized to a language matching 173 the language range argument (the "Basic Language Range" as described 174 by [RFC4647]). If the command succeeds, the server returns a +OK 175 response followed by a single space, the exact language tag selected, 176 another space, and the rest of the line is human-readable text in the 177 appropriate language. This and subsequent protocol-level human- 178 readable text is encoded in the UTF-8 charset. 180 If the command fails, the server returns an -ERR response and 181 subsequent human-readable response text continues to use the language 182 that was previously active (typically i-default). 184 The special "*" language range argument indicates a request to use a 185 language designated as preferred by the server administrator. The 186 preferred language MAY vary based on the currently active user. 188 If no argument is given and the POP3 server issues a positive 189 response, then the response given is multi-line. After the initial 190 +OK, for each language tag the server supports, the POP3 server 191 responds with a line for that language. This line is called a 192 "language listing". 194 In order to simplify parsing, all POP3 servers are required to use a 195 certain format for language listings. A language listing consists of 196 the language tag [RFC5646] of the message, optionally followed by a 197 single space and a human-readable description of the language in the 198 language itself, using the UTF-8 charset. 200 Examples: 202 < Note that some examples do not include the correct character 203 accents due to limitations of this document format. > 205 < The server defaults to using English i-default responses until 206 the client explicitly changes the language. > 208 C: USER karen 209 S: +OK Hello, karen 210 C: PASS password 211 S: +OK karen's maildrop contains 2 messages (320 octets) 213 < Client requests deprecated MUL language. Server replies 214 with -ERR response. > 216 C: LANG MUL 217 S: -ERR invalid language MUL 219 < A LANG command with no parameters is a request for 220 a language listing. > 222 C: LANG 223 S: +OK Language listing follows: 224 S: en English 225 S: en-boont English Boontling dialect 226 S: de Deutsch 227 S: it Italiano 228 S: es Espanol 229 S: sv Svenska 230 S: i-default Default language 231 S: . 233 < A request for a language listing might fail. > 235 C: LANG 236 S: -ERR Server is unable to list languages 238 < Once the client changes the language, all responses will be in 239 that language, starting with the response to the LANG command. > 241 C: LANG es 242 S: +OK es Idioma cambiado 244 < If a server does not support the requested primary language, 245 responses will continue to be returned in the current language 246 the server is using. > 248 C: LANG uga 249 S: -ERR es Idioma <> no es conocido 251 C: LANG sv 252 S: +OK sv Kommandot "LANG" lyckades 254 C: LANG * 255 S: +OK es Idioma cambiado 257 3. UTF8 Capability 259 Per "POP3 Extension Mechanism" [RFC2449], this document adds a new 260 capability response tag to indicate support for new server 261 functionality, including a new command: UTF8. The capability tag and 262 new command and functionality are described below. 264 CAPA tag: 265 UTF8 267 Arguments with CAPA tag: 268 USER 270 Added Commands: 271 UTF8 273 Standard commands affected: 274 USER, PASS, APOP, LIST, TOP, RETR 276 Announced states / possible differences: 277 both / no 279 Commands valid in states: 280 AUTHORIZATION 282 Specification reference: 283 this document 285 Discussion: 287 This capability adds the "UTF8" command to POP3. The UTF8 command 288 switches the session from ASCII to UTF-8 mode. In UTF-8 mode, it 289 means that both servers and clients can send and accept the UTF-8 290 characters. 292 3.1. The UTF8 Command 294 The UTF8 command enables UTF-8 mode. The UTF8 command has no 295 parameters. 297 Maildrops can natively store UTF-8 or be limited to ASCII. UTF-8 298 mode has no effect on messages in an ASCII-only maildrop. Messages 299 in native UTF-8 maildrops can be ASCII or UTF-8 using 300 internationalized headers [I-D.ietf-eai-rfc5335bis] and/or 8bit 301 content-transfer-encoding, as defined in MIME Section 2.8 [RFC2045]. 302 In UTF-8 mode, both UTF-8 and ASCII messages are sent to the client 303 as-is (without conversion). When not in UTF-8 mode, UTF-8 messages 304 in a native UTF-8 maildrop MUST NOT be sent to the client as-is. The 305 UTF8 Commands MAY fail. UTF-8 messages in a native UTF-8 maildrop 306 MAY be down-converted (downgraded) to comply with unextended POP and 307 Internet Mail Format without UTF-8 mode support. 309 Note that even in UTF-8 mode, MIME binary content-transfer-encoding 310 is still not permitted. 312 The octet count (size) of a message reported in a response to the 313 LIST command SHOULD match the actual number of octets sent in a RETR 314 response (not counting byte-stuffing). Sizes reported elsewhere, 315 such as in STAT responses and non-standardized, free-form text in 316 positive status indicators (following "+OK") need not be accurate, 317 but it is preferable if they were. 319 Mail stores are either ASCII or native UTF-8, and clients either 320 issue the UTF8 command or not. The message needs converting only 321 when it is native UTF-8 and the client has not issued the UTF8 322 command, in which case the server MAY choose to down-convert it. The 323 down-converted message may be larger. The server may choose various 324 strategies regarding down-conversion, which include when to down- 325 convert, whether to cache or store the down-converted form of a 326 message (and if so, for how long), and whether to calculate or retain 327 the size of a down-converted message independently of the down- 328 converted content. If the server does not have immediate access to 329 the accurate down-converted size, it may be faster to estimate rather 330 than calculate it. Servers are expected to normally follow the RFC 331 1939 [RFC1939] text on using the "exact size" in a scan listing, but 332 there may be situations with maildrops containing very large numbers 333 of messages in which this might be a problem. If the server does 334 estimate, reporting a scan listing size smaller than what it turns 335 out to be could be a problem for some clients. In summary, it is 336 better for servers to report accurate sizes, but if this is not 337 possible, high guesses are better than small ones. Some POP servers 338 include the message size in the non-standardized text response 339 following "+OK" (the 'text' production of RFC 2449 [RFC2449]), in a 340 RETR or TOP response (possibly because some examples in POP3 341 [RFC1939] do so). There has been at least one known case of a client 342 relying on this to know when it had received all of the message 343 rather than following the POP3 [RFC1939] rule of looking for a line 344 consisting of a termination octet (".") and a CRLF pair. While any 345 such client is non-compliant, if a server does include the size in 346 such text, it is better if it is accurate. 348 Clients MUST NOT issue the STLS command [RFC2595] after issuing UTF8; 349 servers MAY (but are not required to) enforce this by rejecting with 350 an "-ERR" response an STLS command issued subsequent to a successful 351 UTF8 command. (Because this is a protocol error as opposed to a 352 failure based on conditions, an extended response code [RFC2449] is 353 not specified.) 355 3.2. USER Argument to UTF8 Capability 357 If the USER argument is included with this capability, it indicates 358 that the server accepts UTF-8 user names and passwords. 360 Servers that include the USER argument in the UTF8 capability 361 response SHOULD apply SASLprep [RFC4013] to the arguments of the USER 362 and PASS commands. 364 A client or server that supports APOP and permits UTF-8 in user names 365 or passwords MUST apply SASLprep [RFC4013] to the user name and 366 password used to compute the APOP digest. 368 When applying SASLprep [RFC4013], servers MUST reject UTF-8 user 369 names or passwords that contain a Unicode character listed in Section 370 2.3 of SASLprep [RFC4013]. When applying SASLprep to the USER 371 argument, the PASS argument, or the APOP username argument, a 372 compliant server or client MUST treat them as a query string 373 [RFC3454](i.e., unassigned Unicode code points are allowed). When 374 applying SASLprep to the APOP password argument, a compliant server 375 or client MUST treat them as a stored string [RFC3454] (i.e., 376 unassigned Unicode code points are prohibited). 378 The client does not need to issue the UTF8 command prior to using 379 UTF-8 in authentication. However, clients MUST NOT use UTF-8 380 characters in USER, PASS, or APOP commands unless the USER argument 381 is included in the UTF8 capability response. 383 The server MUST reject UTF-8 user names or passwords that fail to 384 comply with the formal syntax in UTF-8 [RFC3629]. 386 Use of UTF-8 characters in the AUTH command is governed by the POP3 387 SASL [RFC5034] mechanism. 389 4. Native UTF-8 Maildrops 391 When a POP3 server uses a native UTF-8 maildrop, it is the 392 responsibility of the server to comply with the POP3 base 393 specification [RFC1939] and Internet Message Format [RFC5322] when 394 not in UTF-8 mode. Mechanisms for 7-bit downgrading to help comply 395 with the standards are described in [popimap-downgrade]. 397 5. IANA Considerations 399 This specification updates two capabilities ("UTF8" and "LANG") to 400 the POP3 capability registry [RFC2449]. 402 6. Security Considerations 404 The security considerations of UTF-8 [RFC3629] and SASLprep [RFC4013] 405 apply to this specification, particularly with respect to use of 406 UTF-8 in user names and passwords. 408 The "LANG *" command might reveal the existence and preferred 409 language of a user to an active attacker probing the system if the 410 active language changes in response to the USER, PASS, or APOP 411 commands prior to validating the user's credentials. Servers MUST 412 implement a configuration to prevent this exposure. 414 It is possible for a man-in-the-middle attacker to insert a LANG 415 command in the command stream, thus making protocol-level diagnostic 416 responses unintelligible to the user. A mechanism to integrity- 417 protect the session, such as Transport Layer Security (TLS) [RFC2595] 418 can be used to defeat such attacks. 420 Modifying server authentication code (in this case, to support UTF8 421 command) needs to be done with care to avoid introducing 422 vulnerabilities (for example, in string parsing). 424 The UTF8 command description (Section 3.1) contains a discussion on 425 reporting inaccurate sizes. An additional risk to doing so is that, 426 if a client allocates buffers based on the reported size, it may 427 overrun the buffer, crash, or have other problems if the message data 428 is larger than reported. 430 7. Change History 432 7.1. draft-ietf-eai-rfc5721bis: Version 00 434 following the new charter 436 7.2. draft-ietf-eai-rfc5721bis: Version 01 438 refine the texts 440 7.3. draft-ietf-eai-rfc5721bis: Version 02 442 update the texts based on Joseph's comments 444 8. References 446 8.1. Normative References 448 [I-D.ietf-eai-frmwrk-4952bis] Klensin, J. and Y. Ko, "Overview and 449 Framework for Internationalized 450 Email", 451 draft-ietf-eai-frmwrk-4952bis-10 (work 452 in progress), September 2010. 454 [I-D.ietf-eai-rfc5335bis] Yang, A., Steele, S., and N. Freed, 455 "Internationalized Email Headers", 456 draft-ietf-eai-rfc5335bis-11 (work in 457 progress), July 2011. 459 [RFC1939] Myers, J. and M. Rose, "Post Office 460 Protocol - Version 3", STD 53, 461 RFC 1939, May 1996. 463 [RFC2045] Freed, N. and N. Borenstein, 464 "Multipurpose Internet Mail Extensions 465 (MIME) Part One: Format of Internet 466 Message Bodies", RFC 2045, 467 November 1996. 469 [RFC2047] Moore, K., "MIME (Multipurpose 470 Internet Mail Extensions) Part Three: 471 Message Header Extensions for Non- 472 ASCII Text", RFC 2047, November 1996. 474 [RFC2119] Bradner, S., "Key words for use in 475 RFCs to Indicate Requirement Levels", 476 BCP 14, RFC 2119, March 1997. 478 [RFC2277] Alvestrand, H., "IETF Policy on 479 Character Sets and Languages", BCP 18, 480 RFC 2277, January 1998. 482 [RFC2449] Gellens, R., Newman, C., and L. 483 Lundblade, "POP3 Extension Mechanism", 484 RFC 2449, November 1998. 486 [RFC3454] Hoffman, P. and M. Blanchet, 487 "Preparation of Internationalized 488 Strings ("stringprep")", RFC 3454, 489 December 2002. 491 [RFC3629] Yergeau, F., "UTF-8, a transformation 492 format of ISO 10646", STD 63, 493 RFC 3629, November 2003. 495 [RFC4013] Zeilenga, K., "SASLprep: Stringprep 496 Profile for User Names and Passwords", 497 RFC 4013, February 2005. 499 [RFC4647] Phillips, A. and M. Davis, "Matching 500 of Language Tags", BCP 47, RFC 4647, 501 September 2006. 503 [RFC5322] Resnick, P., Ed., "Internet Message 504 Format", RFC 5322, October 2008. 506 [RFC5646] Phillips, A. and M. Davis, "Tags for 507 Identifying Languages", BCP 47, 508 RFC 5646, September 2009. 510 8.2. Informative References 512 [RFC2595] Newman, C., "Using TLS with IMAP, POP3 513 and ACAP", RFC 2595, June 1999. 515 [RFC5034] Siemborski, R. and A. Menon-Sen, "The 516 Post Office Protocol (POP3) Simple 517 Authentication and Security Layer 518 (SASL) Authentication Mechanism", 519 RFC 5034, July 2007. 521 [popimap-downgrade] Fujiwara, K., "Post-delivery Message 522 Downgrading for Internationalized 523 Email Messages", 524 draft-ietf-eai-popimap-downgrade-00 525 (work in progress), October 2010. 527 Appendix A. Design Rationale 529 This non-normative section discusses the reasons behind some of the 530 design choices in the above specification. 532 Due to interoperability problems with RFC 2047 and limited deployment 533 of RFC 2231, it is hoped these 7-bit encoding mechanisms can be 534 deprecated in the future when UTF-8 header support becomes prevalent. 536 USER is optional because the implementation burden of SASLprep 537 [RFC4013] is not well understood, and mandating such support in all 538 cases could negatively impact deployment. 540 Appendix B. Acknowledgments 542 Thanks to John Klensin, Tony Hansen, and other EAI working group 543 participants who provided helpful suggestions and interesting debate 544 that improved this specification. 546 Authors' Addresses 548 Randall Gellens 549 QUALCOMM Incorporated 550 5775 Morehouse Drive 551 San Diego, CA 92651 552 US 554 EMail: rg+ietf@qualcomm.com 555 Chris Newman 556 Oracle 557 800 Royal Oaks 558 Monrovia, CA 91016-6347 559 US 561 EMail: chris.newman@oracle.com 563 Jiankang YAO 564 CNNIC 565 No.4 South 4th Street, Zhongguancun 566 Beijing 568 Phone: +86 10 58813007 569 EMail: yaojk@cnnic.cn 571 Kazunori Fujiwara 572 Japan Registry Services Co., Ltd. 573 Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda 574 Tokyo 576 Phone: +81 3 5215 8451 577 EMail: fujiwara@jprs.co.jp