Network Working Group                                         R. Gellens
Internet-Draft                                     QUALCOMM Incorporated
Obsoletes: 5721 (if approved)                                  C. Newman
Intended status: Standards Track                                  Oracle
Expires: December 14, 2012                                        J. Yao
                                                                   CNNIC
                                                             K. Fujiwara
                                                                    JPRS
                                                           June 12, 2012


                         POP3 Support for UTF-8
                     draft-ietf-eai-rfc5721bis-05.txt

Abstract

   This specification extends the Post Office Protocol version 3 (POP3)
   to support un-encoded international characters in user names,
   passwords, mail addresses, message headers, and protocol-level
   textual strings.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 14, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
     1.1.  Conventions Used in This Document
   2.  LANG Capability
   3.  UTF8 Capability
     3.1.  The UTF8 Command
     3.2.  USER Argument to UTF8 Capability
   4.  Native UTF-8 Maildrops
   5.  UTF8 Response Code
   6.  IANA Considerations
   7.  Security Considerations
   8.  Change History
     8.1.  draft-ietf-eai-rfc5721bis: Version 00
     8.2.  draft-ietf-eai-rfc5721bis: Version 01
     8.3.  draft-ietf-eai-rfc5721bis: Version 02
     8.4.  draft-ietf-eai-rfc5721bis: Version 03
     8.5.  draft-ietf-eai-rfc5721bis: Version 04
     8.6.  draft-ietf-eai-rfc5721bis: Version 05
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Design Rationale
   Appendix B.  Acknowledgments

1.  Introduction

   This document forms part of the Email Address Internationalization
   (EAI) protocols described in the EAI Framework document [RFC6530].
   As part of the overall EAI work, email messages could be transmitted
   and delivered containing un-encoded UTF-8 characters in the header
   and/or body, and maildrops that are accessed using POP3 [RFC1939]
   might natively store UTF-8.

   This specification extends POP3 [RFC1939] using the POP3 extension
   mechanism [RFC2449] to permit un-encoded UTF-8 [RFC3629] in headers
   and bodies (e.g., transferred using 8-bit Content Transfer Encoding)
   as described in "Internationalized Email Headers" [RFC6532].
   It also adds a mechanism to support login names and passwords
   containing UTF-8 characters, and a mechanism to support UTF-8
   characters in protocol-level response strings, as well as the ability
   to negotiate a language for such response strings.

   This specification also adds a new response code to indicate that a
   message could not be returned because it requires UTF-8 mode and the
   server is unwilling to create and deliver a variant form of the
   message as discussed in Section 7 of [I-D.ietf-eai-5738bis].

   This specification replaces an earlier, experimental approach to the
   same problem, RFC 5721 [RFC5721].  Section 6 of [RFC6530] describes
   the changes in approach between RFC 5721 [RFC5721] and this
   specification.

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in "Key words for use in
   RFCs to Indicate Requirement Levels" [RFC2119].

   In examples, "C:" and "S:" indicate lines sent by the client and
   server, respectively.  If a single "C:" or "S:" label applies to
   multiple lines, then the line breaks between those lines are for
   editorial clarity only and are not part of the actual protocol
   exchange.

   Note that examples use only 7-bit ASCII characters because of
   limitations of this document format; as a result, some examples for
   the "LANG" command do not show the non-ASCII characters they would
   actually contain.

2.  LANG Capability

   Per "POP3 Extension Mechanism" [RFC2449], this document adds a new
   capability response tag to indicate support for a new command: LANG.
   The capability tag and new command are described below.

   CAPA tag:
      LANG

   Arguments with CAPA tag:
      none

   Added Commands:
      LANG

   Standard commands affected:
      All

   Announced states / possible differences:
      both / no

   Commands valid in states:
      AUTHORIZATION, TRANSACTION

   Specification reference:
      this document

   Discussion:

   POP3 allows most +OK and -ERR server responses to include human-
   readable text that, in some cases, might be presented to the user.
   But that text is limited to ASCII by the POP3 specification
   [RFC1939].  The LANG capability and command permit a POP3 client to
   negotiate which language the server uses when sending human-readable
   text.

   The LANG command requests that human-readable text included in all
   subsequent +OK and -ERR responses be localized to a language matching
   the language range argument (the "Basic Language Range" as described
   by [RFC4647]).  If the command succeeds, the server returns a +OK
   response followed by a single space, the exact language tag selected,
   another space, and the rest of the line is human-readable text in the
   appropriate language.  This and subsequent protocol-level human-
   readable text is encoded in the UTF-8 charset.

   If the command fails, the server returns a -ERR response and
   subsequent human-readable response text continues to use the language
   that was previously active.

   The special "*" language range argument indicates a request to use a
   language designated as preferred by the server administrator.  The
   preferred language MAY vary based on the currently active user.

   If no argument is given and the POP3 server issues a positive
   response, then the response given is multi-line.  After the initial
   +OK, for each language tag the server supports, the POP3 server
   responds with a line for that language.  This line is called a
   "language listing".

   In order to simplify parsing, all POP3 servers are required to use a
   certain format for language listings.  A language listing consists of
   the language tag [RFC5646] of the message, optionally followed by a
   single space and a human-readable description of the language in the
   language itself, using the UTF-8 charset.  There is no specific
   listing order for languages; the order may depend on configuration or
   implementation.

   Examples:

   < Note that some examples do not include the correct character
     accents due to limitations of this document format. >

   C: USER karen
   S: +OK Hello, karen
   C: PASS password
   S: +OK karen's maildrop contains 2 messages (320 octets)

   < Client requests deprecated MUL language.  Server replies
     with -ERR response. >

   C: LANG MUL
   S: -ERR invalid language MUL

   < A LANG command with no parameters is a request for
     a language listing. >

   C: LANG
   S: +OK Language listing follows:
   S: en English
   S: en-boont English Boontling dialect
   S: de Deutsch
   S: it Italiano
   S: es Espanol
   S: sv Svenska
   S: .

   < A request for a language listing might fail. >

   C: LANG
   S: -ERR Server is unable to list languages

   < Once the client selects the language, all responses will be in
     that language, starting with the response to the LANG command. >

   C: LANG es
   S: +OK es Idioma cambiado

   < If a server does not support the requested primary language,
     responses will continue to be returned in the current language
     the server is using. >

   C: LANG uga
   S: -ERR es Idioma <uga> no es conocido

   C: LANG sv
   S: +OK sv Kommandot "LANG" lyckades

   C: LANG *
   S: +OK es Idioma cambiado

3.  UTF8 Capability

   Per "POP3 Extension Mechanism" [RFC2449], this document adds a new
   capability response tag to indicate support for new server
   functionality, including a new command: UTF8.  The capability tag and
   new command and functionality are described below.

   CAPA tag:
      UTF8

   Arguments with CAPA tag:
      USER

   Added Commands:
      UTF8

   Standard commands affected:
      USER, PASS, APOP, LIST, TOP, RETR

   Announced states / possible differences:
      both / no

   Commands valid in states:
      AUTHORIZATION

   Specification reference:
      this document

   Discussion:

   This capability adds the "UTF8" command to POP3.  The UTF8 command
   switches the session from ASCII to UTF-8 mode.  In UTF-8 mode, both
   servers and clients can send and accept UTF-8 characters.

3.1.  The UTF8 Command

   The UTF8 command enables UTF-8 mode.  The UTF8 command has no
   parameters.

   Maildrops can natively store UTF-8 or be limited to ASCII.  UTF-8
   mode has no effect on messages in an ASCII-only maildrop.  Messages
   in native UTF-8 maildrops can be ASCII or UTF-8 using
   internationalized headers [RFC6532] and/or 8bit content-transfer-
   encoding, as defined in MIME Section 2.8 [RFC2045].  In UTF-8 mode,
   both UTF-8 and ASCII messages are sent to the client as-is (without
   conversion).  When not in UTF-8 mode, UTF-8 messages in a native
   UTF-8 maildrop MUST NOT be sent to the client as-is.  If a client
   requests a UTF-8 message when not in UTF-8 mode, the server MUST
   either create a variant of the message content (discussed in Section
   7 of [I-D.ietf-eai-5738bis]) that complies with unextended POP3 and
   the Internet Message Format, and send that variant to the client, or
   fail the request with a -ERR response containing the UTF8 response
   code (see Section 5).  The UTF8 command MAY fail.

   Note that even in UTF-8 mode, MIME binary content-transfer-encoding
   as defined in MIME Section 6.2 [RFC2045] is still not permitted.
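   The following Python model is added here as an illustration and is
   not part of this specification or of any POP3 implementation.  It
   puts the LANG negotiation of Section 2, the UTF8 command of
   Section 3.1 and the UTF8 response code of Section 5 into one
   server-side session object so that both sides of the exchange can be
   seen together.  The maildrop contents, the language table, the
   credentials and the per-user language preference are constructed for
   the example; message 2 contains non-ASCII octets and therefore
   requires UTF-8 mode.  The response code is written in the
   square-bracket form that [RFC2449] defines for response codes, and
   the "LANG *" handling follows the advice in Section 7 of not letting
   the preferred language change before the credentials are verified.

```python
import re

# Constructed maildrop (not from the draft).  Message 1 is pure ASCII;
# message 2 has an internationalized header [RFC6532] and an 8-bit body, so
# it "requires UTF-8 mode" in the sense of Sections 3.1 and 5.
MAILDROP = {
    1: b"From: karen@example.com\r\nSubject: hi\r\n\r\nplain ascii\r\n",
    2: ("From: \u00e9l\u00e8ne@example.com\r\nSubject: caf\u00e9\r\n\r\n"
        ".leading dot line\r\nbody with \u00fcml\u00e4ut\r\n").encode("utf-8"),
}
# Constructed language table: tag -> (name in that language, response texts).
LANGUAGES = {
    "en": ("English", {"changed": "Language changed",
                       "unknown": "Language <{0}> is not known"}),
    "es": ("Espanol", {"changed": "Idioma cambiado",
                       "unknown": "Idioma <{0}> no es conocido"}),
}
SERVER_DEFAULT_LANG = "en"                  # what "LANG *" selects before login
USER_PREFERRED_LANG = {"karen": "es"}       # constructed per-user preference
CREDENTIALS = {("karen", "password")}       # constructed
BASIC_RANGE = re.compile(r"^(\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*)$")  # RFC 4647


class Pop3Session:
    """Server-side state for one session; handle() returns response lines.
    Only the commands relevant to LANG and UTF8 are modelled; the RFC 1939
    AUTHORIZATION/TRANSACTION state checks are left out for brevity."""

    def __init__(self):
        self.lang, self.utf8_mode = SERVER_DEFAULT_LANG, False
        self.user, self.authenticated = None, False

    def text(self, key, *args):
        return LANGUAGES[self.lang][1][key].format(*args)

    def needs_utf8(self, n):
        return any(b > 0x7F for b in MAILDROP[n])

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "CAPA":
            return ["+OK Capability list follows", "LANG", "UTF8 USER", "STLS", "."]
        if verb == "USER":
            self.user = arg
            return ["+OK name is a valid mailbox"]
        if verb == "PASS":
            self.authenticated = (self.user, arg) in CREDENTIALS
            return ["+OK maildrop locked and ready"] if self.authenticated \
                else ["-ERR invalid password"]
        if verb == "LANG":
            return self.cmd_lang(arg)
        if verb == "UTF8":                      # Section 3.1 (the command MAY fail)
            self.utf8_mode = True
            return ["+OK UTF-8 mode enabled"]
        if verb == "STLS":                      # Section 3.1: never after UTF8
            return ["-ERR STLS not permitted after UTF8"] if self.utf8_mode \
                else ["+OK Begin TLS negotiation"]
        if verb in ("LIST", "RETR") and arg.isdigit():
            return self.cmd_message(verb, int(arg))
        return ["-ERR unknown or malformed command"]

    def cmd_lang(self, arg):
        if arg == "":                           # multi-line language listing
            return (["+OK Language listing follows:"]
                    + [f"{tag} {name}" for tag, (name, _) in LANGUAGES.items()]
                    + ["."])
        if not BASIC_RANGE.match(arg):
            return [f"-ERR {self.lang} invalid language range"]
        if arg == "*":
            # Section 7: until the credentials are verified, "*" must not
            # reflect the preference of whatever name was given in USER.
            tag = (USER_PREFERRED_LANG.get(self.user, SERVER_DEFAULT_LANG)
                   if self.authenticated else SERVER_DEFAULT_LANG)
        else:                                   # RFC 4647 basic filtering
            want = arg.lower()
            matches = [t for t in LANGUAGES if t == want or t.startswith(want + "-")]
            if not matches:                     # language stays as it was
                return [f"-ERR {self.lang} " + self.text("unknown", arg)]
            tag = matches[0]
        self.lang = tag                         # applies to this reply already
        return [f"+OK {tag} " + self.text("changed")]

    def cmd_message(self, verb, n):
        if n not in MAILDROP:
            return ["-ERR no such message"]
        if self.needs_utf8(n) and not self.utf8_mode:
            # Section 5, in the RFC 2449 bracket syntax for response codes:
            # the client may issue UTF8 and then reissue this command.
            return ["-ERR [UTF8] message requires UTF-8 mode"]
        raw = MAILDROP[n]                       # delivered as-is, no conversion
        if verb == "LIST":
            return [f"+OK {n} {len(raw)}"]       # the size RETR will actually send
        lines = raw.decode("utf-8").split("\r\n")[:-1]
        stuffed = ["." + l if l.startswith(".") else l for l in lines]  # RFC 1939
        return [f"+OK {len(raw)} octets"] + stuffed + ["."]
```

   Feeding the session the sequence LANG, LANG es, RETR 2, UTF8, RETR 2,
   STLS reproduces the behaviour described above: the listing, a reply
   already in Spanish, a "-ERR [UTF8]" refusal for the 8-bit message,
   the message delivered unchanged once UTF-8 mode is on, and STLS
   refused after UTF8.  The LIST size is taken from the same octets that
   RETR sends, so the two agree as Section 3.1 asks.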
   The octet count (size) of a message reported in a response to the
   LIST command SHOULD match the actual number of octets sent in a RETR
   response (not counting byte-stuffing).  Sizes reported elsewhere,
   such as in STAT responses and in non-standardized, free-form text in
   positive status indicators (following "+OK"), need not be accurate,
   but it is preferable that they are.

   Normal operation for UTF-8 maildrops will be for both servers and
   clients to support the extension discussed in this specification.
   Upgrading both clients and servers is the only fully satisfactory
   way to support the capabilities offered by the "UTF8" extension and
   SMTPUTF8 mail more generally.  Servers must, however, anticipate the
   possibility of a client attempting to access a message that requires
   this extension without having issued the "UTF8" command.  There is
   no completely satisfactory response for that case other than
   upgrading the client to support this specification.  One solution,
   unsatisfactory because the user may be confused by being able to
   access the message through some means and not others, is that a
   server MAY choose to reject the command to retrieve the message as
   discussed in Section 5.  Other alternatives, including the
   possibility of creating and delivering a variant form of the message,
   are discussed in Section 7 of [I-D.ietf-eai-5738bis].

   Clients MUST NOT issue the STLS command [RFC2595] after issuing UTF8;
   servers MAY (but are not required to) enforce this by rejecting with
   a -ERR response an STLS command issued subsequent to a successful
   UTF8 command.  (Because this is a protocol error as opposed to a
   failure based on conditions, an extended response code [RFC2449] is
   not specified.)

3.2.  USER Argument to UTF8 Capability

   If the USER argument is included with this capability, it indicates
   that the server accepts UTF-8 user names and passwords.
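   As an added illustration that is not part of this specification, the
   Python below applies the checks this section places on UTF-8
   credentials: strict UTF-8 decoding per [RFC3629], SASLprep [RFC4013]
   built from the stringprep [RFC3454] tables in Python's standard
   "stringprep" module, the query-string rule for USER, PASS and the
   APOP name, the stored-string rule for the APOP secret, and the APOP
   digest of [RFC1939] computed over the prepared secret so that client
   and server agree even when the password contains characters that
   SASLprep maps away.  The function names, the "kind" labels and the
   sample credentials are the example's own.  One caveat: the
   interpreter's unicodedata.normalize uses its current Unicode version,
   whereas SASLprep specifies Unicode 3.2 for normalization; the
   RFC 4013 examples used below are unaffected by that difference.

```python
import hashlib
import hmac
import stringprep
import unicodedata


class PrepError(ValueError):
    """An argument the server must reject (Section 3.2)."""


def decode_utf8_argument(octets: bytes) -> str:
    """Reject octet strings that are not well-formed UTF-8 [RFC3629].
    Python's strict codec refuses overlong sequences, encoded surrogates
    and truncated sequences, which is the formal-syntax check required."""
    try:
        return octets.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise PrepError(f"malformed UTF-8: {exc.reason}") from None


# RFC 4013 Section 2.3 prohibited output: tables C.1.2, C.2.1, C.2.2, C.3-C.9.
_PROHIBITED = (stringprep.in_table_c12, stringprep.in_table_c21,
               stringprep.in_table_c22, stringprep.in_table_c3,
               stringprep.in_table_c4, stringprep.in_table_c5,
               stringprep.in_table_c6, stringprep.in_table_c7,
               stringprep.in_table_c8, stringprep.in_table_c9)


def saslprep(text: str, stored: bool) -> str:
    """SASLprep [RFC4013] over the stringprep [RFC3454] tables.
    stored=False is the "query string" rule (unassigned code points are
    allowed); stored=True is the "stored string" rule (they are rejected)."""
    # 1. Map: non-ASCII spaces (C.1.2) become SPACE; B.1 characters vanish.
    mapped = "".join(" " if stringprep.in_table_c12(c) else c
                     for c in text if not stringprep.in_table_b1(c))
    # 2. Normalize with Unicode normalization form KC.
    out = unicodedata.normalize("NFKC", mapped)
    # 3. Prohibit the listed output and, for stored strings, code points
    #    unassigned in Unicode 3.2 (table A.1); checked on the normalized text.
    for c in out:
        if any(table(c) for table in _PROHIBITED):
            raise PrepError(f"prohibited code point U+{ord(c):04X}")
        if stored and stringprep.in_table_a1(c):
            raise PrepError(f"unassigned code point U+{ord(c):04X}")
    # 4. Bidi rule (RFC 3454 Section 6): a string containing any RandALCat
    #    character may contain no LCat character and must begin and end
    #    with a RandALCat character.
    if any(stringprep.in_table_d1(c) for c in out):
        if any(stringprep.in_table_d2(c) for c in out):
            raise PrepError("RandALCat and LCat characters mixed")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise PrepError("RandALCat string must start and end with RandALCat")
    return out


def prepare_argument(kind: str, octets: bytes):
    """Prepare one credential argument as received on the wire.
    kind is "USER", "PASS" or "APOP-NAME" (query strings) or "APOP-SECRET"
    (stored string).  Returns (True, prepared) or (False, reason)."""
    try:
        text = decode_utf8_argument(octets)
        return True, saslprep(text, stored=(kind == "APOP-SECRET"))
    except PrepError as exc:
        return False, str(exc)


def apop_digest(timestamp: str, secret: str) -> str:
    """APOP digest [RFC1939]: MD5 over the banner timestamp (angle brackets
    included) followed by the SASLprep'd shared secret."""
    prepared = saslprep(secret, stored=True)
    return hashlib.md5((timestamp + prepared).encode("utf-8")).hexdigest()


def verify_apop(timestamp: str, name_octets: bytes, digest: str, secrets: dict) -> bool:
    """Server side of APOP: prepare the name as a query string, look up the
    shared secret, and compare the digests in constant time."""
    ok, name = prepare_argument("APOP-NAME", name_octets)
    if not ok or name not in secrets:
        return False
    try:
        expected = apop_digest(timestamp, secrets[name])
    except PrepError:
        return False
    return hmac.compare_digest(expected, digest.lower())
```

   The soft hyphen in "I\u00ADX" is the RFC 4013 example of a character
   mapped to nothing: both sides must apply the mapping before hashing,
   or an APOP digest computed by a client that did not prepare the
   password will never match the server's.  U+0221 (unassigned in
   Unicode 3.2) is accepted in a USER or APOP name but rejected in the
   APOP secret, which is the query-string versus stored-string
   distinction this section draws.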
   Servers that include the USER argument in the UTF8 capability
   response SHOULD apply SASLprep [RFC4013] to the arguments of the USER
   and PASS commands.

   A client or server that supports APOP and permits UTF-8 in user names
   or passwords MUST apply SASLprep [RFC4013] to the user name and
   password used to compute the APOP digest.

   When applying SASLprep [RFC4013], servers MUST reject UTF-8 user
   names or passwords that contain a Unicode character listed in Section
   2.3 of SASLprep [RFC4013].  When applying SASLprep to the USER
   argument, the PASS argument, or the APOP username argument, a
   compliant server or client MUST treat them as a query string
   [RFC3454] (i.e., unassigned Unicode code points are allowed).  When
   applying SASLprep to the APOP password argument, a compliant server
   or client MUST treat it as a stored string [RFC3454] (i.e.,
   unassigned Unicode code points are prohibited).

   The client does not need to issue the UTF8 command prior to using
   UTF-8 in authentication.  However, clients MUST NOT use UTF-8
   characters in USER, PASS, or APOP commands unless the USER argument
   is included in the UTF8 capability response.

   The server MUST reject UTF-8 user names or passwords that fail to
   comply with the formal syntax of UTF-8 [RFC3629].

   Use of UTF-8 characters in the AUTH command is governed by the POP3
   SASL [RFC5034] mechanism.

4.  Native UTF-8 Maildrops

   When a POP3 server uses a native UTF-8 maildrop, it is the
   responsibility of the server to comply with the POP3 base
   specification [RFC1939] and Internet Message Format [RFC5322] when
   not in UTF-8 mode.  When the server is not in UTF-8 mode and the
   message requires that mode, requests to download the message MAY be
   rejected (as specified in the next section), or the various other
   alternatives outlined in Section 3.1 above and in Section 7 of the
   IMAP UTF-8 specification [I-D.ietf-eai-5738bis], including creation
   and delivery of variations on the original message, MAY be
   considered.

5.  UTF8 Response Code

   Per "POP3 Extension Mechanism" [RFC2449], this document adds a new
   response code: UTF8, described below.

   Complete response code:
      UTF8

   Valid for responses:
      -ERR

   Valid for commands:
      LIST, TOP, RETR

   Response code meaning and expected client behavior:

      The UTF8 response code indicates that a failure is due to a
      request, made when not in UTF-8 mode, for message content
      containing UTF-8 characters.

      The client MAY reissue the command after entering UTF-8 mode.

6.  IANA Considerations

   Sections 2 and 3 of this specification update the registrations of
   two capabilities ("LANG" and "UTF8") in the POP3 capability registry
   [RFC2449].

   Section 5 of this specification also adds one new response code
   ("UTF8") to the POP3 response codes registry [RFC2449].

7.  Security Considerations

   The security considerations of UTF-8 [RFC3629] and SASLprep [RFC4013]
   apply to this specification, particularly with respect to use of
   UTF-8 in user names and passwords.

   The "LANG *" command might reveal the existence and preferred
   language of a user to an active attacker probing the system if the
   active language changes in response to the USER, PASS, or APOP
   commands prior to validating the user's credentials.  Servers are
   strongly advised to implement a configuration option to prevent this
   exposure.

   It is possible for a man-in-the-middle attacker to insert a LANG
   command in the command stream, thus making protocol-level diagnostic
   responses unintelligible to the user.  A mechanism to protect the
   integrity of the session, such as Transport Layer Security (TLS)
   [RFC2595], can be used to defeat such attacks.

   Modifying server authentication code (in this case, to support the
   UTF8 command) needs to be done with care to avoid introducing
   vulnerabilities (for example, in string parsing).

8.  Change History

8.1.  draft-ietf-eai-rfc5721bis: Version 00

   Following the new charter.

8.2.  draft-ietf-eai-rfc5721bis: Version 01

   Refined the text.

8.3.  draft-ietf-eai-rfc5721bis: Version 02

   Updated the text based on Joseph's comments.

8.4.  draft-ietf-eai-rfc5721bis: Version 03

   Improved the text.

   Added text instructing servers to either downconvert or reject.

   Added a new UTF8 response code for that use.

8.5.  draft-ietf-eai-rfc5721bis: Version 04

   Improved the text.

8.6.  draft-ietf-eai-rfc5721bis: Version 05

   Updated according to the jabber interim meeting result.

   Updated according to John's and the Applications Area review
   comments.

9.  References

9.1.  Normative References

   [I-D.ietf-eai-5738bis]
              Resnick, P., Newman, C., and S. Shen, "IMAP Support for
              UTF-8", draft-ietf-eai-5738bis-03 (work in progress),
              December 2011.

   [RFC1939]  Myers, J. and M. Rose, "Post Office Protocol - Version 3",
              STD 53, RFC 1939, May 1996.

   [RFC2045]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part One: Format of Internet Message
              Bodies", RFC 2045, November 1996.

   [RFC2047]  Moore, K., "MIME (Multipurpose Internet Mail Extensions)
              Part Three: Message Header Extensions for Non-ASCII Text",
              RFC 2047, November 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2449]  Gellens, R., Newman, C., and L. Lundblade, "POP3 Extension
              Mechanism", RFC 2449, November 1998.

   [RFC3454]  Hoffman, P. and M. Blanchet, "Preparation of
              Internationalized Strings ("stringprep")", RFC 3454,
              December 2002.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC4013]  Zeilenga, K., "SASLprep: Stringprep Profile for User Names
              and Passwords", RFC 4013, February 2005.

   [RFC4647]  Phillips, A. and M. Davis, "Matching of Language Tags",
              BCP 47, RFC 4647, September 2006.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              October 2008.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", BCP 47, RFC 5646, September 2009.

   [RFC6530]  Klensin, J. and Y. Ko, "Overview and Framework for
              Internationalized Email", RFC 6530, February 2012.

   [RFC6532]  Yang, A., Steele, S., and N. Freed, "Internationalized
              Email Headers", RFC 6532, February 2012.

9.2.  Informative References

   [RFC2595]  Newman, C., "Using TLS with IMAP, POP3 and ACAP",
              RFC 2595, June 1999.

   [RFC5034]  Siemborski, R. and A. Menon-Sen, "The Post Office Protocol
              (POP3) Simple Authentication and Security Layer (SASL)
              Authentication Mechanism", RFC 5034, July 2007.

   [RFC5721]  Gellens, R. and C. Newman, "POP3 Support for UTF-8",
              RFC 5721, February 2010.

Appendix A.  Design Rationale

   This non-normative section discusses the reasons behind some of the
   design choices in the above specification.

   Due to interoperability problems with RFC 2047 and limited deployment
   of RFC 2231, it is hoped these 7-bit encoding mechanisms can be
   deprecated in the future when UTF-8 header support becomes prevalent.

   The USER argument is optional because the implementation burden of
   SASLprep [RFC4013] is not well understood, and mandating such support
   in all cases could negatively impact deployment.

Appendix B.  Acknowledgments

   Thanks to John Klensin, Joseph Yee, Tony Hansen, Alexey Melnikov and
   other EAI working group participants who provided helpful suggestions
   and interesting debate that improved this specification.

Authors' Addresses

   Randall Gellens
   QUALCOMM Incorporated
   5775 Morehouse Drive
   San Diego, CA  92651
   US

   EMail: rg+ietf@qualcomm.com


   Chris Newman
   Oracle
   800 Royal Oaks
   Monrovia, CA  91016-6347
   US

   EMail: chris.newman@oracle.com


   Jiankang YAO
   CNNIC
   No.4 South 4th Street, Zhongguancun
   Beijing

   Phone: +86 10 58813007
   EMail: yaojk@cnnic.cn


   Kazunori Fujiwara
   Japan Registry Services Co., Ltd.
   Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
   Tokyo

   Phone: +81 3 5215 8451
   EMail: fujiwara@jprs.co.jp