idnits 2.17.1 draft-ietf-sasl-rfc2222bis-03.txt: ** The Abstract section seems to be numbered Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity. ** The document is more than 15 pages and seems to lack a Table of Contents. == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 21 longer pages, the longest (page 2) being 60 lines == It seems as if not all pages are separated by form feeds - found 0 form feeds but 22 pages -- Found 22 instances of the string 'FORMFEED[Page...' -- is this a case of missing nroff postprocessing? Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 2 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 2003) is 7499 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'SASL-GSSAPI' is mentioned on line 892, but not defined == Missing Reference: 'RFC 3501' is mentioned on line 341, but not defined ** Obsolete undefined reference: RFC 3501 (Obsoleted by RFC 9051) == Missing Reference: 'StringPrep' is mentioned on line 343, but not defined == Unused Reference: 'Stringprep' is defined on line 746, but no explicit reference was found in the text == Unused Reference: 'SASL-DIGEST' is defined on line 762, but no explicit reference was found in the text == Unused Reference: 'RFC-INSTRUCTIONS' is defined on line 778, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2234 (ref. 'ABNF') (Obsoleted by RFC 4234) -- Possible downref: Non-RFC (?) normative reference: ref. 'ASCII' -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO-10646' -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode' ** Obsolete normative reference: RFC 3454 (ref. 'Stringprep') (Obsoleted by RFC 7564) -- No information found for draft-ietf-sasl-saslprep-XX - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'SASLPrep' -- No information found for draft-yergeau-rfc2279bis-XX - is the name correct? -- Possible downref: Normative reference to a draft: ref. 'UTF-8' -- No information found for draft-ietf-sasl-rfc2831bis-XX - is the name correct? -- Obsolete informational reference (is this intentional?): RFC 2821 (ref. 'SMTP') (Obsoleted by RFC 5321) -- Obsolete informational reference (is this intentional?): RFC 2554 (ref. 'SMTP-AUTH') (Obsoleted by RFC 4954) -- Obsolete informational reference (is this intentional?): RFC 3548 (ref. 'BASE64') (Obsoleted by RFC 4648) -- Obsolete informational reference (is this intentional?): RFC 2223 (ref. 'RFC-INSTRUCTIONS') (Obsoleted by RFC 7322) Summary: 10 errors (**), 0 flaws (~~), 11 warnings (==), 15 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Melnikov 3 Internet Draft Editor 4 Document: draft-ietf-sasl-rfc2222bis-03.txt October 2003 5 Expires in six months 7 Simple Authentication and Security Layer (SASL) 9 Status of this Memo 11 This document is an Internet Draft and is in full conformance with 12 all provisions of Section 10 of RFC 2026. 14 Internet Drafts are working documents of the Internet Engineering 15 Task Force (IETF), its Areas, and its Working Groups. Note that 16 other groups may also distribute working documents as Internet 17 Drafts. Internet Drafts are draft documents valid for a maximum of 18 six months. Internet Drafts may be updated, replaced, or obsoleted 19 by other documents at any time. It is not appropriate to use 20 Internet Drafts as reference material or to cite them other than as 21 ``work in progress''. 23 The list of current Internet-Drafts can be accessed at 24 http://www.ietf.org/ietf/1id-abstracts.txt 26 The list of Internet-Draft Shadow Directories can be accessed at 27 http://www.ietf.org/shadow.html. 29 A revised version of this draft document will be submitted to the RFC 30 editor as a Draft Standard for the Internet Community. Discussion 31 and suggestions for improvement are requested. Distribution of this 32 draft is unlimited. 34 When published as an RFC this document will obsolete RFC 2222. 36 Internet DRAFT SASL 18 October 2003 38 1. Abstract 40 The Simple Authentication and Security Layer (SASL) provides a method 41 for adding authentication support with an optional security layer to 42 connection-based protocols. It also describes a structure for 43 authentication mechanisms. The result is an abstraction layer 44 between protocols and authentication mechanisms such that any SASL- 45 compatible authentication mechanism can be used with any SASL- 46 compatible protocol. 48 This document describes how a SASL authentication mechanism is 49 structured, describes how a protocol adds support for SASL, defines 50 the protocol for carrying a security layer over a connection, and 51 defines the EXTERNAL SASL authentication mechanism. 53 2. Organization of this document 55 2.1. How to read this document 57 This document is written to serve two different audiences, protocol 58 designers using this specification to support authentication in their 59 protocol, and implementors of clients or servers for those protocols 60 using this specification. 62 The sections "Overview", "Authentication Mechanisms", "Protocol 63 Profile Requirements", "Specific Issues", and "Security 64 Considerations" cover issues that protocol designers need to 65 understand and address in profiling this specification for use in a 66 specific protocol. 68 Implementors of a protocol using this specification need the 69 protocol-specific profiling information in addition to the 70 information in this document. 72 2.2. Conventions used in this document 74 In examples, "C:" and "S:" indicate lines sent by the client and 75 server respectively. 77 The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" 78 in this document are to be interpreted as defined in "Key words for 79 use in RFCs to Indicate Requirement Levels" [KEYWORDS]. 81 Character names in this document use the notation for code points and 82 names from the Unicode Standard [Unicode]. For example, the letter 83 "a" may be represented as either or . 85 Internet DRAFT SASL 18 October 2003 87 3. Overview 89 The Simple Authentication and Security Layer (SASL) is a method for 90 adding authentication support to connection-based protocols. 92 The SASL specification has three layers, as indicated in the diagram 93 below. At the top, a protocol definition using SASL specifies a 94 profile, including a command for identifying and authenticating a 95 user to a server and for optionally negotiating a security layer for 96 subsequent protocol interactions. At the bottom, a SASL mechanism 97 definition specifies an authentication mechanism. The SASL 98 framework, specified by this document, constrains the behavior of 99 protocol profiles and mechanisms, separating protocol from mechanism 100 and defining how they interact. 102 SMTP Protocol LDAP Protocol Etc 103 Profile Profile . . . 104 ----- | -----// 105 | // 106 SASL framework 107 / | \ 108 /----- | -----\ 109 EXTERNAL DIGEST-MD5 Etc 110 SASL mechanism SASL mechanism . . . 112 This separation between the definition of protocols and the 113 definition of authentication mechanisms is crucial. It permits an 114 authentication mechanism to be defined once, making it usable by any 115 SASL protocol profile. In many implementations, the same SASL 116 mechanism code is used for multiple protocols. 118 4. Authentication mechanisms 120 SASL mechanisms are named by strings, from 1 to 20 characters in 121 length, consisting of upper-case ASCII [ASCII] letters, digits, 122 hyphens, and/or underscores. SASL mechanism names must be registered 123 with the Internet Assigned Numbers Authority (IANA). IETF standards 124 track documents may direct the IANA to reserve a portion of the SASL 125 mechanism namespace and may specify different registration criteria 126 for the reserved portion; the GSSAPI mechanism specification [SASL- 127 GSSAPI] does this. Procedures for registering new SASL mechanisms are 128 given in the section 8. 130 The "sasl-mech" rule below defines the syntax of a SASL mechanism 131 name. This uses the Augmented Backus-Naur Form (ABNF) notation as 132 specified in [ABNF] and the ABNF core rules as specified in Appendix 133 A of the ABNF specification [ABNF]. 135 Internet DRAFT SASL 18 October 2003 137 sasl-mech = 1*20mech-char 138 mech-char = %x41-5A / DIGIT / "-" / "_" 139 ; mech names restricted to uppercase ASCII letters, 140 ; digits, "-" and "_" 142 4.1. Authentication protocol exchange 144 A SASL mechanism is responsible for conducting an authentication 145 protocol exchange. This consists of a series of server challenges 146 and client responses, the contents of which are specific to and 147 defined by the mechanism. To the protocol, the challenges and 148 responses are opaque binary tokens of arbitrary length. The 149 protocol's profile then specifies how these binary tokens are then 150 encoded for transfer over the connection. 152 After receiving an authentication command or any client response, a 153 server mechanism may issue a challenge, indicate failure, or indicate 154 completion. The server mechanism may return additional data with a 155 completion indication. The protocol's profile specifies how each of 156 these is then represented over the connection. 158 After receiving a challenge, a client mechanism may issue a response 159 or abort the exchange. The protocol's profile specifies how each of 160 these is then represented over the connection. 162 During the authentication protocol exchange, the mechanism performs 163 authentication, transmits an authorization identity (frequently known 164 as a userid) from the client to server, and negotiates the use of a 165 mechanism-specific security layer. If the use of a security layer is 166 agreed upon, then the mechanism must also define or negotiate the 167 maximum security layer buffer size that each side is able to receive. 169 4.2. Authorization identities and proxy authentication 171 An authorization identity is a string of zero or more ISO 10646 172 [ISO-10646] coded characters. The NUL character is not 173 permitted in authorization identities. The meaning of an 174 authorization identity of the empty string (zero length) is defined 175 below in this section. The authorization identity is used by the 176 server as the primary identity for making access policy decisions. 178 The character encoding scheme used (see [CHARSET-POLICY] for IETF 179 policy regarding character sets in IETF protocols) for transmitting 180 an authorization identity over protocol is specified in each 181 authentication mechanism (with the authentication mechanism's data 182 being further restricted/encoded by the protocol profile). 183 Authentication mechanisms SHOULD encode these and other strings in 185 Internet DRAFT SASL 18 October 2003 187 UTF-8 [UTF-8]. While some legacy mechanisms are incapable of 188 transmitting an authorization identity other than the empty string, 189 newly defined mechanisms are expected to be capable of carrying the 190 entire Unicode repertoire (with the exception of the NUL character). 191 An authorization identity of the empty string and an absent 192 authorization identity MUST be treated as equivalent. However, 193 mechanisms SHOULD NOT allow both. That is, a mechanism which provides 194 an optional field for an authorization identity, SHOULD NOT allow 195 that field, when present, to be empty. 197 The identity derived from the client's authentication credentials is 198 known as the "authentication identity". With any mechanism, 199 transmitting an authorization identity of the empty string directs 200 the server to derive an authorization identity from the client's 201 authentication identity. 203 If the authorization identity transmitted during the authentication 204 protocol exchange is not the empty string, this is typically referred 205 to as "proxy authentication". This feature permits agents such as 206 proxy servers to authenticate using their own credentials, yet 207 request the access privileges of the identity for which they are 208 proxying. 210 The server makes an implementation defined policy decision as to 211 whether the authentication identity is permitted to have the access 212 privileges of the authorization identity and whether the 213 authorization identity is permitted to receive service. If it is 214 not, the server indicates failure of the authentication protocol 215 exchange. 217 As a client might not have the same information as the server, 218 clients SHOULD NOT derive authorization identities from 219 authentication identities. Instead, clients SHOULD provide no (or 220 empty) authorization identity when the user has not provided an 221 authorization identity. 223 The server MUST verify that a received authorization identity is in 224 the correct form. Profiles whose authorization identities are simple 225 user names (e.g. IMAP [RFC 3501]) SHOULD use "SASLPrep" profile 226 [SASLPrep] of the "stringprep" algorithm [StringPrep] to prepare 227 these names for matching. The profiles MAY use a stringprep profile 228 that is more strict than "SASLPrep". If the preparation of the 229 authorization identity fails or results in an empty string, the 230 server MUST fail the authentication exchange. The only exception to 231 this rule is when the received authorization identity is already the 232 empty string. 234 Internet DRAFT SASL 18 October 2003 236 4.3. Security layers 238 If use of a security layer is negotiated by the authentication 239 protocol exchange, the security layer is applied to all subsequent 240 data sent over the connection (until another security layer or no 241 security layer is negotiated; see also section 6.3). The security 242 layer takes effect immediately following the last response of the 243 authentication exchange for data sent by the client and the 244 completion indication for data sent by the server. 246 Once the security layer is in effect, the protocol stream is 247 processed by the security layer into buffers of security encoded 248 data. Each buffer of security encoded data is transferred over the 249 connection as a stream of octets prepended with a four octet field in 250 network byte order that represents the length of the following 251 buffer. The length of the security encoded data buffer MUST be no 252 larger than the maximum size that was either defined in the mechanism 253 specification or negotiated by the other side during the 254 authentication protocol exchange. Upon the receipt of a data buffer 255 which is larger than the defined/negotiated maximal buffer size, the 256 receiver SHOULD close the connection. This might be a sign of an 257 attack or a buggy implementation. 259 4.4. Character string issues 261 Authentication mechanisms SHOULD encode character strings in UTF-8 262 [UTF-8] (see [CHARSET-POLICY] for IETF policy regarding character 263 sets in IETF protocols). In order to avoid noninteroperability due 264 to differing normalizations, when a mechanism specifies that a string 265 authentication identity or password used as input to a cryptographic 266 function (or used for comparison) it SHOULD specify that the string 267 first be prepared using the "SASLPrep" profile [SASLPrep] of the 268 "stringprep" algorithm [StringPrep]. There are three entities that 269 has to deal with this issue: a client (upon getting user input or 270 retrieving a value from configuration), a server (upon receiving the 271 value from the client) and a utility that is able to store 272 passwords/hashes in a database that can be later used by the server. 273 The preparation must be done by the client and the utility and may be 274 done by the server. If preparation fails or results in an empty 275 string, the entity doing the preparation SHALL fail the 276 authentication exchange. 278 5. Protocol profile requirements 280 In order to use this specification, a protocol definition MUST supply 281 the following information: 283 Internet DRAFT SASL 18 October 2003 285 A service name, to be selected from the IANA registry of "service" 286 elements for the GSSAPI host-based service name form [GSSAPI]. This 287 service name is made available to the authentication mechanism. 289 The registry is available at the URL 290 . 292 A definition of the command to initiate the authentication protocol 293 exchange. This command must have as a parameter the name of the 294 mechanism being selected by the client. 296 The command SHOULD have an optional parameter giving an initial 297 response. This optional parameter allows the client to avoid a round 298 trip when using a mechanism which is defined to have the client send 299 data first. When this initial response is sent by the client and the 300 selected mechanism is defined to have the server start with an 301 initial challenge, the command fails. See section 6.1 of this 302 document for further information. 304 A definition of the method by which the authentication protocol 305 exchange is carried out, including how the challenges and responses 306 are encoded, how the server indicates completion or failure of the 307 exchange, how the client aborts an exchange, and how the exchange 308 method interacts with any line length limits in the protocol. 310 The exchange method SHOULD allow the server to include an optional 311 data ("optional challenge") with a success notification. This allows 312 the server to avoid a round trip when using a mechanism which is 313 defined to have the server send additional data along with the 314 indication of successful completion. See section 6.2 of this 315 document for further information. 317 In addition, a protocol profile SHOULD specify a mechanism through 318 which a client may obtain the names of the SASL mechanisms available 319 to it. This is typically done through the protocol's extensions or 320 capabilities mechanism. 322 Identification of the octet where any negotiated security layer 323 starts to take effect, in both directions. 325 Specify if the protocol supports "multiple authentications" (see 326 section 6.3). 328 If both TLS and SASL security layer are allowed to be negotiated by 329 the protocol, the protocol profile MUST define in which order they 330 are applied to a cleartext data sent over the connection. 332 A protocol profile MAY further refine the definition of an 334 Internet DRAFT SASL 18 October 2003 336 authorization identity by adding additional syntactic restrictions 337 and protocol-specific semantics. A protocol profile MUST specify the 338 form of the authorization identity (since it is protocol specific, as 339 opposed to the authentication identity, which is mechanism specific) 340 and how authorization identities are to be compared. Profiles whose 341 authorization identities are simple user names (e.g. IMAP [RFC 3501]) 342 SHOULD use "SASLPrep" profile [SASLPrep] of the "stringprep" 343 algorithm [StringPrep] to prepare these names for matching. The 344 profiles MAY use a stringprep profile that is more strict than 345 SASLPrep. 347 A protocol profile SHOULD NOT attempt to amend the definition of 348 mechanisms or make mechanism-specific encodings. This breaks the 349 separation between protocol and mechanism that is fundamental to the 350 design of SASL. Likewise, SASL mechanisms SHOULD be profile neutral. 352 6. Specific issues 354 6.1. Client sends data first 356 Some mechanisms specify that the first data sent in the 357 authentication protocol exchange is from the client to the server. 359 If a protocol's profile permits the command which initiates an 360 authentication protocol exchange to contain an initial client 361 response, this parameter SHOULD be used with such mechanisms. 363 If the initial client response parameter is not given, or if a 364 protocol's profile does not permit the command which initiates an 365 authentication protocol exchange to contain an initial client 366 response, then the server issues a challenge with no data. The 367 client's response to this challenge is then used as the initial 368 client response. (The server then proceeds to send the next 369 challenge, indicates completion, or indicates failure.) 371 6.2. Server returns success with additional data 373 Some mechanisms may specify that additional data be sent to the 374 client along with an indication of successful completion of the 375 exchange. This data would, for example, authenticate the server to 376 the client. 378 If a protocol's profile does not permit this additional data to be 379 returned with a success indication, then the server issues the data 380 as a server challenge, without an indication of successful 381 completion. The client then responds with no data. After receiving 382 this empty response, the server then indicates successful completion 383 (with no additional data). 385 Internet DRAFT SASL 18 October 2003 387 Client implementors should be aware of an additional failure case 388 that might occur when the profile supports sending the additional 389 data with success. Imagine that an active attacker is trying to 390 impersonate the server and sends faked data, which should be used to 391 authenticate the server to the client, with success. (A similar 392 situation can happen when either the server and/or the client has a 393 bug and they calculate different responses.) After checking the data, 394 the client will think that the authentication exchange has failed, 395 however the server will think that the authentication exchange has 396 completed successfully. At this point the client can not abort the 397 authentication exchange, it SHOULD close the connection instead. 398 However, if the profile did not support sending of additional data 399 with success, the client could have aborted the exchange at the very 400 last step of the authentication exchange. 402 6.3. Multiple authentications 404 Unless otherwise stated by the protocol's profile, only one 405 successful SASL negotiation may occur in a protocol session. In this 406 case, once an authentication protocol exchange has successfully 407 completed, further attempts to initiate an authentication protocol 408 exchange fail. 410 If a profile explicitly permits multiple successful SASL negotiations 411 to occur, then in no case may multiple security layers be 412 simultaneously in effect. If a security layer is in effect and a 413 subsequent SASL negotiation selects a second security layer, then the 414 second security layer replaces the first. If a security layer is in 415 effect and a subsequent SASL negotiation selects no security layer, 416 the original security layer MUST be removed. The next paragraphs 417 explain why this is important. 419 Let's assume that the protected resources on a server are partitioned 420 into a set of protection spaces, each with its own authentication 421 mechanisms and/or authorization database. Let's use the term "realm" 422 to reference any such protected space. Conceptually, realm is a named 423 collection of user's accounts. For example, a proxy/frontend can use 424 different realms for different servers/backends it represents. 426 Now consider the following scenario. A client has already 427 authenticated and established a security layer with "Realm A" which 428 is managed by the server AA. Now the same client authenticates to 429 "Realm B" (managed by the server BB) without negotiating a new 430 security layer, while the security layer negotiated with "Realm A" 431 remains in effect. The server BB is now able observe how known 432 cleartext is encrypted. This scenario enables the server BB to make 433 guesses about previously observed ciphertext between the client and 434 the server AA using the server's SASL engine as an oracle. This 436 Internet DRAFT SASL 18 October 2003 438 scenario is illustrated below: 440 Internet DRAFT SASL 18 October 2003 442 +---------+ +---------+ 443 | | | | 444 | Realm B | | Realm A | 445 | | | | 446 +---------+ +---------+ 447 | ^ | 448 | : +-----------+ | 449 Traffic from | : | Encryption| | Traffic from A 450 B to client +-------->| end point |<-------+ to client 451 : | (SSL/SASL)| 452 : +-----------+ 453 : | 454 : | 455 : +---+ 456 : | | 457 : | | 458 : | | Encryption tunnel, e.g. SASL or SSL, 459 : | | between the server 460 (1) Recording +---------:| | and a single client only. 461 encrypted | | Separate tunnels to different 462 traffic between | | clients. 463 Realm A and client +---+ 464 | 465 | 466 +-----------> Traffic to clients 468 7. The EXTERNAL mechanism 470 The mechanism name associated with external authentication is 471 "EXTERNAL". 473 The client sends an initial response with the UTF-8 encoding of the 474 authorization identity. The form of the authorization identity is 475 further restricted by the application-level protocol's SASL profile. 477 The server uses information, external to SASL, to determine whether 478 the client is authorized to authenticate as the authorization 479 identity. If the client is so authorized, the server indicates 480 successful completion of the authentication exchange; otherwise the 481 server indicates failure. 483 The system providing this external information may be, for example, 484 IPSec or TLS. However, the client can make no assumptions as to what 485 information the server can use in determining client authorization. 486 E.g., just because TLS was established, doesn't mean that the server 487 will use the information provided by TLS. 489 If the client sends the empty string as the authorization identity 491 Internet DRAFT SASL 18 October 2003 493 (thus requesting that the authorization identity be derived from the 494 client's authentication credentials), the authorization identity is 495 to be derived from authentication credentials which exist in the 496 system that is providing the external authentication. 498 7.1. Formal syntax 500 The following syntax specification uses the augmented Backus-Naur 501 Form (BNF) notation as specified in [ABNF]. This uses the ABNF core 502 rules as specified in Appendix A of the ABNF specification [ABNF]. 503 Non-terminals referenced but not defined below are as defined by 504 [UTF-8]. 506 The "extern-init-resp" rule below defines the initial response sent 507 from client to server. 509 extern-init-resp = *( UTF8-char-no-nul ) 511 UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4 513 UTF8-1-no-nul = %x01-7F 515 7.2. Example 517 The following is an example of an EXTERNAL authentication in the SMTP 518 protocol [SMTP]. In this example, the client is proxy 519 authenticating, sending the authorization id "fred". The server has 520 determined the client's identity through IPsec and has a security 521 policy that permits that identity to proxy authenticate as any other 522 identity. 524 To the protocol profile, the four octet sequence "fred" is an opaque 525 binary data. The SASL protocol profile for SMTP [SMTP-AUTH] specifies 526 that server challenges and client responses are encoded in BASE64 527 [BASE64]; the BASE64 encoding of "fred" is "ZnJlZA==". 529 S: 220 smtp.example.com ESMTP server ready 530 C: EHLO jgm.example.com 531 S: 250-smtp.example.com 532 S: 250 AUTH DIGEST-MD5 EXTERNAL 533 C: AUTH EXTERNAL ZnJlZA== 534 S: 235 Authentication successful. 536 8. IANA Considerations 538 Internet DRAFT SASL 18 October 2003 540 8.1. Guidelines for IANA 542 It is requested that IANA updates the SASL mechanisms registry as 543 follows: 545 Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism 546 registrations to OBSOLETE. Change the "Published specification" 547 of the EXTERNAL mechanism to this document. Updated registration 548 is provided in Section 8.6. 550 8.2. Registration procedure 552 Registration of a SASL mechanism is done by filling in the template 553 in section 8.5 and sending it via electronic mail to . 554 IANA has the right to reject obviously bogus registrations, but will 555 perform no review of claims made in the registration form. SASL 556 mechanism registrations are currently available at the URL 557 . 559 There is no naming convention for SASL mechanisms; any name that 560 conforms to the syntax of a SASL mechanism name can be registered. 561 An IETF Standards Track document may reserve a portion of the SASL 562 mechanism namespace ("family of SASL mechanisms") for its own use, 563 amending the registration rules for that portion of the namespace. 564 Each family of SASL mechanisms MUST be identified by a prefix. 566 While the registration procedures do not require it, authors of SASL 567 mechanisms are encouraged to seek community review and comment 568 whenever that is feasible. Authors may seek community review by 569 posting a specification of their proposed mechanism as an Internet- 570 Draft. SASL mechanisms intended for widespread use should be 571 standardized through the normal IETF process, when appropriate. 573 8.3. Comments on SASL mechanism registrations 575 Comments on registered SASL mechanisms should first be sent to the 576 "owner" of the mechanism and/or to the SASL WG mailing list. 577 Submitters of comments may, after a reasonable attempt to contact the 578 owner, request IANA to attach their comment to the SASL mechanism 579 registration itself. If IANA approves of this, the comment will be 580 made accessible in conjunction with the SASL mechanism registration 581 itself. 583 Internet DRAFT SASL 18 October 2003 585 8.4. Change control 587 Once a SASL mechanism registration has been published by IANA, the 588 author may request a change to its definition. The change request 589 follows the same procedure as the registration request. 591 The owner of a SASL mechanism may pass responsibility for the SASL 592 mechanism to another person or agency by informing IANA; this can be 593 done without discussion or review. 595 The IESG may reassign responsibility for a SASL mechanism. The most 596 common case of this will be to enable changes to be made to 597 mechanisms where the author of the registration has died, moved out 598 of contact or is otherwise unable to make changes that are important 599 to the community. 601 SASL mechanism registrations may not be deleted; mechanisms which are 602 no longer believed appropriate for use can be declared OBSOLETE by a 603 change to their "intended use" field; such SASL mechanisms will be 604 clearly marked in the lists published by IANA. 606 The IESG is considered to be the owner of all SASL mechanisms which 607 are on the IETF standards track. 609 8.5. Registration template 611 Subject: Registration of SASL mechanism X 613 Family of SASL mechanisms: (YES or NO) 615 SASL mechanism name (or prefix for the family): 617 Security considerations: 619 Published specification (optional, recommended): 621 Person & email address to contact for further information: 623 Intended usage: 625 (One of COMMON, LIMITED USE or OBSOLETE) 627 Owner/Change controller: 629 (Any other information that the author deems interesting may be 630 added below this line.) 632 Internet DRAFT SASL 18 October 2003 634 8.6. The EXTERNAL mechanism registration 636 It is requested that the SASL Mechanism registry [IANA-SASL] entry 637 for the EXTERNAL mechanism be updated to reflect that this document 638 now provides its technical specification. 640 Subject: Updated Registration of SASL mechanism EXTERNAL 642 Family of SASL mechanisms: NO 644 SASL mechanism name: EXTERNAL 646 Security considerations: See RFC XXXX, section 9. 648 Published specification (optional, recommended): RFC XXXX 650 Person & email address to contact for further information: 651 Alexey Melnikov 653 Intended usage: COMMON 655 Owner/Change controller: IESG 657 Note: Updates existing entry for EXTERNAL 659 9. Security considerations 661 Security issues are discussed throughout this memo. 663 The mechanisms that support integrity protection are designed such 664 that the negotiation of the security layer and authorization identity 665 is integrity protected. When the client selects a security layer 666 with at least integrity protection, this protects against an active 667 attacker hijacking the connection and modifying the authentication 668 exchange to negotiate a plaintext connection. 670 When a server or client supports multiple authentication mechanisms, 671 each of which has a different security strength, it is possible for 672 an active attacker to cause a party to use the least secure mechanism 673 supported. To protect against this sort of attack, a client or 674 server which supports mechanisms of different strengths should have a 675 configurable minimum strength that it will use. It is not sufficient 676 for this minimum strength check to only be on the server, since an 677 active attacker can change which mechanisms the client sees as being 678 supported, causing the client to send authentication credentials for 679 its weakest supported mechanism. 681 Internet DRAFT SASL 18 October 2003 683 The client's selection of a SASL mechanism is done in the clear and 684 may be modified by an active attacker. It is important for any new 685 SASL mechanisms to be designed such that an active attacker cannot 686 obtain an authentication with weaker security properties by modifying 687 the SASL mechanism name and/or the challenges and responses. 689 Any protocol interactions prior to authentication are performed in 690 the clear and may be modified by an active attacker. In the case 691 where a client selects integrity protection, it is important that any 692 security-sensitive protocol negotiations be performed after 693 authentication is complete. Protocols should be designed such that 694 negotiations performed prior to authentication should be either 695 ignored or revalidated once authentication is complete. 697 When use of a security layer is negotiated by the authentication 698 protocol exchange, the receiver should handle gracefully any security 699 encoded data buffer larger than the defined/negotiated maximal size. 700 In particular, it must not blindly allocate the amount of memory 701 specified in the buffer size field, as this might cause the "out of 702 memory" condition. If the receiver detects a large block, it SHOULD 703 close the connection. 705 "stringprep" and Unicode security considerations apply to 706 authentication identities, authorization identities and passwords. 708 The EXTERNAL mechanism provides no security protection; it is 709 vulnerable to spoofing by either client or server, active attack, and 710 eavesdropping. It should only be used when external security 711 mechanisms are present and have sufficient strength. 713 10. References 715 10.1. Normative References 717 [ABNF] Crocker, Overell, "Augmented BNF for Syntax Specifications: 718 ABNF", RFC 2234, November 1997 720 [ASCII] American National Standards Institute, "Code Extension 721 Techniques for Use with the 7-bit Coded Character Set of American 722 National Standard Code (ASCII) for Information Interchange", FIPS PUB 723 35, 1974 725 [CHARSET-POLICY] Alvestrand, "IETF Policy on Character Sets and 726 Languages", RFC 2277, January 1998 728 [GSSAPI] Linn, "Generic Security Service Application Program 729 Interface, Version 2, Update 1", RFC 2743, January 2000 731 Internet DRAFT SASL 18 October 2003 733 [ISO-10646] "Universal Multiple-Octet Coded Character Set (UCS) - 734 Architecture and Basic Multilingual Plane", ISO/IEC 10646-1 : 1993. 736 [KEYWORDS] Bradner, "Key words for use in RFCs to Indicate 737 Requirement Levels", RFC 2119, March 1997 739 [Unicode] The Unicode Consortium, "The Unicode Standard, Version 740 3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading, 741 MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the 742 "Unicode Standard Annex #27: Unicode 3.1" 743 (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard 744 Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). 746 [Stringprep] P. Hoffman, M. Blanchet, "Preparation of 747 Internationalized Strings ("stringprep")", RFC 3454, December 2002. 749 [SASLPrep] Zeilenga, K., "SASLprep: Stringprep profile for user names 750 and passwords", Work in progress, draft-ietf-sasl-saslprep-XX.txt. 752 [UTF-8] Yergeau, "UTF-8, a transformation format of ISO 10646", work 753 in progress (draft-yergeau-rfc2279bis-XX) that replaces RFC 2279, 754 Janyary 1998 756 10.2. Informative References 758 <> [SASL-GSSAPI] Myers, J., "SASL GSSAPI 759 mechanisms", work in progress, draft-ietf-cat-sasl-gssapi-XX.txt, 760 September 2000 762 [SASL-DIGEST] Leach, P., Newman, C., Melnikov, A., "Using Digest 763 Authentication as a SASL Mechanism", work in progress, draft-ietf- 764 sasl-rfc2831bis-XX.txt, replaces RFC 2831 766 [SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC 767 2444, October 1998 769 [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, April 770 2001 772 [SMTP-AUTH] Myers, J., "SMTP Service Extension for Authentication", 773 RFC 2554, March 1999 775 [BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data 776 Encodings", RFC 3548, July 2003 778 [RFC-INSTRUCTIONS] Postel, Reynolds, "Instructions to RFC Authors", 779 RFC 2223, October 1997 781 Internet DRAFT SASL 18 October 2003 783 [IANA-SASL] IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL) 784 MECHANISMS", http://www.iana.org/assignments/sasl-mechanisms. 786 11. Editor's Address 788 Alexey Melnikov 789 Isode 791 Email: Alexey.Melnikov@isode.com 793 12. Acknowledgments 795 This document is a revision of RFC 2222 written by John G. Myers. He 796 also contributed significantly to this revision. 798 Magnus Nystrom provided the ASCII art used in Section 6.3. 800 Definition of realm was extracted from RFC 2617 ("HTTP 801 Authentication: Basic and Digest Access Authentication"). 803 Contributions of many members of the SASL mailing list are gratefully 804 acknowledged, in particular Kurt D. Zeilenga, Peter Saint-Andre, Rob 805 Siemborski, Jeffrey Hutzelman and Hallvard B Furuseth for 806 proofreading the document and various editorial suggestions. 808 13. Full Copyright Statement 810 Copyright (C) The Internet Society (2003). All Rights Reserved. 812 This document and translations of it may be copied and furnished to 813 others, and derivative works that comment on or otherwise explain it 814 or assist in its implementation may be prepared, copied, published 815 and distributed, in whole or in part, without restriction of any 816 kind, provided that the above copyright notice and this paragraph are 817 included on all such copies and derivative works. However, this 818 document itself may not be modified in any way, such as by removing 819 the copyright notice or references to the Internet Society or other 820 Internet organizations, except as needed for the purpose of 821 developing Internet standards in which case the procedures for 822 copyrights defined in the Internet Standards process must be 823 followed, or as required to translate it into languages other than 824 English. 826 The limited permissions granted above are perpetual and will not be 827 revoked by the Internet Society or its successors or assigns. 829 This document and the information contained herein is provided on an 831 Internet DRAFT SASL 18 October 2003 833 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 834 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 835 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 836 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 837 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 839 Acknowledgement 841 Funding for the RFC Editor function is currently provided by the 842 Internet Society. 844 Appendix A. Relation of SASL to transport security 846 Questions have been raised about the relationship between SASL and 847 various services (such as IPsec and TLS) which provide a secured 848 connection. 850 Two of the key features of SASL are: 852 The separation of the authorization identity from the identity in 853 the client's credentials. This permits agents such as proxy 854 servers to authenticate using their own credentials, yet request 855 the access privileges of the identity for which they are proxying. 857 Upon successful completion of an authentication exchange, the 858 server knows the authorization identity the client wishes to use. 859 This allows servers to move to a "user is authenticated" state in 860 the protocol. 862 These features are extremely important to some application protocols, 863 yet Transport Security services do not always provide them. To 864 define SASL mechanisms based on these services would be a very messy 865 task, as the framing of these services would be redundant with the 866 framing of SASL and some method of providing these important SASL 867 features would have to be devised. 869 Sometimes it is desired to enable within an existing connection the 870 use of a security service which does not fit the SASL model. (TLS is 871 an example of such a service.) This can be done by adding a command, 872 for example "STARTTLS", to the protocol. Such a command is outside 873 the scope of SASL, and should be different from the command which 874 starts a SASL authentication protocol exchange. 876 In certain situations, it is reasonable to use SASL underneath one of 877 these Transport Security services. The transport service would 878 secure the connection, either service would authenticate the client, 879 and SASL would negotiate the authorization identity. The SASL 880 negotiation would be what moves the protocol from "unauthenticated" 882 Internet DRAFT SASL 18 October 2003 884 to "authenticated" state. The "EXTERNAL" SASL mechanism is 885 explicitly intended to handle the case where the transport service 886 secures the connection and authenticates the client and SASL 887 negotiates the authorization identity. 889 Appendix B. Changes since RFC 2222 891 The GSSAPI mechanism was removed. It is now specified in a separate 892 document [SASL-GSSAPI]. 894 The "KERBEROS_V4" mechanism defined in RFC 2222 is obsolete and has 895 been removed. 897 The "SKEY" mechanism described in RFC 2222 is obsolete and has been 898 removed. It has been replaced by the OTP mechanism [SASL-OTP]. 900 The overview has been substantially reorganized and clarified. 902 Clarified the definition and semantics of the authorization identity. 904 Prohibited the NUL character in authorization identities. 906 Added a section on character string issues. 908 The word "must" in the first paragraph of the "Protocol profile 909 requirements" section was changed to "MUST". 911 Specified that protocol profiles SHOULD provide a way for clients to 912 discover available SASL mechanisms. 914 Made the requirement that protocol profiles specify the semantics of 915 the authorization identity optional to the protocol profile. 916 Clarified that such a specification is a refinement of the definition 917 in the base SASL spec. 919 Added a requirement discouraging protocol profiles from breaking the 920 separation between protocol and mechanism. 922 Mentioned that standards track documents may carve out their own 923 portions of the SASL mechanism namespace and may amend registration 924 rules for the portion. However registration of individual SASL 925 mechanisms is still required. 927 Specified that the authorization identity in the EXTERNAL mechanism 928 is encoded in UTF-8. 930 Added a statement that a protocol profile SHOULD allow challenge data 931 to be sent with a success indication. 933 Internet DRAFT SASL 18 October 2003 935 Added a security consideration for the EXTERNAL mechansim. 937 Clarified sections concerning success with additional data. 939 Cleaned up IANA considerations/registrations and assembled them in 940 one place. 942 Updated references and split them into Informative and Normative. 944 Added text to the Security Considerations section regarding handling 945 of extremely large SASL blocks. 947 Replaced UTF-8 ABNF with the reference to the UTF-8 document. 949 Added text about SASLPrep for authentication identities and 950 passwords. Described where SASLPrep preparation should take place. 952 Added paragraph about verifying authorization identities. 954 This document requires to drop a security layer on reauthentication 955 when no security layer is negotiated. This differs from RFC 2222, 956 which required to keep the last security layer in this case. 958 Added a protocol profile requirement to specify interaction between 959 SASL and TLS security layers. 961 Added a protocol profile requirement to specify if it supports 962 reauthentication. 964 Removed the text that seemed to suggest that SASL security layer must 965 not be used when TLS is available. 967 Internet DRAFT SASL 18 October 2003 969 Status of this Memo .......................................... i 970 1. Abstract ............................................... 2 971 2. Organization of this document .......................... 2 972 2.1. How to read this document .............................. 2 973 2.2. Conventions used in this document ...................... 2 974 3. Overview ............................................... 3 975 4. Authentication mechanisms .............................. 3 976 4.1. Authentication protocol exchange ....................... 4 977 4.2. Authorization identities and proxy authentication ...... 4 978 4.3. Security layers ........................................ 6 979 4.4. Character string issues ................................ 6 980 5. Protocol profile requirements .......................... 6 981 6. Specific issues ........................................ 8 982 6.1. Client sends data first ................................ 8 983 6.2. Server returns success with additional data ............ 8 984 6.3. Multiple authentications ............................... 9 985 7. The EXTERNAL mechanism ................................ 11 986 7.1. Formal syntax ......................................... 12 987 7.2. Example ............................................... 12 988 8. IANA Considerations ................................... 12 989 8.1. Guidelines for IANA ................................... 13 990 8.2. Registration procedure ................................ 13 991 8.3. Comments on SASL mechanism registrations .............. 13 992 8.4. Change control ........................................ 14 993 8.5. Registration template ................................. 14 994 8.6. The EXTERNAL mechanism registration ................... 15 995 9. Security considerations ................................ 15 996 10. References ........................................... 16 997 10.1. Normative References ................................. 16 998 10.2. Informative References ............................... 17 999 11. Editor's Address ...................................... 18 1000 12. Acknowledgments ....................................... 18 1001 13. Full Copyright Statement .............................. 18 1002 Appendix A. Relation of SASL to transport security .......... 19 1003 Appendix B. Changes since RFC 2222 .......................... 20