
SASL Mechanism Family for External Authentication: EXTERNAL-*

Document Type: Expired Internet-Draft (individual)
Expired & archived
Authors: Simon Josefsson, Carolin Latze
Last updated: 2013-01-12 (Latest revision 2012-07-11)
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document describes a way to perform client authentication in the Simple Authentication and Security Layer (SASL) framework by referring to the client authentication provided by an external security layer. We specify a SASL mechanism family EXTERNAL-* and one instance EXTERNAL-TLS that rely on the Transport Layer Security (TLS) protocol. This mechanism differs from the existing EXTERNAL mechanism by alleviating the a priori assumption that servers and clients need to somehow negotiate out of band which secure channel is intended. This document also discusses the implementation of authorization decisions. See <> for more information.


Simon Josefsson
Carolin Latze

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)