Internet Draft: POP URL Scheme R. Gellens
Document: draft-gellens-pop-url-00.txt QUALCOMM, Incorporated
Expires: 6 August 1998 6 February 1998
POP URL Scheme
Status of this Memo:
This document is an Internet Draft. Internet Drafts are working
documents of the Internet Engineering Task Force (IETF), its Areas,
and its Working Groups. Note that other groups may also distribute
working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet
Drafts as reference material or to cite them other than as a
"working draft" or "work in progress."
To learn the current status of any Internet Draft, please check the
"1id-abstracts.txt" listing contained in the Internet Drafts shadow
directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
ftp.isi.edu (US West Coast).
A version of this draft document is intended for submission to the
RFC editor as a Proposed Standard for the Internet Community.
Discussion and suggestions for improvement are requested. Please
send comments to the IETF ACAP mailing list,
<ietf-acap+@andrew.cmu.edu>. To subscribe, send a message
containing SUBSCRIBE to <ietf-acap-request+@andrew.cmu.edu>.
Distribution of this draft is unlimited.
1. Introduction
[POP3] is a widely-deployed mail access protocol. Many programs
access POP3 message stores, and thus need POP3 configuration
information. [ACAP] is a protocol designed for access to such
configuration data. In general, ACAP datasets prefer to use URLs
[BASIC-URL] as a convenient, single-string representation of access
to a specific service. For example, an [IMAP4] message store is
usually specified in ACAP datasets as an [IMAP-URL]. ACAP datasets
used by POP clients need a means of specifying a POP mailbox as a
URL. This memo defines such a URL scheme for referencing a POP
mailbox.
Gellens Expires August 1998 [Page 1]
Internet Draft POP URL Scheme February 1998
2. Conventions Used in this Document
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
in this document are to be interpreted as defined in "Key words for
use in RFCs to Indicate Requirement Levels" [KEYWORDS].
3. POP Scheme
The POP URL scheme designates a POP server, and optionally a port
number, authentication mechanism, authentication ID, and/or
authorization ID.
The POP URL follows the common Internet scheme syntax as defined in
RFC 1738 [BASIC-URL] except that clear text passwords are not
permitted. If :<port> is omitted, the port defaults to 110.
The POP URL is described using [ABNF] in Section 8.
A POP URL is of the general form:
pop://<user>;auth=<auth>@<host>:<port>
Where <user>, <host>, and <port> are as defined in RFC 1738, and
some or all of the elements, except "pop:" and <host>, may be
omitted.
4. POP User Name and Authentication Mechanism
An authorization (which mailbox to access) and authentication
(whose password to check against) identity (referred to as "user
name" for simplicity) and/or authentication mechanism name may be
supplied. These are used in the "USER", "APOP", or "AUTH"
[POP-AUTH] commands after making the connection to the POP server.
If the URL doesn't supply an authentication identifier, the program
interpreting the POP URL SHOULD request one from the user.
An authentication mechanism can be expressed by adding
";AUTH=<enc_auth_type>" to the end of the user name. If the
authentication mechanism is not "APOP", it is a SASL POP [POP-AUTH]
mechanism. When such an <enc_auth_type> is indicated, the client
SHOULD request appropriate credentials from that mechanism and use
the "AUTH" or "APOP" commands instead of the "USER" command. If no
user name is specified, one SHOULD be obtained from the mechanism
or requested from the user as appropriate.
The string ";AUTH=*" indicates that the client SHOULD select an
appropriate authentication mechanism. It MAY use any mechanism
supported by the POP server.
Gellens Expires August 1998 [Page 2]
Internet Draft POP URL Scheme February 1998
If a user name is included with no authentication mechanism, then
";AUTH=*" is assumed.
Since URLs can easily come from untrusted sources, care must be
taken when resolving a URL which requires or requests any sort of
authentication. If authentication credentials are supplied to the
wrong server, it may compromise the security of the user's account.
The program resolving the URL should make sure it meets at least
one of the following criteria in this case:
(1) The URL comes from a trusted source, such as a referral server
which the client has validated and trusts according to site policy.
Note that user entry of the URL may or may not count as a trusted
source, depending on the experience level of the user and site
policy.
(2) Explicit local site policy permits the client to connect to the
server in the URL. For example, if the client knows the site
domain name, site policy may dictate that any hostname ending in
that domain is trusted.
(3) The user confirms that connecting to that domain name with the
specified credentials and/or mechanism is permitted.
(4) A mechanism is used which validates the server before passing
potentially compromising client credentials.
(5) An authentication mechanism is used which will not reveal
information to the server which could be used to compromise future
connections.
A URL containing ";AUTH=*" should be treated with extra care since
it might fall back on a weaker security mechanism. Finally, clients
are discouraged from using a plain text password as a fallback with
";AUTH=*" unless the connection has strong encryption (e.g., a key
length of greater than 56 bits).
Note that if unsafe or reserved characters such as " " or ";" are
present in the user name or authentication mechanism, they MUST be
encoded as described in RFC 1738 [BASIC-URL].
5. Relative POP URLs
Relative POP URLs are not permitted.
6. Multinational Considerations
Since 8-bit characters are not permitted in URLs, [UTF8] characters
are encoded as required by the URL specification [BASIC-URL].
Gellens Expires August 1998 [Page 3]
Internet Draft POP URL Scheme February 1998
7. Examples
The following examples demonstrate how a POP client program might
translate various POP URLs into a series of POP commands. Commands
sent from the client to the server are prefixed with "C:", and
responses sent from the server to the client are prefixed with
"S:".
The URL:
<pop:rg@mailsrv.qualcomm.com>
Results in the following client commands:
<request password from user>
<connect to mailsrv.qualcomm.com, port 110>
C: USER rg
S: +OK
C: PASS secret
S: +OK rg's mailbox has 2 messages (320 octets)
The URL:
<pop:rg;AUTH=APOP@mail.eudora.com:8110>
Results in the following client commands:
<client requests password from user>
<connect to mail.eudora.com, port 8110>
S: +OK POP3 server ready <1896.697170952@mail.eudora.com>
C: APOP rg c4c9334bac560ecc979e58001b3e22fb
S: +OK mailbox has 1 message (369 octets)
The URL:
<pop:baz;AUTH=SKEY@foo.bar>
Results in the following client commands:
<connect to foo.bar, port 110>
S: +OK POP3 server ready
C: AUTH SKEY c21pdGg=
S: + OTUgUWE1ODMwOA==
C: BsAY3g4gBNo=
S: +OK S/Key authentication successful
8. ABNF for POP URL scheme
The POP URL scheme is described using [ABNF]:
achar = uchar / "&" / "=" / "~"
Gellens Expires August 1998 [Page 4]
Internet Draft POP URL Scheme February 1998
; see [BASIC-URL] for "uchar" definition
auth = ";AUTH=" ( "*" / enc_auth_type )
enc_auth_type = 1*achar
; encoded version of [POP-AUTH] "auth_type"
enc_user = 1*achar
; encoded version of [POP3] mailbox
popurl = "pop://" server
server = [userauth "@"] hostport
; See [BASIC-URL] for "hostport" definition
userauth = enc_user [auth]
9. Security Considerations
Security considerations discussed in the [POP3] specification and
the [BASIC-URL] specification are relevant. Security
considerations related to authenticated URLs are discussed in
section 4 of this document.
Many email clients store the plain text password for later use
after logging into a POP server. Such clients MUST NOT use a
stored password in response to a POP URL without explicit
permission from the user to supply that password to the specified
host name.
10. Acknowledgements
This document borrows heavily from Chris Newman's [IMAP-URL]
specification, and has attempted to follow the advice in
[URL-GUIDELINES].
11. References
[ABNF] Crocker, Overell, "Augmented BNF for Syntax Specifications:
ABNF", RFC 2234, Internet Mail Consortium, Demon Internet Ltd.,
November 1997. <ftp://ds.internic.net/rfc/rfc2234.txt>
[ACAP] Newman, Myers, "ACAP -- Application Configuration Access
Protocol", RFC 2244, Innosoft, Netscape, November 1997.
<ftp://ds.internic.net/rfc/rfc2244.txt>
[BASIC-URL] Berners-Lee, Masinter, McCahill, "Uniform Resource
Locators (URL)", RFC 1738, CERN, Xerox Corporation, University of
Minnesota, December 1994. <ftp://ds.internic.net/rfc/rfc1738.txt>
Gellens Expires August 1998 [Page 5]
Internet Draft POP URL Scheme February 1998
[IMAP-URL] Newman, C., "IMAP URL Scheme", RFC 2192, Innosoft,
September 1997. <ftp://ds.internic.net/rfc/rfc2192.txt>
[IMAP4] Crispin, M., "Internet Message Access Protocol - Version
4rev1", RFC 2060, University of Washington, December 1996.
<ftp://ds.internic.net/rfc/rfc2060.txt>
[KEYWORDS] Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, Harvard University, March 1997.
<ftp://ds.internic.net/rfc/rfc2119.txt>
[POP-AUTH] Myers, J., "POP3 AUTHentication command", Netscape
Communications, November 1997, work in progress.
<ftp://ftp.isi.edu/internet-drafts/draft-myers-sasl-pop3-02.txt>
[POP3] Myers, J., Rose, M., "Post Office Protocol -- Version 3",
RFC 1939, Carnegie Mellon, Dover Beach Consulting, Inc., May 1996.
<ftp://ds.internic.net/rfc/rfc1939.txt>
[URL-GUIDELINES] Masinter, Alvestrand, Zigmond, "Guidelines for new
URL Schemes", Xerox Corporation, UNINETT A/S, Wink Communications,
work in progress, December 1997.
<ftp://ftp.isi.edu/internet-drafts/draft-ietf-urlreg-guide-01.txt>
[UTF8] Yergeau, F. "UTF-8, a transformation format of Unicode and
ISO 10646", RFC 2044, Alis Technologies, October 1996.
<ftp://ds.internic.net/rfc/rfc2044.txt>
12. Author's Address
Randall Gellens +1 619 651 5115
QUALCOMM, Incorporated +1 619 651 5334 (fax)
6455 Lusk Blvd. Randy@Qualcomm.Com
San Diego, CA 92121-2779
U.S.A.
Gellens Expires August 1998 [Page 6]
--
Randall Gellens || Opinions are personal; facts are suspect;
randy@qualcomm.com || I speak for myself alone
Surprise! You are the lucky winner of random I.R.S Audit! Just type
in your name and social security number. Please remember that leaving
the room is punishable under law:
Name #