IMAP Extension for Simple Authentication and Security Layer (SASL) Initial Client Response
RFC 4959

Document Type RFC - Proposed Standard (September 2007; Errata)
Was draft-siemborski-imap-sasl-initial-response (individual in app area)
Authors Rob Siemborski  , Arnt Gulbrandsen 
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4959 (Proposed Standard)
Action Holders
Consensus Boilerplate Unknown
Telechat date
Responsible AD Chris Newman
Send notices to (None)
Network Working Group                                      R. Siemborski
Request for Comments: 4959                                  Google, Inc.
Category: Standards Track                                 A. Gulbrandsen
                                                  Oryx Mail Systems GmbH
                                                          September 2007

   IMAP Extension for Simple Authentication and Security Layer (SASL)
                        Initial Client Response

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.


   To date, the Internet Message Access Protocol (IMAP) has used a
   Simple Authentication and Security Layer (SASL) profile which always
   required at least one complete round trip for an authentication, as
   it did not support an initial client response argument.  This
   additional round trip at the beginning of the session is undesirable,
   especially when round-trip costs are high.

   This document defines an extension to IMAP which allows clients and
   servers to avoid this round trip by allowing an initial client
   response argument to the IMAP AUTHENTICATE command.

Siemborski & Gulbrandsen  Standards Track                       [Page 1]
RFC 4959       IMAP Ext for SASL Initial Client Response  September 2007

1.  Introduction

   The SASL initial client response extension is present in any IMAP
   [RFC3501] server implementation which returns "SASL-IR" as one of the
   supported capabilities in its CAPABILITY response.

   Servers which support this extension will accept an optional initial
   client response with the AUTHENTICATE command for any SASL [RFC4422]
   mechanisms which support it.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

   In examples, "C:" and "S:" indicate lines sent by the client and
   server, respectively.

   Formal syntax is defined by [RFC4234] as extended by [RFC3501].

3.  IMAP Changes to the IMAP AUTHENTICATE Command

   This extension adds an optional second argument to the AUTHENTICATE
   command that is defined in Section 6.2.2 of [RFC3501].  If this
   second argument is present, it represents the contents of the
   "initial client response" defined in Section 5.1 of [RFC4422].

   As with any other client response, this initial client response MUST
   be encoded as defined in Section 4 of [RFC4648].  It also MUST be
   transmitted outside of a quoted string or literal.  To send a zero-
   length initial response, the client MUST send a single pad character
   ("=").  This indicates that the response is present, but is a zero-
   length string.

   When decoding the BASE64 [RFC4648] data in the initial client
   response, decoding errors MUST be treated as IMAP [RFC3501] would
   handle them in any normal SASL client response.  In particular, the
   server should check for any characters not explicitly allowed by the
   BASE64 alphabet, as well as any sequence of BASE64 characters that
   contains the pad character ('=') anywhere other than the end of the
   string (e.g., "=AAA" and "AAA=BBB" are not allowed).

   If the client uses an initial response with a SASL mechanism that
   does not support an initial response, the server MUST reject the
   command with a tagged BAD response.

Siemborski & Gulbrandsen  Standards Track                       [Page 2]
RFC 4959       IMAP Ext for SASL Initial Client Response  September 2007

   Note: support and use of the initial client response is optional for
   both clients and servers.  Servers that implement this extension MUST
   support clients that omit the initial client response, and clients
   that implement this extension MUST NOT send an initial client
   response to servers that do not advertise the SASL-IR capability.  In
   such a situation, clients MUST fall back to an IMAP [RFC3501]
   compatible mode.

   If either the client or the server do not support the SASL-IR
   capability, a mechanism which uses an initial client response is
   negotiated using the challenge/response exchange described in
   [RFC3501], with an initial zero-length server challenge.

4.  Examples

   The following is an example authentication using the PLAIN (see
   [RFC4616]) SASL mechanism (under a TLS protection layer, see
   [RFC4346]) and an initial client response:

            ... client connects to server and negotiates a TLS
           protection layer ...
        C: C01 CAPABILITY
        S: C01 OK Completed
Show full document text