IMAP Extension for Simple Authentication and Security Layer (SASL) Initial Client Response
RFC 4959
| Document | Type |
RFC - Proposed Standard
(September 2007; Errata)
Was draft-siemborski-imap-sasl-initial-response (individual in app area)
|
|
|---|---|---|---|
| Authors | Rob Siemborski , Arnt Gulbrandsen | ||
| Last updated | 2020-01-21 | ||
| Stream | IETF | ||
| Formats | plain text html pdf htmlized with errata bibtex | ||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 4959 (Proposed Standard) | |
| Action Holders |
(None)
|
||
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Chris Newman | ||
| Send notices to | (None) | ||
Network Working Group R. Siemborski
Request for Comments: 4959 Google, Inc.
Category: Standards Track A. Gulbrandsen
Oryx Mail Systems GmbH
September 2007
IMAP Extension for Simple Authentication and Security Layer (SASL)
Initial Client Response
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
To date, the Internet Message Access Protocol (IMAP) has used a
Simple Authentication and Security Layer (SASL) profile which always
required at least one complete round trip for an authentication, as
it did not support an initial client response argument. This
additional round trip at the beginning of the session is undesirable,
especially when round-trip costs are high.
This document defines an extension to IMAP which allows clients and
servers to avoid this round trip by allowing an initial client
response argument to the IMAP AUTHENTICATE command.
Siemborski & Gulbrandsen Standards Track [Page 1]
RFC 4959 IMAP Ext for SASL Initial Client Response September 2007
1. Introduction
The SASL initial client response extension is present in any IMAP
[RFC3501] server implementation which returns "SASL-IR" as one of the
supported capabilities in its CAPABILITY response.
Servers which support this extension will accept an optional initial
client response with the AUTHENTICATE command for any SASL [RFC4422]
mechanisms which support it.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
In examples, "C:" and "S:" indicate lines sent by the client and
server, respectively.
Formal syntax is defined by [RFC4234] as extended by [RFC3501].
3. IMAP Changes to the IMAP AUTHENTICATE Command
This extension adds an optional second argument to the AUTHENTICATE
command that is defined in Section 6.2.2 of [RFC3501]. If this
second argument is present, it represents the contents of the
"initial client response" defined in Section 5.1 of [RFC4422].
As with any other client response, this initial client response MUST
be encoded as defined in Section 4 of [RFC4648]. It also MUST be
transmitted outside of a quoted string or literal. To send a zero-
length initial response, the client MUST send a single pad character
("="). This indicates that the response is present, but is a zero-
length string.
When decoding the BASE64 [RFC4648] data in the initial client
response, decoding errors MUST be treated as IMAP [RFC3501] would
handle them in any normal SASL client response. In particular, the
server should check for any characters not explicitly allowed by the
BASE64 alphabet, as well as any sequence of BASE64 characters that
contains the pad character ('=') anywhere other than the end of the
string (e.g., "=AAA" and "AAA=BBB" are not allowed).
If the client uses an initial response with a SASL mechanism that
does not support an initial response, the server MUST reject the
command with a tagged BAD response.
Siemborski & Gulbrandsen Standards Track [Page 2]
RFC 4959 IMAP Ext for SASL Initial Client Response September 2007
Note: support and use of the initial client response is optional for
both clients and servers. Servers that implement this extension MUST
support clients that omit the initial client response, and clients
that implement this extension MUST NOT send an initial client
response to servers that do not advertise the SASL-IR capability. In
such a situation, clients MUST fall back to an IMAP [RFC3501]
compatible mode.
If either the client or the server do not support the SASL-IR
capability, a mechanism which uses an initial client response is
negotiated using the challenge/response exchange described in
[RFC3501], with an initial zero-length server challenge.
4. Examples
The following is an example authentication using the PLAIN (see
[RFC4616]) SASL mechanism (under a TLS protection layer, see
[RFC4346]) and an initial client response:
... client connects to server and negotiates a TLS
protection layer ...
C: C01 CAPABILITY
S: * CAPABILITY IMAP4rev1 SASL-IR AUTH=PLAIN
S: C01 OK Completed
Show full document text