RFC 4422 Simple Authentication and Security Layer (SASL)

[Docs] [txt|pdf] [draft-ietf-sasl...] [Tracker] [Diff1] [Diff2]

PROPOSED STANDARD

Network Working Group                                   A. Melnikov, Ed.
Request for Comments: 4422                                 Isode Limited
Obsoletes: 2222                                         K. Zeilenga, Ed.
Category: Standards Track                            OpenLDAP Foundation
                                                               June 2006


            Simple Authentication and Security Layer (SASL)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The Simple Authentication and Security Layer (SASL) is a framework
   for providing authentication and data security services in
   connection-oriented protocols via replaceable mechanisms.  It
   provides a structured interface between protocols and mechanisms.
   The resulting framework allows new protocols to reuse existing
   mechanisms and allows old protocols to make use of new mechanisms.
   The framework also provides a protocol for securing subsequent
   protocol exchanges within a data security layer.

   This document describes how a SASL mechanism is structured, describes
   how protocols include support for SASL, and defines the protocol for
   carrying a data security layer over a connection.  In addition, this
   document defines one SASL mechanism, the EXTERNAL mechanism.

   This document obsoletes RFC 2222.













Melnikov & Zeilenga         Standards Track                     [Page 1]


RFC 4422                          SASL                         June 2006


Table of Contents

   1. Introduction ....................................................3
      1.1. Document Audiences .........................................4
      1.2. Relationship to Other Documents ............................4
      1.3. Conventions ................................................5
   2. Identity Concepts ...............................................5
   3. The Authentication Exchange .....................................6
      3.1. Mechanism Naming ...........................................8
      3.2. Mechanism Negotiation ......................................9
      3.3. Request Authentication Exchange ............................9
      3.4. Challenges and Responses ...................................9
           3.4.1. Authorization Identity String ......................10
      3.5. Aborting Authentication Exchanges .........................10
      3.6. Authentication Outcome ....................................11
      3.7. Security Layers ...........................................12
      3.8. Multiple Authentications ..................................12
   4. Protocol Requirements ..........................................13
   5. Mechanism Requirements .........................................16
   6. Security Considerations ........................................18
      6.1. Active Attacks ............................................19
           6.1.1. Hijack Attacks .....................................19
           6.1.2. Downgrade Attacks ..................................19
           6.1.3. Replay Attacks .....................................20
           6.1.4. Truncation Attacks .................................20
           6.1.5. Other Active Attacks ...............................20
      6.2. Passive Attacks ...........................................20
      6.3. Re-keying .................................................21
      6.4. Other Considerations ......................................21
   7. IANA Considerations ............................................22
      7.1. SASL Mechanism Registry ...................................22
      7.2. Registration Changes ......................................26
   8. References .....................................................26
      8.1. Normative References ......................................26
      8.2. Informative References ....................................27
   9. Acknowledgements ...............................................28
   Appendix A.  The SASL EXTERNAL Mechanism ..........................29
      A.1. EXTERNAL Technical Specification ..........................29
      A.2. SASL EXTERNAL Examples ....................................30
      A.3. Security Considerations ...................................31
   Appendix B.  Changes since RFC 2222 ...............................31










Melnikov & Zeilenga         Standards Track                     [Page 2]


RFC 4422                          SASL                         June 2006


1.  Introduction

   The Simple Authentication and Security Layer (SASL) is a framework
   for providing authentication and data security services in
   connection-oriented protocols via replaceable mechanisms.  SASL
   provides a structured interface between protocols and mechanisms.
   SASL also provides a protocol for securing subsequent protocol
   exchanges within a data security layer.  The data security layer can
   provide data integrity, data confidentiality, and other services.

   SASL's design is intended to allow new protocols to reuse existing
   mechanisms without requiring redesign of the mechanisms and allows
   existing protocols to make use of new mechanisms without redesign of
   protocols.

   SASL is conceptually a framework that provides an abstraction layer
   between protocols and mechanisms as illustrated in the following
   diagram.

                  SMTP    LDAP    XMPP   Other protocols ...
                     \       |    |      /
                      \      |    |     /
                     SASL abstraction layer
                      /      |    |     \
                     /       |    |      \
              EXTERNAL   GSSAPI  PLAIN   Other mechanisms ...

   It is through the interfaces of this abstraction layer that the
   framework allows any protocol to utilize any mechanism.  While this
   layer does generally hide the particulars of protocols from
   mechanisms and the particulars of mechanisms from protocols, this
   layer does not generally hide the particulars of mechanisms from
   protocol implementations.  For example, different mechanisms require
   different information to operate, some of them use password-based
   authentication, some of then require realm information, others make
   use of Kerberos tickets, certificates, etc.  Also, in order to
   perform authorization, server implementations generally have to
   implement identity mapping between authentication identities, whose
   form is mechanism specific, and authorization identities, whose form
   is application protocol specific.  Section 2 discusses identity
   concepts.

   It is possible to design and implement this framework in ways that do
   abstract away particulars of similar mechanisms.  Such a framework
   implementation, as well as mechanisms implementations, could be
   designed not only to be shared by multiple implementations of a
   particular protocol but to be shared by implementations of multiple
   protocols.



Melnikov & Zeilenga         Standards Track                     [Page 3]


RFC 4422                          SASL                         June 2006


   The framework incorporates interfaces with both protocols and
   mechanisms in which authentication exchanges are carried out.
   Section 3 discusses SASL authentication exchanges.

   To use SASL, each protocol (amongst other items) provides a method
   for identifying which mechanism is to be used, a method for exchange
   of mechanism-specific server-challenges and client-responses, and a
   method for communicating the outcome of the authentication exchange.
   Section 4 discusses SASL protocol requirements.

   Each SASL mechanism defines (amongst other items) a series of
   server-challenges and client-responses that provide authentication
   services and negotiate data security services.  Section 5 discusses
   SASL mechanism requirements.

   Section 6 discusses security considerations.  Section 7 discusses
   IANA considerations.  Appendix A defines the SASL EXTERNAL mechanism.

1.1.  Document Audiences

   This document is written to serve several different audiences:

      -  protocol designers using this specification to support
         authentication in their protocol,

      -  mechanism designers that define new SASL mechanisms, and

      -  implementors of clients or servers for those protocols that
         support SASL.

   While the document organization is intended to allow readers to focus
   on details relevant to their engineering, readers are encouraged to
   read and understand all aspects of this document.

1.2.  Relationship to Other Documents

   This document obsoletes RFC 2222.  It replaces all portions of RFC
   2222 excepting sections 7.1 (the KERBEROS_IV mechanism), 7.2 (the
   GSSAPI mechanism), 7.3 (the SKEY mechanism).  The KERBEROS_IV and
   SKEY mechanisms are now viewed as obsolete and their specifications
   provided in RFC 2222 are Historic.  The GSSAPI mechanism is now
   separately specified [SASL-GSSAPI].

   Appendix B provides a summary of changes since RFC 2222.







Melnikov & Zeilenga         Standards Track                     [Page 4]


RFC 4422                          SASL                         June 2006


1.3.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119].

   Character names in this document use the notation for code points and
   names from the Unicode Standard [Unicode].  For example, the letter
   "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>.

   Note: a glossary of terms used in Unicode can be found in [Glossary].
   Information on the Unicode character encoding model can be found in
   [CharModel].

   In examples, "C:" and "S:" indicate lines of data to be sent by the
   client and server, respectively.  Lines have been wrapped for
   improved readability.

2.  Identity Concepts

   In practice, authentication and authorization may involve multiple
   identities, possibly in different forms (simple username, Kerberos
   principal, X.500 Distinguished Name, etc.), possibly with different
   representations (e.g., ABNF-described UTF-8 encoded Unicode character
   string, BER-encoded Distinguished Name).  While technical
   specifications often prescribe both the identity form and
   representation used on the network, different identity forms and/or
   representations may be (and often are) used within implementations.
   How identities of different forms relate to each other is, generally,
   a local matter.  In addition, the forms and representations used
   within an implementation are a local matter.

   However, conceptually, the SASL framework involves two identities:

      1) an identity associated with the authentication credentials
         (termed the authentication identity), and

      2) an identity to act as (termed the authorization identity).

   SASL mechanism specifications describe the credential form(s) (e.g.,
   X.509 certificates, Kerberos tickets, simple username/password) used
   to authenticate the client, including (where appropriate) the syntax
   and semantics of authentication identities carried in the
   credentials.  SASL protocol specifications describe the identity
   form(s) used in authorization and, in particular, prescribe the
   syntax and semantics of the authorization identity character string
   to be transferred by mechanisms.




Melnikov & Zeilenga         Standards Track                     [Page 5]


RFC 4422                          SASL                         June 2006


   The client provides its credentials (which include or imply an
   authentication identity) and, optionally, a character string
   representing the requested authorization identity as part of the SASL
   exchange.  When this character string is omitted or empty, the client
   is requesting to act as the identity associated with the credentials
   (e.g., the user is requesting to act as the authentication identity).

   The server is responsible for verifying the client's credentials and
   verifying that the identity it associates with the client's
   credentials (e.g., the authentication identity) is allowed to act as
   the authorization identity.  A SASL exchange fails if either (or
   both) of these verifications fails.  (The SASL exchange may fail for
   other reasons, such as service authorization failure.)

   However, the precise form(s) of the authentication identities (used
   within the server in its verifications, or otherwise) and the precise
   form(s) of the authorization identities (used in making authorization
   decisions, or otherwise) are beyond the scope of SASL and this
   specification.  In some circumstances, the precise identity forms
   used in some context outside of the SASL exchange may be dictated by
   other specifications.  For instance, an identity assumption
   authorization (proxy authorization) policy specification may dictate
   how authentication and authorization identities are represented in
   policy statements.

3.  The Authentication Exchange

   Each authentication exchange consists of a message from the client to
   the server requesting authentication via a particular mechanism,
   followed by one or more pairs of challenges from the server and
   responses from the client, followed by a message from the server
   indicating the outcome of the authentication exchange.  (Note:
   exchanges may also be aborted as discussed in Section 3.5.)

   The following illustration provides a high-level overview of an
   authentication exchange.

      C: Request authentication exchange
      S: Initial challenge
      C: Initial response
      <additional challenge/response messages>
      S: Outcome of authentication exchange

   If the outcome is successful and a security layer was negotiated,
   this layer is then installed (see Section 3.7).  This also applies to
   the following illustrations.





Melnikov & Zeilenga         Standards Track                     [Page 6]


RFC 4422                          SASL                         June 2006


   Some mechanisms specify that the first data sent in the
   authentication exchange is from the client to the server.  Protocols
   may provide an optional initial response field in the request message
   to carry this data.  Where the mechanism specifies that the first
   data sent in the exchange is from the client to the server, the
   protocol provides an optional initial response field, and the client
   uses this field, the exchange is shortened by one round-trip:

      C: Request authentication exchange + Initial response
      <additional challenge/response messages>
      S: Outcome of authentication exchange

   Where the mechanism specifies that the first data sent in the
   exchange is from the client to the server and this field is
   unavailable or unused, the client request is followed by an empty
   challenge.

      C: Request authentication exchange
      S: Empty Challenge
      C: Initial Response
      <additional challenge/response messages>
      S: Outcome of authentication exchange

   Should a client include an initial response in its request where the
   mechanism does not allow the client to send data first, the
   authentication exchange fails.

   Some mechanisms specify that the server is to send additional data to
   the client when indicating a successful outcome.  Protocols may
   provide an optional additional data field in the outcome message to
   carry this data.  Where the mechanism specifies that the server is to
   return additional data with the successful outcome, the protocol
   provides an optional additional data field in the outcome message,
   and the server uses this field, the exchange is shortened by one
   round-trip:

      C: Request authentication exchange
      S: Initial challenge
      C: Initial response
      <additional challenge/response messages>
      S: Outcome of authentication exchange with
         additional data with success

   Where the mechanism specifies that the server is to return additional
   data to the client with a successful outcome and this field is
   unavailable or unused, the additional data is sent as a challenge
   whose response is empty.  After receiving this response, the server
   then indicates the successful outcome.



Melnikov & Zeilenga         Standards Track                     [Page 7]


RFC 4422                          SASL                         June 2006


      C: Request authentication exchange
      S: Initial challenge
      C: Initial response
      <additional challenge/response messages>
      S: Additional data challenge
      C: Empty Response
      S: Outcome of authentication exchange

   Where mechanisms specify that the first data sent in the exchange is
   from the client to the server and additional data is sent to the
   client along with indicating a successful outcome, and the protocol
   provides fields supporting both, then the exchange takes two fewer
   round-trips:

      C: Request authentication exchange + Initial response
      <additional challenge/response messages>
      S: Outcome of authentication exchange
         with additional data with success

   instead of:

      C: Request authentication exchange
      S: Empty Challenge
      C: Initial Response
      <additional challenge/response messages>
      S: Additional data challenge
      C: Empty Response
      S: Outcome of authentication exchange

3.1.  Mechanism Naming

   SASL mechanisms are named by character strings, from 1 to 20
   characters in length, consisting of ASCII [ASCII] uppercase letters,
   digits, hyphens, and/or underscores.  In the following Augmented
   Backus-Naur Form (ABNF) [RFC4234] grammar, the <sasl-mech> production
   defines the syntax of a SASL mechanism name.

      sasl-mech    = 1*20mech-char
      mech-char    = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
      ; mech-char is restricted to A-Z (uppercase only), 0-9, -, and _
      ; from ASCII character set.

      UPPER-ALPHA  = %x41-5A  ; A-Z (uppercase only)
      DIGIT        = %x30-39  ; 0-9
      HYPHEN       = %x2D ; hyphen (-)
      UNDERSCORE   = %x5F ; underscore (_)

   SASL mechanism names are registered as discussed in Section 7.1.



Melnikov & Zeilenga         Standards Track                     [Page 8]


RFC 4422                          SASL                         June 2006


3.2.  Mechanism Negotiation

   Mechanism negotiation is protocol specific.

   Commonly, a protocol will specify that the server advertises
   supported and available mechanisms to the client via some facility
   provided by the protocol, and the client will then select the "best"
   mechanism from this list that it supports and finds suitable.

   Note that the mechanism negotiation is not protected by the
   subsequent authentication exchange and hence is subject to downgrade
   attacks if not protected by other means.

   To detect downgrade attacks, a protocol can allow the client to
   discover available mechanisms subsequent to the authentication
   exchange and installation of data security layers with at least data
   integrity protection.  This allows the client to detect changes to
   the list of mechanisms supported by the server.

3.3.  Request Authentication Exchange

   The authentication exchange is initiated by the client by requesting
   authentication via a mechanism it specifies.  The client sends a
   message that contains the name of the mechanism to the server.  The
   particulars of the message are protocol specific.

   Note that the name of the mechanism is not protected by the
   mechanism, and hence is subject to alteration by an attacker if not
   integrity protected by other means.

   Where the mechanism is defined to allow the client to send data
   first, and the protocol's request message includes an optional
   initial response field, the client may include the response to the
   initial challenge in the authentication request message.

3.4.  Challenges and Responses

   The authentication exchange involves one or more pairs of server-
   challenges and client-responses, the particulars of which are
   mechanism specific.  These challenges and responses are enclosed in
   protocol messages, the particulars of which are protocol specific.

   Through these challenges and responses, the mechanism may:

      -  authenticate the client to the server,

      -  authenticate the server to the client,




Melnikov & Zeilenga         Standards Track                     [Page 9]


RFC 4422                          SASL                         June 2006


      -  transfer an authorization identity string,

      -  negotiate a security layer, and

      -  provide other services.

   The negotiation of the security layer may involve negotiation of the
   security services to be provided in the layer, how these services
   will be provided, and negotiation of a maximum cipher-text buffer
   size each side is able to receive in the layer (see Section 3.6).

   After receiving an authentication request or any client response, the
   server may issue a challenge, abort the exchange, or indicate the
   outcome of an exchange.  After receiving a challenge, a client
   mechanism may issue a response or abort the exchange.

3.4.1.  Authorization Identity String

   The authorization identity string is a sequence of zero or more
   Unicode [Unicode] characters, excluding the NUL (U+0000) character,
   representing the identity to act as.

   If the authorization identity string is absent, the client is
   requesting to act as the identity the server associates with the
   client's credentials.  An empty string is equivalent to an absent
   authorization identity.

   A non-empty authorization identity string indicates that the client
   wishes to act as the identity represented by the string.  In this
   case, the form of identity represented by the string, as well as the
   precise syntax and semantics of the string, is protocol specific.

   While the character encoding schema used to transfer the
   authorization identity string in the authentication exchange is
   mechanism specific, mechanisms are expected to be capable of carrying
   the entire Unicode repertoire (with the exception of the NUL
   character).

3.5.  Aborting Authentication Exchanges

   A client or server may desire to abort an authentication exchange if
   it is unwilling or unable to continue (or enter into).

   A client may abort the authentication exchange by sending a message,
   the particulars of which are protocol specific, to the server,
   indicating that the exchange is aborted.  The server may be required
   by the protocol to return a message in response to the client's abort
   message.



Melnikov & Zeilenga         Standards Track                    [Page 10]


RFC 4422                          SASL                         June 2006


   Likewise, a server may abort the authentication exchange by sending a
   message, the particulars of which are protocol specific, to the
   client, indicating that the exchange is aborted.

3.6.  Authentication Outcome

   At the conclusion of the authentication exchange, the server sends a
   message, the particulars of which are protocol specific, to the
   client indicating the outcome of the exchange.

   The outcome is not successful if

      -  the authentication exchange failed for any reason,

      -  the client's credentials could not be verified,

      -  the server cannot associate an identity with the client's
         credentials,

      -  the client-provided authorization identity string is malformed,

      -  the identity associated with the client's credentials is not
         authorized to act as the requested authorization identity,

      -  the negotiated security layer (or lack thereof) is not
         suitable, or

      -  the server is not willing to provide service to the client for
         any reason.

   The protocol may include an optional additional data field in this
   outcome message.  This field can only include additional data when
   the outcome is successful.

   If the outcome is successful and a security layer was negotiated,
   this layer is then installed.  If the outcome is unsuccessful, or a
   security layer was not negotiated, any existing security is left in
   place.

   The outcome message provided by the server can provide a way for the
   client to distinguish between errors that are best dealt with by re-
   prompting the user for her credentials, errors that are best dealt
   with by telling the user to try again later, and errors where the
   user must contact a system administrator for resolution (see the SYS
   and AUTH POP Response Codes [RFC3206] specification for an example).
   This distinction is particularly useful during scheduled server
   maintenance periods as it reduces support costs.  It is also
   important that the server can be configured such that the outcome



Melnikov & Zeilenga         Standards Track                    [Page 11]


RFC 4422                          SASL                         June 2006


   message will not distinguish between a valid user with invalid
   credentials and an invalid user.

3.7.  Security Layers

   SASL mechanisms may offer a wide range of services in security
   layers.  Typical services include data integrity and data
   confidentiality.  SASL mechanisms that do not provide a security
   layer are treated as negotiating no security layer.

   If use of a security layer is negotiated in the authentication
   protocol exchange, the layer is installed by the server after
   indicating the outcome of the authentication exchange and installed
   by the client upon receipt of the outcome indication.  In both cases,
   the layer is installed before transfer of further protocol data.  The
   precise position upon which the layer takes effect in the protocol
   data stream is protocol specific.

   Once the security layer is in effect in the protocol data stream, it
   remains in effect until either a subsequently negotiated security
   layer is installed or the underlying transport connection is closed.

   When in effect, the security layer processes protocol data into
   buffers of protected data.  If at any time the security layer is
   unable or unwilling to continue producing buffers protecting protocol
   data, the underlying transport connection MUST be closed.  If the
   security layer is not able to decode a received buffer, the
   underlying connection MUST be closed.  In both cases, the underlying
   transport connection SHOULD be closed gracefully.

   Each buffer of protected data is transferred over the underlying
   transport connection as a sequence of octets prepended with a four-
   octet field in network byte order that represents the length of the
   buffer.  The length of the protected data buffer MUST be no larger
   than the maximum size that the other side expects.  Upon the receipt
   of a length field whose value is greater than the maximum size, the
   receiver SHOULD close the connection, as this might be a sign of an
   attack.

   The maximum size that each side expects is fixed by the mechanism,
   either through negotiation or by its specification.

3.8.  Multiple Authentications

   Unless explicitly permitted in the protocol (as stated in the
   protocol's technical specification), only one successful SASL
   authentication exchange may occur in a protocol session.  In this




Melnikov & Zeilenga         Standards Track                    [Page 12]


RFC 4422                          SASL                         June 2006


   case, once an authentication exchange has successfully completed,
   further attempts to initiate an authentication exchange fail.

   Where multiple successful SASL authentication exchanges are permitted
   in the protocol, then in no case may multiple SASL security layers be
   simultaneously in effect.  If a security layer is in effect and a
   subsequent SASL negotiation selects a second security layer, then the
   second security layer replaces the first.  If a security layer is in
   effect and a subsequent SASL negotiation selects no security layer,
   the original security layer remains in effect.

   Where multiple successful SASL negotiations are permitted in the
   protocol, the effect of a failed SASL authentication exchange upon
   the previously established authentication and authorization state is
   protocol specific.  The protocol's technical specification should be
   consulted to determine whether the previous authentication and
   authorization state remains in force, or changed to an anonymous
   state, or otherwise was affected.  Regardless of the protocol-
   specific effect upon previously established authentication and
   authorization state, the previously negotiated security layer remains
   in effect.

4.  Protocol Requirements

   In order for a protocol to offer SASL services, its specification
   MUST supply the following information:

   1) A service name, to be selected from registry of "service" elements
      for the Generic Security Service Application Program Interface
      (GSSAPI) host-based service name form, as described in Section 4.1
      of [RFC2743].  Note that this registry is shared by all GSSAPI and
      SASL mechanisms.

   2) Detail any mechanism negotiation facility that the protocol
      provides (see Section 3.2).

      A protocol SHOULD specify a facility through which the client may
      discover, both before initiation of the SASL exchange and after
      installing security layers negotiated by the exchange, the names
      of the SASL mechanisms that the server makes available to the
      client.  The latter is important to allow the client to detect
      downgrade attacks.  This facility is typically provided through
      the protocol's extensions or capabilities discovery facility.

   3) Definition of the messages necessary for authentication exchange,
      including the following:





Melnikov & Zeilenga         Standards Track                    [Page 13]


RFC 4422                          SASL                         June 2006


      a) A message to initiate the authentication exchange (see Section
         3.3).

         This message MUST contain a field for carrying the name of the
         mechanism selected by the client.

         This message SHOULD contain an optional field for carrying an
         initial response.  If the message is defined with this field,
         the specification MUST describe how messages with an empty
         initial response are distinguished from messages with no
         initial response.  This field MUST be capable of carrying
         arbitrary sequences of octets (including zero-length sequences
         and sequences containing zero-valued octets).

      b) Messages to transfer server challenges and client responses
         (see Section 3.4).

         Each of these messages MUST be capable of carrying arbitrary
         sequences of octets (including zero-length sequences and
         sequences containing zero-valued octets).

      c) A message to indicate the outcome of the authentication
         exchange (see Section 3.6).

         This message SHOULD contain an optional field for carrying
         additional data with a successful outcome.  If the message is
         defined with this field, the specification MUST describe how
         messages with an empty additional data are distinguished from
         messages with no additional data.  This field MUST be capable
         of carrying arbitrary sequences of octets (including zero-
         length sequences and sequences containing zero-valued octets).

   4) Prescribe the syntax and semantics of non-empty authorization
      identity strings (see Section 3.4.1).

      In order to avoid interoperability problems due to differing
      normalizations, the protocol specification MUST detail precisely
      how and where (client or server) non-empty authorization identity
      strings are prepared, including all normalizations, for comparison
      and other applicable functions to ensure proper function.

      Specifications are encouraged to prescribe use of existing
      authorization identity forms as well as existing string
      representations, such as simple user names [RFC4013].

      Where the specification does not precisely prescribe how
      identities in SASL relate to identities used elsewhere in the
      protocol, for instance, in access control policy statements, it



Melnikov & Zeilenga         Standards Track                    [Page 14]


RFC 4422                          SASL                         June 2006


      may be appropriate for the protocol to provide a facility by which
      the client can discover information (such as the representation of
      the identity used in making access control decisions) about
      established identities for these uses.

   5) Detail any facility the protocol provides that allows the client
      and/or server to abort authentication exchange (see Section 3.5).

      Protocols that support multiple authentications typically allow a
      client to abort an ongoing authentication exchange by initiating a
      new authentication exchange.  Protocols that do not support
      multiple authentications may require the client to close the
      connection and start over to abort an ongoing authentication
      exchange.

      Protocols typically allow the server to abort ongoing
      authentication exchanges by returning a non-successful outcome
      message.

   6) Identify precisely where newly negotiated security layers start to
      take effect, in both directions (see Section 3.7).

      Typically, specifications require security layers to start taking
      effect on the first octet following the outcome message in data
      being sent by the server and on the first octet sent after receipt
      of the outcome message in data being sent by the client.

   7) If the protocol supports other layered security services, such as
      Transport Layer Security (TLS) [RFC4346], the specification MUST
      prescribe the order in which security layers are applied to
      protocol data.

      For instance, where a protocol supports both TLS and SASL security
      layers, the specification could prescribe any of the following:

      a) SASL security layer is always applied first to data being sent
         and, hence, applied last to received data,

      b) SASL security layer is always applied last to data being sent
         and, hence, applied first to received data,

      c) Layers are applied in the order in which they were installed,

      d) Layers are applied in the reverse order in which they were
         installed, or

      e) Both TLS and SASL security layers cannot be installed.




Melnikov & Zeilenga         Standards Track                    [Page 15]


RFC 4422                          SASL                         June 2006


   8) Indicate whether the protocol supports multiple authentications
      (see Section 3.8).  If so, the protocol MUST detail the effect a
      failed SASL authentication exchange will have upon a previously
      established authentication and authorization state.

   Protocol specifications SHOULD avoid stating implementation
   requirements that would hinder replacement of applicable mechanisms.
   In general, protocol specifications SHOULD be mechanism neutral.
   There are a number of reasonable exceptions to this recommendation,
   including

      -  detailing how credentials (which are mechanism specific) are
         managed in the protocol,

      -  detailing how authentication identities (which are mechanism
         specific) and authorization identities (which are protocol
         specific) relate to each other, and

      -  detailing which mechanisms are applicable to the protocol.

5.  Mechanism Requirements

   SASL mechanism specifications MUST supply the following information:

   1) The name of the mechanism (see Section 3.1).  This name MUST be
      registered as discussed in Section 7.1.

   2) A definition of the server-challenges and client-responses of the
      authentication exchange, as well as the following:

      a) An indication of whether the mechanism is client-first,
         variable, or server-first.  If a SASL mechanism is defined as
         client-first and the client does not send an initial response
         in the authentication request, then the first server challenge
         MUST be empty (the EXTERNAL mechanism is an example of this
         case).  If a SASL mechanism is defined as variable, then the
         specification needs to state how the server behaves when the
         initial client response in the authentication request is
         omitted (the DIGEST-MD5 mechanism [DIGEST-MD5] is an example of
         this case).  If a SASL mechanism is defined as server-first,
         then the client MUST NOT send an initial client response in the
         authentication request (the CRAM-MD5 mechanism [CRAM-MD5] is an
         example of this case).

      b) An indication of whether the server is expected to provide
         additional data when indicating a successful outcome.  If so,
         if the server sends the additional data as a challenge, the




Melnikov & Zeilenga         Standards Track                    [Page 16]


RFC 4422                          SASL                         June 2006


         specification MUST indicate that the response to this challenge
         is an empty response.

      SASL mechanisms SHOULD be designed to minimize the number of
      challenges and responses necessary to complete the exchange.

   3) An indication of whether the mechanism is capable of transferring
      authorization identity strings (see Section 3.4.1).  While some
      legacy mechanisms are incapable of transmitting an authorization
      identity (which means that for these mechanisms, the authorization
      identity is always the empty string), newly defined mechanisms
      SHOULD be capable of transferring authorization identity strings.
      The mechanism SHOULD NOT be capable of transferring both no
      authorization identity string and an empty authorization identity.

      Mechanisms that are capable of transferring an authorization
      identity string MUST be capable of transferring arbitrary non-
      empty sequences of Unicode characters, excluding those that
      contain the NUL (U+0000) character.  Mechanisms SHOULD use the
      UTF-8 [RFC3629] transformation format.  The specification MUST
      detail how any Unicode code points special to the mechanism that
      might appear in the authorization identity string are escaped to
      avoid ambiguity during decoding of the authorization identity
      string.  Typically, mechanisms that have special characters
      require these special characters to be escaped or encoded in the
      character string (after encoding it in a particular Unicode
      transformation format) using a data encoding scheme such as Base64
      [RFC3548].

   4) The specification MUST detail whether the mechanism offers a
      security layer.  If the mechanism does, the specification MUST
      detail the security and other services offered in the layer as
      well as how these services are to be implemented.

   5) If the underlying cryptographic technology used by a mechanism
      supports data integrity, then the mechanism specification MUST
      integrity protect the transmission of an authorization identity
      and the negotiation of the security layer.

   SASL mechanisms SHOULD be protocol neutral.

   SASL mechanisms SHOULD reuse existing credential and identity forms,
   as well as associated syntaxes and semantics.

   SASL mechanisms SHOULD use the UTF-8 transformation format [RFC3629]
   for encoding Unicode [Unicode] code points for transfer.





Melnikov & Zeilenga         Standards Track                    [Page 17]


RFC 4422                          SASL                         June 2006


   In order to avoid interoperability problems due to differing
   normalizations, when a mechanism calls for character data (other than
   the authorization identity string) to be used as input to a
   cryptographic and/or comparison function, the specification MUST
   detail precisely how and where (client or server) the character data
   is to be prepared, including all normalizations, for input into the
   function to ensure proper operation.

   For simple user names and/or passwords in authentication credentials,
   SASLprep [RFC4013] (a profile of the StringPrep [RFC3454] preparation
   algorithm), SHOULD be specified as the preparation algorithm.

   The mechanism SHOULD NOT use the authorization identity string in
   generation of any long-term cryptographic keys or hashes as there is
   no requirement that the authorization identity string be canonical.
   Long-term, here, means a term longer than the duration of the
   authentication exchange in which they were generated.  That is, as
   different clients (of the same or different protocol) may provide
   different authorization identity strings that are semantically
   equivalent, use of authorization identity strings in generation of
   cryptographic keys and hashes will likely lead to interoperability
   and other problems.

6.  Security Considerations

   Security issues are discussed throughout this memo.

   Many existing SASL mechanisms do not provide adequate protection
   against passive attacks, let alone active attacks, in the
   authentication exchange.  Many existing SASL mechanisms do not offer
   security layers.  It is hoped that future SASL mechanisms will
   provide strong protection against passive and active attacks in the
   authentication exchange, as well as security layers with strong basic
   data security features (e.g., data integrity and data
   confidentiality) services.  It is also hoped that future mechanisms
   will provide more advanced data security services like re-keying (see
   Section 6.3).

   Regardless, the SASL framework is susceptible to downgrade attacks.
   Section 6.1.2 offers a variety of approaches for preventing or
   detecting these attacks.  In some cases, it is appropriate to use
   data integrity protective services external to SASL (e.g., TLS) to
   protect against downgrade attacks in SASL.  Use of external
   protective security services is also important when the mechanisms
   available do not themselves offer adequate integrity and/or
   confidentiality protection of the authentication exchange and/or
   protocol data.




Melnikov & Zeilenga         Standards Track                    [Page 18]


RFC 4422                          SASL                         June 2006


6.1.  Active Attacks

6.1.1.  Hijack Attacks

   When the client selects a SASL security layer with at least integrity
   protection, this protection serves as a counter-measure against an
   active attacker hijacking the connection and modifying protocol data
   sent after establishment of the security layer.  Implementations
   SHOULD close the connection when the security services in a SASL
   security layer report protocol data report lack of data integrity.

6.1.2.  Downgrade Attacks

   It is important that any security-sensitive protocol negotiations be
   performed after installation of a security layer with data integrity
   protection.  Protocols should be designed such that negotiations
   performed prior to this installation should be revalidated after
   installation is complete.  Negotiation of the SASL mechanism is
   security sensitive.

   When a client negotiates the authentication mechanism with the server
   and/or other security features, it is possible for an active attacker
   to cause a party to use the least secure security services available.
   For instance, an attacker can modify the server-advertised mechanism
   list or can modify the client-advertised security feature list within
   a mechanism response.  To protect against this sort of attack,
   implementations SHOULD NOT advertise mechanisms and/or features that
   cannot meet their minimum security requirements, SHOULD NOT enter
   into or continue authentication exchanges that cannot meet their
   minimum security requirements, and SHOULD verify that completed
   authentication exchanges result in security services that meet their
   minimum security requirements.  Note that each endpoint needs to
   independently verify that its security requirements are met.

   In order to detect downgrade attacks to the least (or less) secure
   mechanism supported, the client can discover the SASL mechanisms that
   the server makes available both before the SASL authentication
   exchange and after the negotiated SASL security layer (with at least
   data integrity protection) has been installed through the protocol's
   mechanism discovery facility.  If the client finds that the
   integrity-protected list (the list obtained after the security layer
   was installed) contains a stronger mechanism than those in the
   previously obtained list, the client should assume that the
   previously obtained list was modified by an attacker and SHOULD close
   the underlying transport connection.

   The client's initiation of the SASL exchange, including the selection
   of a SASL mechanism, is done in the clear and may be modified by an



Melnikov & Zeilenga         Standards Track                    [Page 19]


RFC 4422                          SASL                         June 2006


   active attacker.  It is important for any new SASL mechanisms to be
   designed such that an active attacker cannot obtain an authentication
   with weaker security properties by modifying the SASL mechanism name
   and/or the challenges and responses.

   Multi-level negotiation of security features is prone to downgrade
   attack.  Protocol designers should avoid offering higher-level
   negotiation of security features in protocols (e.g., above SASL
   mechanism negotiation) and mechanism designers should avoid lower-
   level negotiation of security features in mechanisms (e.g., below
   SASL mechanism negotiation).

6.1.3.  Replay Attacks

   Some mechanisms may be subject to replay attacks unless protected by
   external data security services (e.g., TLS).

6.1.4.  Truncation Attacks

   Most existing SASL security layers do not themselves offer protection
   against truncation attack.  In a truncation attack, the active
   attacker causes the protocol session to be closed, causing a
   truncation of the possibly integrity-protected data stream that leads
   to behavior of one or both the protocol peers that inappropriately
   benefits the attacker.  Truncation attacks are fairly easy to defend
   against in connection-oriented application-level protocols.  A
   protocol can defend against these attacks by ensuring that each
   information exchange has a clear final result and that each protocol
   session has a graceful closure mechanism, and that these are
   integrity protected.

6.1.5.  Other Active Attacks

   When use of a security layer is negotiated by the authentication
   protocol exchange, the receiver SHOULD handle gracefully any
   protected data buffer larger than the defined/negotiated maximal
   size.  In particular, it MUST NOT blindly allocate the amount of
   memory specified in the buffer size field, as this might cause the
   "out of memory" condition.  If the receiver detects a large block, it
   SHOULD close the connection.

6.2.  Passive Attacks

   Many mechanisms are subject to various passive attacks, including
   simple eavesdropping of unprotected credential information as well as
   online and offline dictionary attacks of protected credential
   information.




Melnikov & Zeilenga         Standards Track                    [Page 20]


RFC 4422                          SASL                         June 2006


6.3.  Re-keying

   The secure or administratively permitted lifetimes of SASL
   mechanisms' security layers are finite.  Cryptographic keys weaken as
   they are used and as time passes; the more time and/or cipher-text
   that a cryptanalyst has after the first use of the a key, the easier
   it is for the cryptanalyst to mount attacks on the key.

   Administrative limits on a security layer's lifetime may take the
   form of time limits expressed in X.509 certificates, in Kerberos V
   tickets, or in directories, and are often desired.  In practice, one
   likely effect of administrative lifetime limits is that applications
   may find that security layers stop working in the middle of
   application protocol operation, such as, perhaps, during large data
   transfers.  As the result of this, the connection will be closed (see
   Section 3.7), which will result in an unpleasant user experience.

   Re-keying (key renegotiation process) is a way of addressing the
   weakening of cryptographic keys.  The SASL framework does not itself
   provide for re-keying; SASL mechanisms may.  Designers of future SASL
   mechanisms should consider providing re-keying services.

   Implementations that wish to re-key SASL security layers where the
   mechanism does not provide for re-keying SHOULD reauthenticate the
   same IDs and replace the expired or soon-to-expire security layers.
   This approach requires support for reauthentication in the
   application protocols (see Section 3.8).

6.4.  Other Considerations

   Protocol designers and implementors should understand the security
   considerations of mechanisms so they may select mechanisms that are
   applicable to their needs.

   Distributed server implementations need to be careful in how they
   trust other parties.  In particular, authentication secrets should
   only be disclosed to other parties that are trusted to manage and use
   those secrets in a manner acceptable to the disclosing party.
   Applications using SASL assume that SASL security layers providing
   data confidentiality are secure even when an attacker chooses the
   text to be protected by the security layer.  Similarly, applications
   assume that the SASL security layer is secure even if the attacker
   can manipulate the cipher-text output of the security layer.  New
   SASL mechanisms are expected to meet these assumptions.







Melnikov & Zeilenga         Standards Track                    [Page 21]


RFC 4422                          SASL                         June 2006


   Unicode security considerations [UTR36] apply to authorization
   identity strings, as well as UTF-8 [RFC3629] security considerations
   where UTF-8 is used.  SASLprep [RFC4013] and StringPrep [RFC3454]
   security considerations also apply where used.

7.  IANA Considerations

7.1.  SASL Mechanism Registry

   The SASL mechanism registry is maintained by IANA.  The registry is
   currently available at <http://www.iana.org/assignments/sasl-
   mechanisms>.

   The purpose of this registry is not only to ensure uniqueness of
   values used to name SASL mechanisms, but also to provide a definitive
   reference to technical specifications detailing each SASL mechanism
   available for use on the Internet.

   There is no naming convention for SASL mechanisms; any name that
   conforms to the syntax of a SASL mechanism name can be registered.

   The procedure detailed in Section 7.1.1 is to be used for
   registration of a value naming a specific individual mechanism.

   The procedure detailed in Section 7.1.2 is to be used for
   registration of a value naming a family of related mechanisms.

   Comments may be included in the registry as discussed in Section
   7.1.3 and may be changed as discussed in Section 7.1.4.

   The SASL mechanism registry has been updated to reflect that this
   document provides the definitive technical specification for SASL and
   that this section provides the registration procedures for this
   registry.

















Melnikov & Zeilenga         Standards Track                    [Page 22]


RFC 4422                          SASL                         June 2006


7.1.1.  Mechanism Name Registration Procedure

   IANA will register new SASL mechanism names on a First Come First
   Served basis, as defined in BCP 26 [RFC2434].  IANA has the right to
   reject obviously bogus registration requests, but will perform no
   review of claims made in the registration form.

   Registration of a SASL mechanism is requested by filling in the
   following template:

      Subject: Registration of SASL mechanism X

      SASL mechanism name (or prefix for the family):

      Security considerations:

      Published specification (recommended):

      Person & email address to contact for further information:

      Intended usage: (One of COMMON, LIMITED USE, or OBSOLETE)

      Owner/Change controller:

      Note: (Any other information that the author deems relevant may be
      added here.)

   and sending it via electronic mail to IANA at <iana@iana.org>.

   While this registration procedure does not require expert review,
   authors of SASL mechanisms are encouraged to seek community review
   and comment whenever that is feasible.  Authors may seek community
   review by posting a specification of their proposed mechanism as an
   Internet-Draft.  SASL mechanisms intended for widespread use should
   be standardized through the normal IETF process, when appropriate.
















Melnikov & Zeilenga         Standards Track                    [Page 23]


RFC 4422                          SASL                         June 2006


7.1.2.  Family Name Registration Procedure

   As noted above, there is no general naming convention for SASL
   mechanisms.  However, specifications may reserve a portion of the
   SASL mechanism namespace for a set of related SASL mechanisms, a
   "family" of SASL mechanisms.  Each family of SASL mechanisms is
   identified by a unique prefix, such as X-.  Registration of new SASL
   mechanism family names requires expert review as defined in BCP 26
   [RFC2434].

   Registration of a SASL family name is requested by filling in the
   following template:

      Subject: Registration of SASL mechanism family X

      SASL family name (or prefix for the family):

      Security considerations:

      Published specification (recommended):

      Person & email address to contact for further information:

      Intended usage: (One of COMMON, LIMITED USE, or OBSOLETE)

      Owner/Change controller:

      Note: (Any other information that the author deems relevant may be
      added here.)

   and sending it via electronic mail to the IETF SASL mailing list at
   <ietf-sasl@imc.org> and carbon copying IANA at <iana@iana.org>.
   After allowing two weeks for community input on the IETF SASL mailing
   list, the expert will determine the appropriateness of the
   registration request and either approve or disapprove the request
   with notice to the requestor, the mailing list, and IANA.

   The review should focus on the appropriateness of the requested
   family name for the proposed use and the appropriateness of the
   proposed naming and registration plan for existing and future
   mechanism names in the family.  The scope of this request review may
   entail consideration of relevant aspects of any provided technical
   specification, such as their IANA Considerations section.  However,
   this review is narrowly focused on the appropriateness of the
   requested registration and not on the overall soundness of any
   provided technical specification.





Melnikov & Zeilenga         Standards Track                    [Page 24]


RFC 4422                          SASL                         June 2006


   Authors are encouraged to pursue community review by posting the
   technical specification as an Internet-Draft and soliciting comment
   by posting to appropriate IETF mailing lists.

7.1.3.  Comments on SASL Mechanism Registrations

   Comments on a registered SASL mechanism/family should first be sent
   to the "owner" of the mechanism/family and/or to the <ietf-
   sasl@imc.org> mailing list.

   Submitters of comments may, after a reasonable attempt to contact the
   owner, request IANA to attach their comment to the SASL mechanism
   registration itself by sending mail to <iana@iana.org>.  At IANA's
   sole discretion, IANA may attach the comment to the SASL mechanism's
   registration.

7.1.4.  Change Control

   Once a SASL mechanism registration has been published by IANA, the
   author may request a change to its definition.  The change request
   follows the same procedure as the registration request.

   The owner of a SASL mechanism may pass responsibility for the SASL
   mechanism to another person or agency by informing IANA; this can be
   done without discussion or review.

   The IESG may reassign responsibility for a SASL mechanism.  The most
   common case of this will be to enable changes to be made to
   mechanisms where the author of the registration has died, has moved
   out of contact, or is otherwise unable to make changes that are
   important to the community.

   SASL mechanism registrations may not be deleted; mechanisms that are
   no longer believed appropriate for use can be declared OBSOLETE by a
   change to their "intended usage" field; such SASL mechanisms will be
   clearly marked in the lists published by IANA.

   The IESG is considered to be the owner of all SASL mechanisms that
   are on the IETF standards track.












Melnikov & Zeilenga         Standards Track                    [Page 25]


RFC 4422                          SASL                         June 2006


7.2.  Registration Changes

   The IANA has updated the SASL mechanisms registry as follows:

   1) Changed the "Intended usage" of the KERBEROS_V4 and SKEY mechanism
      registrations to OBSOLETE.

   2) Changed the "Published specification" of the EXTERNAL mechanism to
      this document as indicated below:

      Subject: Updated Registration of SASL mechanism EXTERNAL
      Family of SASL mechanisms: NO
      SASL mechanism name: EXTERNAL
      Security considerations: See A.3 of RFC 4422
      Published specification (optional, recommended): RFC 4422
      Person & email address to contact for further information:
          Alexey Melnikov <Alexey.Melnikov@isode.com>
      Intended usage: COMMON
      Owner/Change controller: IESG <iesg@ietf.org>
      Note: Updates existing entry for EXTERNAL

8.  References

8.1.  Normative References

   [RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
                 Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2244]     Newman, C. and J. G. Myers, "ACAP -- Application
                 Configuration Access Protocol", RFC 2244, November
                 1997.

   [RFC2434]     Narten, T. and H. Alvestrand, "Guidelines for Writing
                 an IANA Considerations Section in RFCs", BCP 26, RFC
                 2434, October 1998.

   [RFC2743]     Linn, J., "Generic Security Service Application Program
                 Interface Version 2, Update 1", RFC 2743, January 2000.

   [RFC3454]     Hoffman, P. and M. Blanchet, "Preparation of
                 Internationalized Strings ("stringprep")", RFC 3454,
                 December 2002.

   [RFC3629]     Yergeau, F., "UTF-8, a transformation format of ISO
                 10646", STD 63, RFC 3629, November 2003.

   [RFC4013]     Zeilenga, K., "SASLprep: Stringprep Profile for User
                 Names and Passwords", RFC 4013, February 2005.



Melnikov & Zeilenga         Standards Track                    [Page 26]


RFC 4422                          SASL                         June 2006


   [RFC4234]     Crocker, D. and P. Overell, "Augmented BNF for Syntax
                 Specifications: ABNF", RFC 4234, October 2005.

   [ASCII]       Coded Character Set--7-bit American Standard Code for
                 Information Interchange, ANSI X3.4-1986.

   [Unicode]     The Unicode Consortium, "The Unicode Standard, Version
                 3.2.0" is defined by "The Unicode Standard, Version
                 3.0" (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-
                 61633-5), as amended by the "Unicode Standard Annex
                 #27: Unicode 3.1"
                 (http://www.unicode.org/reports/tr27/) and by the
                 "Unicode Standard Annex #28: Unicode 3.2"
                 (http://www.unicode.org/reports/tr28/).

   [CharModel]   Whistler, K. and M. Davis, "Unicode Technical Report
                 #17, Character Encoding Model", UTR17,
                 <http://www.unicode.org/unicode/reports/tr17/>, August
                 2000.

   [Glossary]    The Unicode Consortium, "Unicode Glossary",
                 <http://www.unicode.org/glossary/>.

8.2.  Informative References

   [RFC3206]     Gellens, R., "The SYS and AUTH POP Response Codes", RFC
                 3206, February 2002.

   [RFC3548]     Josefsson, S., "The Base16, Base32, and Base64 Data
                 Encodings", RFC 3548, July 2003.

   [RFC4301]     Kent, S. and K. Seo, "Security Architecture for the
                 Internet Protocol", RFC 4301, December 2005.

   [RFC4346]     Dierks, T. and E. Rescorla, "The Transport Layer
                 Security (TLS) Protocol Version 1.1", RFC 4346, April
                 2006.

   [SASL-GSSAPI] Melnikov, A. (Editor), "The Kerberos V5 ("GSSAPI") SASL
                 Mechanism", Work in Progress, May 2006.

   [UTR36]       Davis, M., "(Draft) Unicode Technical Report #36,
                 Character Encoding Model", UTR17,
                 <http://www.unicode.org/unicode/reports/tr36/>,
                 February 2005.

   [CRAM-MD5]    Nerenberg, L., "The CRAM-MD5 SASL Mechanism", Work in
                 Progress.



Melnikov & Zeilenga         Standards Track                    [Page 27]


RFC 4422                          SASL                         June 2006


   [DIGEST-MD5]  Leach, P., C. Newman, and A. Melnikov, "Using Digest
                 Authentication as a SASL Mechanism", Work in Progress,
                 March 2006.

9.  Acknowledgements

   This document is a revision of RFC 2222 written by John Myers.

   This revision is a product of the IETF Simple Authentication and
   Security Layer (SASL) Working Group.

   The following individuals contributed significantly to this revision:
   Abhijit Menon-Sen, Hallvard Furuseth, Jeffrey Hutzelman, John Myers,
   Luke Howard, Magnus Nystrom, Nicolas Williams, Peter Saint-Andre, RL
   'Bob' Morgan, Rob Siemborski, Sam Hartman, Simon Josefsson, Tim
   Alsop, and Tony Hansen.



































Melnikov & Zeilenga         Standards Track                    [Page 28]


RFC 4422                          SASL                         June 2006


Appendix A.  The SASL EXTERNAL Mechanism

   This appendix is normative.

   The EXTERNAL mechanism allows a client to request the server to use
   credentials established by means external to the mechanism to
   authenticate the client.  The external means may be, for instance, IP
   Security [RFC4301] or TLS [RFC4346] services.  In absence of some a
   priori agreement between the client and the server, the client cannot
   make any assumption as to what external means the server has used to
   obtain the client's credentials, nor make an assumption as to the
   form of credentials.  For example, the client cannot assume that the
   server will use the credentials the client has established via TLS.

A.1.  EXTERNAL Technical Specification

   The name of this mechanism is "EXTERNAL".

   The mechanism does not provide a security layer.

   The mechanism is capable of transferring an authorization identity
   string.  If empty, the client is requesting to act as the identity
   the server has associated with the client's credentials.  If non-
   empty, the client is requesting to act as the identity represented by
   the string.

   The client is expected to send data first in the authentication
   exchange.  Where the client does not provide an initial response data
   in its request to initiate the authentication exchange, the server is
   to respond to the request with an empty initial challenge and then
   the client is to provide its initial response.

   The client sends the initial response containing the UTF-8 [RFC3629]
   encoding of the requested authorization identity string.  This
   response is non-empty when the client is requesting to act as the
   identity represented by the (non-empty) string.  This response is
   empty when the client is requesting to act as the identity the server
   associated with its authentication credentials.

   The syntax of the initial response is specified as a value of the
   <extern-initial-resp> production detailed below using the Augmented
   Backus-Naur Form (ABNF) [RFC4234] notation.

      external-initial-resp = authz-id-string
      authz-id-string       = *( UTF8-char-no-nul )
      UTF8-char-no-nul      = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4
      UTF8-1-no-nul         = %x01-7F




Melnikov & Zeilenga         Standards Track                    [Page 29]


RFC 4422                          SASL                         June 2006


   where the <UTF8-2>, <UTF8-3>, and <UTF8-4> productions are as defined
   in [RFC3629].

   There are no additional challenges and responses.

   Hence, the server is to return the outcome of the authentication
   exchange.

   The exchange fails if

   -  the client has not established its credentials via external means,

   -  the client's credentials are inadequate,

   -  the client provided an empty authorization identity string and the
      server is unwilling or unable to associate an authorization
      identity with the client's credentials,

   -  the client provided a non-empty authorization identity string that
      is invalid per the syntax requirements of the applicable
      application protocol specification,

   -  the client provided a non-empty authorization identity string
      representing an identity that the client is not allowed to act as,
      or

   -  the server is unwilling or unable to provide service to the client
      for any other reason.

   Otherwise the exchange is successful.  When indicating a successful
   outcome, additional data is not provided.

A.2.  SASL EXTERNAL Examples

   This section provides examples of EXTERNAL authentication exchanges.
   The examples are intended to help the readers understand the above
   text.  The examples are not definitive.  The Application
   Configuration Access Protocol (ACAP) [RFC2244] is used in the
   examples.

   The first example shows use of EXTERNAL with an empty authorization
   identity.  In this example, the initial response is not sent in the
   client's request to initiate the authentication exchange.

      S: * ACAP (SASL "DIGEST-MD5")
      C: a001 STARTTLS
      S: a001 OK "Begin TLS negotiation now"
      <TLS negotiation, further commands are under TLS layer>



Melnikov & Zeilenga         Standards Track                    [Page 30]


RFC 4422                          SASL                         June 2006


      S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
      C: a002 AUTHENTICATE "EXTERNAL"
      S: + ""
      C: + ""
      S: a002 OK "Authenticated"

   The second example shows use of EXTERNAL with an authorization
   identity of "fred@example.com".  In this example, the initial
   response is sent with the client's request to initiate the
   authentication exchange.  This saves a round-trip.

      S: * ACAP (SASL "DIGEST-MD5")
      C: a001 STARTTLS
      S: a001 OK "Begin TLS negotiation now"
      <TLS negotiation, further commands are under TLS layer>
      S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
      C: a002 AUTHENTICATE "EXTERNAL" {16+}
      C: fred@example.com
      S: a002 NO "Cannot assume requested authorization identity"

A.3.  Security Considerations

   The EXTERNAL mechanism provides no security protection; it is
   vulnerable to spoofing by either client or server, active attack, and
   eavesdropping.  It should only be used when adequate security
   services have been established.

Appendix B.  Changes since RFC 2222

   This appendix is non-normative.

   The material in RFC 2222 was significantly rewritten in the
   production of this document.

   RFC 2222, by not stating that the authorization identity string was a
   string of Unicode characters, let alone character data, implied that
   the authorization identity string was a string of octets.

   -  The authorization identity string is now defined as a string of
      Unicode characters.  The NUL (U+0000) character is prohibited.
      While protocol specifications are responsible for defining the
      authorization identity form, as well as the Unicode string syntax
      and related semantics, mechanism specifications are responsible
      for defining how the Unicode string is carried in the
      authentication exchange.

   -  Deleted "If so, when the client does not send data first, the
      initial challenge MUST be specified as being an empty challenge."



Melnikov & Zeilenga         Standards Track                    [Page 31]


RFC 4422                          SASL                         June 2006


   The following technical change was made to the EXTERNAL mechanism:

      - The authorization identity string is to be UTF-8 encoded.

      Note that protocol and mechanism specification requirements have
      been significantly tightened.  Existing protocol and mechanism
      specifications will need to be updated to meet these requirements.

Editors' Addresses

   Alexey Melnikov
   Isode Limited
   5 Castle Business Village
   36 Station Road
   Hampton, Middlesex,
   TW12 2BX, United Kingdom

   EMail: Alexey.Melnikov@isode.com
   URI:   http://www.melnikov.ca/


   Kurt D. Zeilenga
   OpenLDAP Foundation

   EMail: Kurt@OpenLDAP.org


























Melnikov & Zeilenga         Standards Track                    [Page 32]


RFC 4422                          SASL                         June 2006


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).







Melnikov & Zeilenga         Standards Track                    [Page 33]


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/