Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
Alexey Melnikov <alexey.melnikov@isode.com> Mon, 15 January 2007 11:39 UTC
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FBdVnZ026456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jan 2007 04:39:31 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l0FBdVSM026455; Mon, 15 Jan 2007 04:39:31 -0700 (MST) (envelope-from owner-ietf-pop3ext@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pop3ext@mail.imc.org using -f
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l0FBdUf9026443; Mon, 15 Jan 2007 04:39:30 -0700 (MST) (envelope-from alexey.melnikov@isode.com)
Received: from [172.16.1.99] (shiny.isode.com [62.3.217.250]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <Ratn8ABD3Y1Q@rufus.isode.com>; Mon, 15 Jan 2007 11:39:29 +0000
Message-ID: <45AB67E5.2030505@isode.com>
Date: Mon, 15 Jan 2007 11:39:17 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Abhijit Menon-Sen <ams@oryx.com>
CC: Frank Ellermann <nobody@xyzzy.claranet.de>, ietf-sasl@imc.org, lisa@osafoundation.org, ietf-pop3ext@imc.org, robsiemb@google.com
Subject: Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication
References: <FDF696C1-7407-4C60-8D8F-04CC492BE435@osafoundation.org> <1E59CC0D-7022-4400-BA48-D9D7B427ABEF@commerce.net> <45A9DFA8.68E4@xyzzy.claranet.de> <20070114105359.GA30833@penne.toroid.org>
In-Reply-To: <20070114105359.GA30833@penne.toroid.org>
MIME-version: 1.0
Content-type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-transfer-encoding: 7bit
Sender: owner-ietf-pop3ext@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pop3ext/mail-archive/>
List-ID: <ietf-pop3ext.imc.org>
List-Unsubscribe: <mailto:ietf-pop3ext-request@imc.org?body=unsubscribe>
Abhijit Menon-Sen wrote: >At 2007-01-14 08:45:44 +0100, nobody@xyzzy.claranet.de wrote: > > >>None of the POP3 servers I know support SASL, let alone DIGEST-MD5. >> >> >Just a note: My POP3 server has supported SASL for a long time. > > The same is true for Cyrus and Isode implementations. [...] >>Other nits / questions about the -08 draft: >> >>RFC 1734 had "AUTH" 1*WSP auth_type *(CRLF base64) CRLF >>The draft has "AUTH" SP sasl-mech [SP (base64 / "=" )] *(CRLF [base64]) CRLF >> >>1: Why was 1*WSP replaced by a single SP ? >> >> >I don't know (happened before I inherited the draft). Rob? > Only allowing for a single space makes implementation simpler. [...] >>The added DIGEST-MD5 example (thanks!) uses an RFC 4422 "empty response" >>at the end: >> >> S: + cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA== >> C: >> S: +OK Maildrop locked and ready >> >>5: Why is an empty response no "=" as in the <initial-response> ? >> >> >Because it's not an initial response. (The "=" encoding for an empty >SASL initial response is taken from Rob's IMAP SASL-IR draft.) > > Historically an empty response wasn't sent as "=". The "=" is used to specify an empty initial response (which is different from the missing initial response). >>The syntax for <continue-req> requires a trailing space if it's empty. >> >> continue-req = "+" SP [base64] CRLF >> >> >That's consistent with IMAP. > >I notice the following: > > Additionally, the ABNF specified in [RFC2449] is updated as follows: > > challenge /= continue-req > >But the ABNF specified in RFC2449 (pop3 extension mechanism) doesn't >actually define a "challenge" at all (and that /= should be =/ in any >case). I can't find anything that seems to define challenge in a way >relevant to POP3. (1734 doesn't define challenge at all.) > >Rob? Do you remember what the intent was here? > > The space is required in other application protocols using SASL (e.g. IMAP). [...] >>8: What is the meaning of a <realm> wrt POP3 ? Can servers pick what >> they like ? >> Yes. >>What's the definition of <authzid> wrt POP3 ? >> From POP3 SASL draft: The authorization identity generated by the SASL exchange is a simple username, and SHOULD use the SASLprep profile (see [RFC4013]) of the StringPrep algorithm (see [RFC3454]) to prepare these names for matching. If preparation of the authorization identity fails or results in an empty string (unless it was transmitted as the empty string), the server MUST fail the authentication. >> If it >> isn't allowed the draft should mention this. >> >> >That depends entirely on the server implementation, I'd say. > > >>9: RFC 2831 requires that the size of a digest-response is less than >> 4096 bytes. 4*4095/3=5460, the draft should state this limit for >> a DIGEST-MD5 response, it's more than the 40 guaranteed in RFC 1939. >> >> > >I don't think it's really necessary. The length limitation, so far as it >applies to the initial-response, is described already: > > For the purposes of the initial client response, the line > length limitation defined in [RFC2449] still applies. If a > client initial send would cause the AUTH command to exceed > this length, the client MUST NOT use the initial response > parameter (and must proceed instead by sending its initial > response after an empty challenge from the server, as in > section 3 of [RFC4422]). > > [...] >>11: Can the client indicate its <maxbuf>, and what would servers do >> with it ? >> The server is not allowed to send buffers encoded with SASL security layer, which are bigger than the value specified by the client. >>Do all clients support the default 64 KB ? >> I don't think so. It wouldn't be the case for clients running on small devices. >>Wrt POP3 is >> a <maxbuf> the maximal line lenght, or the combined multi-line >> lenght (i.e. message size) ? >> >> Neither. <maxbuf> is not related to line lengths during authentication exchange, it only affects SASL security layer. >I'm afraid I have no idea. > >
- "POP3 SASL Authentication Mechanism" submitted fo… Lisa Dusseault
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Alexey Melnikov
- RE: "POP3 SASL Authentication Mechanism" submitte… Kurt D. Zeilenga
- RE: "POP3 SASL Authentication Mechanism" submitte… Lyndon Nerenberg
- RE: "POP3 SASL Authentication Mechanism" submitte… Paul Leach
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Frank Ellermann
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Frank Ellermann
- Re: "POP3 SASL Authentication Mechanism" submitte… Lisa Dusseault
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Arnt Gulbrandsen
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Alexey Melnikov
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Alexey Melnikov
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Hector Santos
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Frank Ellermann
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Simon Josefsson
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Abhijit Menon-Sen
- Re: Fwd: "POP3 SASL Authentication Mechanism" sub… Frank Ellermann