Editotorial changes (was Re: sasl-rfc2222bis review notes [long])
Alexey Melnikov <Alexey.Melnikov@isode.com> Tue, 02 March 2004 00:08 UTC
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i2208Pic058484; Mon, 1 Mar 2004 16:08:25 -0800 (PST) (envelope-from owner-ietf-sasl@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i2208Ppw058483; Mon, 1 Mar 2004 16:08:25 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-sasl@mail.imc.org using -f
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i2208NP8058467 for <ietf-sasl@imc.org>; Mon, 1 Mar 2004 16:08:24 -0800 (PST) (envelope-from Alexey.Melnikov@isode.com)
Received: from isode.com (MISHA.isode.net [218.37.227.80]) by rufus.isode.com via TCP (with SMTP (internal)) with ESMTPA; Tue, 2 Mar 2004 00:08:23 +0000
Message-ID: <4043C123.207@isode.com>
Date: Tue, 02 Mar 2004 08:02:59 +0900
From: Alexey Melnikov <Alexey.Melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
CC: ietf-sasl@imc.org
Subject: Editotorial changes (was Re: sasl-rfc2222bis review notes [long])
References: <6.0.1.1.0.20040225173049.04ce5210@127.0.0.1>
In-Reply-To: <6.0.1.1.0.20040225173049.04ce5210@127.0.0.1>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
Kurt D. Zeilenga wrote: >> The Simple Authentication and Security Layer (SASL) provides a method >> for adding authentication support with an optional security layer to >> connection-based protocols. >> >> > >As used here, the word "optional" implies that protocols MAY >include security layer support. > In theory a protocol profile can disallow usage of a SASL security layer. >Suggest this be reworded > > The Simple Authentication and Security Layer (SASL) is a > framework for providing authentication and data security > services in connection-based protocols. > I like that. >> It also describes a structure for >> authentication mechanisms. The result is an abstraction layer >> between protocols and authentication mechanisms such that any SASL- >> compatible authentication mechanism can be used with any SASL- >> compatible protocol. >> >> This document describes how a SASL authentication mechanism is >> structured, describes how a protocol adds support for SASL, defines >> the protocol for carrying a security layer over a connection, and >> defines the EXTERNAL SASL authentication mechanism. >> >> > >It might be better to transpose EXTERNAL and SASL here. > Done. >>2. Organization of this document >> >>2.1. How to read this document >> >> This document is written to serve several different audiences, >> protocol designers using this specification to support authentication >> in their protocol, mechanism designers that define new SASL >> mechanisms, and implementors of clients or servers for those >> protocols using this specification. >> >> > >I suggest using a bullet list for the above. > Sounds good. > > >... > >>2.2. Conventions used in this document >> >> In examples, "C:" and "S:" indicate lines sent by the client and >> server respectively. >> >> The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" >> in this document are to be interpreted as defined in "Key words for >> use in RFCs to Indicate Requirement Levels" [KEYWORDS]. >> >> Character names in this document use the notation for code points and >> names from the Unicode Standard [Unicode]. For example, the letter >> "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>. >> >> This document uses terms "integrity protection" and "confidentiality >> protection". The former references to a security layer that is able >> to detect data modification by using some kind of hash. However, >> >> > >I suggest the "by using some kind of hash" qualification be dropped. >The term "integrity protection" applies to any layer which is capable >of detecting data modification (regardless of whether it using some >kind of hash or not). I suggest: > > The term "integrity protection" refers to a security layer > designed to detect unauthorized data modification. > Ok ... >> authentication mechanism to be defined once, making it usable by any >> SASL protocol profile. In many implementations, the same SASL >> mechanism code is used for multiple protocols. >> >> > >Add another (see above) subsection which > >X.Y. Relationship to other documents > > This document obsoletes RFC 2222. It replaces all portions of > RFC 2222 excepting sections 7.1 (Kerberos version 4 mechanism), > 7.2 (GSSAPI mechanism), 7.3 (S/Key mechanism). The Kerberos > version 4 (KERBEROS_IV) and S/Key (SKEY) mechanisms are now > viewed as obsolete. The GSSAPI mechanism is now separately > specified [SASL-GSSAPI]. > I've added this as "Appendix B". The detailed list of changes in now Appendix C. >> Procedures for registering new SASL mechanisms are given in section 8. >> >> The "sasl-mech" production below defines the syntax of a SASL >> mechanism name. This uses the Augmented Backus-Naur Form (ABNF) >> notation as specified in [ABNF] and the ABNF core rules as specified >> in Appendix A of the ABNF specification [ABNF]. >> >> sasl-mech = 1*20mech-char >> mech-char = %x41-5A / DIGIT / "-" / "_" >> ; mech names restricted to ASCII uppercase letters, >> ; digits, "-" and "_" >> >> >> > >I suggest this comment be replaced with: > ; mech-char is restricted to "A"-"Z", "0"-"9", "-", and "_" > : from ASCII character set. > Done >... > >>5.2. Mechanism profile guidelines >> >> Designers of new SASL mechanism should be aware of the following >> issues: >> >> 1) Authorization identity. >> >> > >Remove the "." > Ok. >>6.1.1. Client sends data first examples >> >> The following are two examples of an SECURID authentication [SASL- >> SECURID] in the SMTP protocol [SMTP]. In the first example below, >> the client is trying fast reauthentication by sending the initial >> response: >> >> S: 220-smtp.example.com ESMTP Server >> C: EHLO client.example.com >> S: 250-smtp.example.com Hello client.example.com, pleased to meet you >> >> > >This line is too long. Suggest you s/Hello.*/Welcome client.example.com/ > Done. >> S: 250-AUTH GSSAPI SECURID >> S: 250 DSN >> C: AUTH SECURID AG1hZ251cwAxMjM0NTY3OAA= >> S: 235 Authentication successful >> >> The example below is almost identical to the previous, but here the >> client chooses not to use the initial response parameter. >> >> S: 220-smtp.example.com ESMTP Server >> C: EHLO client.example.com >> S: 250-smtp.example.com Hello client.example.com, pleased to meet you >> >> > >This line is too long. > Done. >> S: 250-AUTH GSSAPI SECURID >> S: 250 DSN >> C: AUTH SECURID >> S: 334 >> C: AG1hZ251cwAxMjM0NTY3OAA= >> S: 235 Authentication successful >> >> Section 7.2 contains an additional example. >> >> > >Indention is off here. > Thanks. > >Also note that 7.2 provides two examples as does 6.2.1. >So, this should read: > Additonal examples can be found in sections 6.2.1 and 7.2. > Changed. >> C: <stream:stream >> xmlns='jabber:client' >> xmlns:stream='http://etherx.jabber.org/streams' >> to='example.com' >> version='1.0'> >> S: <stream:stream >> xmlns='jabber:client' >> xmlns:stream='http://etherx.jabber.org/streams' >> id='c2s_234' >> from='example.com' >> version='1.0'> >> S: <stream:features> >> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> >> <mechanism>DIGEST-MD5</mechanism> >> <mechanism>CRAM-MD5</mechanism> >> </mechanisms> >> </stream:features> >> C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' >> mechanism='DIGEST-MD5'/> >> S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> >> cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi >> >> > >This line is too long... > Fixed. >> LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg== >> </challenge> >> C: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> >> dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0i >> T0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAw >> MDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20i >> LHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNo >> YXJzZXQ9dXRmLTgK >> </response> >> S: <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> >> cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo= >> </success> >> >> The example below is almost identical to the previous, but here >> the server chooses not to use the additional data with success. >> >> C: <stream:stream >> xmlns='jabber:client' >> xmlns:stream='http://etherx.jabber.org/streams' >> to='example.com' >> version='1.0'> >> S: <stream:stream >> xmlns='jabber:client' >> xmlns:stream='http://etherx.jabber.org/streams' >> id='c2s_234' >> from='example.com' >> version='1.0'> >> S: <stream:features> >> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> >> <mechanism>DIGEST-MD5</mechanism> >> <mechanism>CRAM-MD5</mechanism> >> </mechanisms> >> </stream:features> >> C: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' >> mechanism='DIGEST-MD5'/> >> S: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> >> cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi >> >> > >This line is too long. > Fixed. >... > > >> Non-terminals referenced but not defined below are as defined by >> [UTF-8]. >> >> > >I suggest the non-terminal productions be directly incorporated >into this document. > I actually disagree. If there is an update to UTF-8, I wouldn't like to waste additional time trying to synchronize the two. >> The "extern-init-resp" rule below defines the initial response sent >> from client to server. >> >> extern-init-resp = *( UTF8-char-no-nul ) >> >> UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4 >> >> UTF8-1-no-nul = %x01-7F >> >> >>7.2. Example >> >>... >> >> The following example is almost identical to the one above, but the >> client doesn't use proxy authentication. >> >> > >s/use/request/ > Changed. >> S: 220 smtp.example.com ESMTP server ready >> C: EHLO jgm.example.com >> S: 250-smtp.example.com >> S: 250 AUTH DIGEST-MD5 EXTERNAL >> C: AUTH EXTERNAL >> S: 235 Authentication successful. >> >> >>8. IANA Considerations >> >>8.1. Guidelines for IANA >> >> It is requested that IANA updates the SASL mechanisms registry as >> follows: >> >> Change the "Intended usage" of the KERBEROS_V4 and SKEY mechanism >> registrations to OBSOLETE. Change the "Published specification" >> of the EXTERNAL mechanism to this document. Updated registration >> is provided in Section 8.6. >> >> > >s/registration/registration information/ > Done. >>... >> >> >>10. References >> >>10.1. Normative References >> >> [ABNF] Crocker, D. (Ed.), Overell, P., "Augmented BNF for Syntax >> Specifications: ABNF", RFC 2234, November 1997 >> >> [ASCII] American National Standards Institute, "Code Extension >> Techniques for Use with the 7-bit Coded Character Set of American >> National Standard Code (ASCII) for Information Interchange", FIPS PUB >> 35, 1974 >> >> [CHARSET-POLICY] Alvestrand, H., "IETF Policy on Character Sets and >> Languages", RFC 2277, BCP 18, January 1998 >> >> [GSSAPI] Linn, J., "Generic Security Service Application Program >> Interface, Version 2, Update 1", RFC 2743, January 2000 >> >> [ISO-10646] "Universal Multiple-Octet Coded Character Set (UCS) - >> Architecture and Basic Multilingual Plane", ISO/IEC 10646-1 : 1993. >> >> > >This reference is never used and hence should be deleted. > Done. >> [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate >> Requirement Levels", RFC 2119, BCP 19, March 1997 >> >> [Unicode] The Unicode Consortium, "The Unicode Standard, Version >> 3.2.0" is defined by "The Unicode Standard, Version 3.0" (Reading, >> MA, Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the >> "Unicode Standard Annex #27: Unicode 3.1" >> (http://www.unicode.org/reports/tr27/) and by the "Unicode Standard >> Annex #28: Unicode 3.2" (http://www.unicode.org/reports/tr28/). >> >> [Stringprep] Hoffman, P., Blanchet, M., "Preparation of >> Internationalized Strings ("stringprep")", RFC 3454, December 2002. >> >> [SASLprep] Zeilenga, K., "SASLprep: Stringprep profile for user names >> and passwords", Work in progress, draft-ietf-sasl-saslprep-XX.txt. >> >> [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", >> RFC 3629, STD 63, November 2003. >> >>10.2. Informative References >> >> [SASL-GSSAPI] Melnikov, A., "SASL GSSAPI mechanisms", work in >> progress, draft-ietf-sasl-gssapi-XX.txt, November 2003 >> >> [SASL-DIGEST] Leach, P., Newman, C., Melnikov, A., "Using Digest >> Authentication as a SASL Mechanism", work in progress, draft-ietf- >> sasl-rfc2831bis-XX.txt, replaces RFC 2831 >> >> [SASL-OTP] Newman, C., "The One-Time-Password SASL Mechanism", RFC >> 2444, October 1998. >> >> [SASL-SECURID] Nystrom, M., "The SecurID(r) SASL Mechanism", RFC >> 2808, April 2000. >> >> [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, April >> 2001. >> >> [SMTP-AUTH] Myers, J., "SMTP Service Extension for Authentication", >> RFC 2554, March 1999. >> >> Being revised by Siemborski, R., "SMTP Service Extension for >> Authentication", work in progress, draft-siemborski-rfc2554bis- >> XX.txt. >> >> > >This reference should be put into proper form. > I am not sure what exactly you suggest here. > >> [XMPP] Saint-Andre, P., "Extensible Messaging and Presence Protocol >> (XMPP): Core", work in progress, draft-ietf-xmpp-core-XX.txt. >> >> [BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data >> >> >> >>A. Melnikov FORMFEED[Page 21] >> >> >> >> >> >>Internet DRAFT SASL 14 February 2004 >> >> >> Encodings", RFC 3548, July 2003. >> >> [RFC-INSTRUCTIONS] Postel, J., Reynolds, J., "Instructions to RFC >> Authors", RFC 2223, October 1997. >> >> [IANA-SASL] IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL) >> MECHANISMS", http://www.iana.org/assignments/sasl-mechanisms. >> >>11. Editor's Address >> >> Alexey Melnikov >> Isode Limited >> >> Email: Alexey.Melnikov@isode.com >> >>12. Acknowledgments >> >> This document is a revision of RFC 2222 written by John G. Myers. He >> also contributed significantly to this revision. >> >> Magnus Nystrom provided the ASCII art used in Section 6.3. >> >> Definition of partition was extracted from RFC 2617 ("HTTP >> Authentication: Basic and Digest Access Authentication"). >> >> Contributions of many members of the SASL mailing list are gratefully >> acknowledged, in particular Kurt D. Zeilenga, Peter Saint-Andre, Rob >> Siemborski, Jeffrey Hutzelman, Hallvard B Furuseth, Tony Hansen and >> Abhijit Menon-Sen for proofreading the document and various editorial >> suggestions. >> >> > >Suggest you drop middle initials. > As you wish :-). >Needs IPR notice. > Added. Alexey
- sasl-rfc2222bis review notes [long] Kurt D. Zeilenga
- Re: sasl-rfc2222bis review notes [long] Jeffrey Hutzelman
- Re: sasl-rfc2222bis review notes [long] Kurt D. Zeilenga
- Re: sasl-rfc2222bis review notes [long] Rob Siemborski
- Re: sasl-rfc2222bis review notes [long] Kurt D. Zeilenga
- Re: sasl-rfc2222bis review notes [long] Rob Siemborski
- Re: sasl-rfc2222bis review notes [long] Kurt D. Zeilenga
- Authentication/authorization id clarification (wa… Alexey Melnikov
- Re: sasl-rfc2222bis review notes [long] Alexey Melnikov
- Re: sasl-rfc2222bis review notes [long] Alexey Melnikov
- Re: sasl-rfc2222bis review notes [long] Rob Siemborski
- Re: sasl-rfc2222bis review notes [long] Alexey Melnikov
- Re: sasl-rfc2222bis review notes [long] Alexey Melnikov
- Editotorial changes (was Re: sasl-rfc2222bis revi… Alexey Melnikov
- More editorial changes (was sasl-rfc2222bis revie… Alexey Melnikov
- Re: sasl-rfc2222bis review notes [long] Alexey Melnikov