Home Esplora Aiuto
Accedi
bux
/
muzich
Segui 1
Vota 0
Forka 0
Codice Problemi 0 Pull Requests 0 Rilasci 0 Wiki Activity
624 Commit
1 Rami (Branch)
Albero (Tree): c3bfaaeff9
Rami (Branch) Tag
${ item.name }
Create branch ${ searchTerm }
from 'c3bfaaeff9'
${ noResults }
muzich/vendor/swiftmailer/notes/rfc/rfc4505.txt

rfc4505.txt 16KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508 
  1. 

  2. 

  3. 

  4. 

  5. 

  6. 

  7. Network Working Group                                   K. Zeilenga, Ed.

  8. Request for Comments: 4505                           OpenLDAP Foundation

  9. Obsoletes: 2245                                                June 2006

  10. Category: Standards Track

  11. 

  12. 

  13.   Anonymous Simple Authentication and Security Layer (SASL) Mechanism

  14. 

  15. Status of This Memo

  16. 

  17.    This document specifies an Internet standards track protocol for the

  18.    Internet community, and requests discussion and suggestions for

  19.    improvements.  Please refer to the current edition of the "Internet

  20.    Official Protocol Standards" (STD 1) for the standardization state

  21.    and status of this protocol.  Distribution of this memo is unlimited.

  22. 

  23. Copyright Notice

  24. 

  25.    Copyright (C) The Internet Society (2006).

  26. 

  27. Abstract

  28. 

  29.    On the Internet, it is common practice to permit anonymous access to

  30.    various services.  Traditionally, this has been done with a plain-

  31.    text password mechanism using "anonymous" as the user name and using

  32.    optional trace information, such as an email address, as the

  33.    password.  As plain-text login commands are not permitted in new IETF

  34.    protocols, a new way to provide anonymous login is needed within the

  35.    context of the Simple Authentication and Security Layer (SASL)

  36.    framework.

  37. 

  38. 1.  Introduction

  39. 

  40.    This document defines an anonymous mechanism for the Simple

  41.    Authentication and Security Layer ([SASL]) framework.  The name

  42.    associated with this mechanism is "ANONYMOUS".

  43. 

  44.    Unlike many other SASL mechanisms, whose purpose is to authenticate

  45.    and identify the user to a server, the purpose of this SASL mechanism

  46.    is to allow the user to gain access to services or resources without

  47.    requiring the user to establish or otherwise disclose their identity

  48.    to the server.  That is, this mechanism provides an anonymous login

  49.    method.

  50. 

  51.    This mechanism does not provide a security layer.

  52. 

  53.    This document replaces RFC 2245.  Changes since RFC 2245 are detailed

  54.    in Appendix A.

  55. 

  56. 

  57. 

  58. Zeilenga                    Standards Track                     [Page 1]

  59. 

  60. RFC 4505                Anonymous SASL Mechanism               June 2006

  61. 

  62. 

  63. 2.  The Anonymous Mechanism

  64. 

  65.    The mechanism consists of a single message from the client to the

  66.    server.  The client may include in this message trace information in

  67.    the form of a string of [UTF-8]-encoded [Unicode] characters prepared

  68.    in accordance with [StringPrep] and the "trace" stringprep profile

  69.    defined in Section 3 of this document.  The trace information, which

  70.    has no semantical value, should take one of two forms: an Internet

  71.    email address, or an opaque string that does not contain the '@'

  72.    (U+0040) character and that can be interpreted by the system

  73.    administrator of the client's domain.  For privacy reasons, an

  74.    Internet email address or other information identifying the user

  75.    should only be used with permission from the user.

  76. 

  77.    A server that permits anonymous access will announce support for the

  78.    ANONYMOUS mechanism and allow anyone to log in using that mechanism,

  79.    usually with restricted access.

  80. 

  81.    A formal grammar for the client message using Augmented BNF [ABNF] is

  82.    provided below as a tool for understanding this technical

  83.    specification.

  84. 

  85.       message     = [ email / token ]

  86.                     ;; to be prepared in accordance with Section 3

  87. 

  88.       UTF1        = %x00-3F / %x41-7F ;; less '@' (U+0040)

  89.       UTF2        = %xC2-DF UTF0

  90.       UTF3        = %xE0 %xA0-BF UTF0 / %xE1-EC 2(UTF0) /

  91.                     %xED %x80-9F UTF0 / %xEE-EF 2(UTF0)

  92.       UTF4        = %xF0 %x90-BF 2(UTF0) / %xF1-F3 3(UTF0) /

  93.                     %xF4 %x80-8F 2(UTF0)

  94.       UTF0        = %x80-BF

  95. 

  96.       TCHAR       = UTF1 / UTF2 / UTF3 / UTF4

  97.                     ;; any UTF-8 encoded Unicode character

  98.                     ;; except '@' (U+0040)

  99. 

  100.       email       = addr-spec

  101.                     ;; as defined in [IMAIL]

  102. 

  103.       token       = 1*255TCHAR

  104. 

  105.    Note to implementors:

  106.       The <token> production is restricted to 255 UTF-8-encoded Unicode

  107.       characters.  As the encoding of a characters uses a sequence of 1

  108.       to 4 octets, a token may be as long as 1020 octets.

  109. 

  110. 

  111. 

  112. 

  113. 

  114. Zeilenga                    Standards Track                     [Page 2]

  115. 

  116. RFC 4505                Anonymous SASL Mechanism               June 2006

  117. 

  118. 

  119. 3.  The "trace" Profile of "Stringprep"

  120. 

  121.    This section defines the "trace" profile of [StringPrep].  This

  122.    profile is designed for use with the SASL ANONYMOUS Mechanism.

  123.    Specifically, the client is to prepare the <message> production in

  124.    accordance with this profile.

  125. 

  126.    The character repertoire of this profile is Unicode 3.2 [Unicode].

  127. 

  128.    No mapping is required by this profile.

  129. 

  130.    No Unicode normalization is required by this profile.

  131. 

  132.    The list of unassigned code points for this profile is that provided

  133.    in Appendix A of [StringPrep].  Unassigned code points are not

  134.    prohibited.

  135. 

  136.    Characters from the following tables of [StringPrep] are prohibited:

  137. 

  138.       - C.2.1 (ASCII control characters)

  139.       - C.2.2 (Non-ASCII control characters)

  140.       - C.3 (Private use characters)

  141.       - C.4 (Non-character code points)

  142.       - C.5 (Surrogate codes)

  143.       - C.6 (Inappropriate for plain text)

  144.       - C.8 (Change display properties are deprecated)

  145.       - C.9 (Tagging characters)

  146. 

  147.    No additional characters are prohibited.

  148. 

  149.    This profile requires bidirectional character checking per Section 6

  150.    of [StringPrep].

  151. 

  152. 4.  Example

  153. 

  154.    Here is a sample ANONYMOUS login between an IMAP client and server.

  155.    In this example, "C:" and "S:" indicate lines sent by the client and

  156.    server, respectively.  If such lines are wrapped without a new "C:"

  157.    or "S:" label, then the wrapping is for editorial clarity and is not

  158.    part of the command.

  159. 

  160.    Note that this example uses the IMAP profile [IMAP4] of SASL.  The

  161.    base64 encoding of challenges and responses as well as the "+ "

  162.    preceding the responses are part of the IMAP4 profile, not part of

  163.    SASL itself.  Additionally, protocols with SASL profiles permitting

  164.    an initial client response will be able to avoid the extra round trip

  165.    below (the server response with an empty "+ ").

  166. 

  167. 

  168. 

  169. 

  170. Zeilenga                    Standards Track                     [Page 3]

  171. 

  172. RFC 4505                Anonymous SASL Mechanism               June 2006

  173. 

  174. 

  175.    In this example, the trace information is "sirhc".

  176. 

  177.       S: * OK IMAP4 server ready

  178.       C: A001 CAPABILITY

  179.       S: * CAPABILITY IMAP4 IMAP4rev1 AUTH=DIGEST-MD5 AUTH=ANONYMOUS

  180.       S: A001 OK done

  181.       C: A002 AUTHENTICATE ANONYMOUS

  182.       S: +

  183.       C: c2lyaGM=

  184.       S: A003 OK Welcome, trace information has been logged.

  185. 

  186. 5.  Security Considerations

  187. 

  188.    The ANONYMOUS mechanism grants access to services and/or resources by

  189.    anyone.  For this reason, it should be disabled by default so that

  190.    the administrator can make an explicit decision to enable it.

  191. 

  192.    If the anonymous user has any write privileges, a denial-of-service

  193.    attack is possible by filling up all available space.  This can be

  194.    prevented by disabling all write access by anonymous users.

  195. 

  196.    If anonymous users have read and write access to the same area, the

  197.    server can be used as a communication mechanism to exchange

  198.    information anonymously.  Servers that accept anonymous submissions

  199.    should implement the common "drop box" model, which forbids anonymous

  200.    read access to the area where anonymous submissions are accepted.

  201. 

  202.    If the anonymous user can run many expensive operations (e.g., an

  203.    IMAP SEARCH BODY command), this could enable a denial-of-service

  204.    attack.  Servers are encouraged to reduce the priority of anonymous

  205.    users or limit their resource usage.

  206. 

  207.    While servers may impose a limit on the number of anonymous users,

  208.    note that such limits enable denial-of-service attacks and should be

  209.    used with caution.

  210. 

  211.    The trace information is not authenticated, so it can be falsified.

  212.    This can be used as an attempt to get someone else in trouble for

  213.    access to questionable information.  Administrators investigating

  214.    abuse need to realize that this trace information may be falsified.

  215. 

  216.    A client that uses the user's correct email address as trace

  217.    information without explicit permission may violate that user's

  218.    privacy.  Anyone who accesses an anonymous archive on a sensitive

  219.    subject (e.g., sexual abuse) likely has strong privacy needs.

  220.    Clients should not send the email address without the explicit

  221.    permission of the user and should offer the option of supplying no

  222.    trace information, thus only exposing the source IP address and time.

  223. 

  224. 

  225. 

  226. Zeilenga                    Standards Track                     [Page 4]

  227. 

  228. RFC 4505                Anonymous SASL Mechanism               June 2006

  229. 

  230. 

  231.    Anonymous proxy servers could enhance this privacy but would have to

  232.    consider the resulting potential denial-of-service attacks.

  233. 

  234.    Anonymous connections are susceptible to man-in-the-middle attacks

  235.    that view or alter the data transferred.  Clients and servers are

  236.    encouraged to support external data security services.

  237. 

  238.    Protocols that fail to require an explicit anonymous login are more

  239.    susceptible to break-ins given certain common implementation

  240.    techniques.  Specifically, Unix servers that offer user login may

  241.    initially start up as root and switch to the appropriate user id

  242.    after an explicit login command.  Normally, such servers refuse all

  243.    data access commands prior to explicit login and may enter a

  244.    restricted security environment (e.g., the Unix chroot(2) function)

  245.    for anonymous users.  If anonymous access is not explicitly

  246.    requested, the entire data access machinery is exposed to external

  247.    security attacks without the chance for explicit protective measures.

  248.    Protocols that offer restricted data access should not allow

  249.    anonymous data access without an explicit login step.

  250. 

  251.    General [SASL] security considerations apply to this mechanism.

  252. 

  253.    [StringPrep] security considerations and [Unicode] security

  254.    considerations discussed in [StringPrep] apply to this mechanism.

  255.    [UTF-8] security considerations also apply.

  256. 

  257. 6.  IANA Considerations

  258. 

  259.    The SASL Mechanism registry [IANA-SASL] entry for the ANONYMOUS

  260.    mechanism has been updated by the IANA to reflect that this document

  261.    now provides its technical specification.

  262. 

  263.       To: iana@iana.org

  264.       Subject: Updated Registration of SASL mechanism ANONYMOUS

  265. 

  266.       SASL mechanism name: ANONYMOUS

  267.       Security considerations: See RFC 4505.

  268.       Published specification (optional, recommended): RFC 4505

  269.       Person & email address to contact for further information:

  270.            Kurt Zeilenga <Kurt@OpenLDAP.org>

  271.            Chris Newman <Chris.Newman@sun.com>

  272.       Intended usage: COMMON

  273.       Author/Change controller: IESG <iesg@ietf.org>

  274.       Note: Updates existing entry for ANONYMOUS

  275. 

  276. 

  277. 

  278. 

  279. 

  280. 

  281. 

  282. Zeilenga                    Standards Track                     [Page 5]

  283. 

  284. RFC 4505                Anonymous SASL Mechanism               June 2006

  285. 

  286. 

  287.    The [StringPrep] profile "trace", first defined in this RFC, has been

  288.    registered:

  289. 

  290.       To: iana@iana.org

  291.       Subject: Initial Registration of Stringprep "trace" profile

  292. 

  293.       Stringprep profile: trace

  294.       Published specification: RFC 4505

  295.       Person & email address to contact for further information:

  296.           Kurt Zeilenga <kurt@openldap.org>

  297. 

  298. 7.  Acknowledgement

  299. 

  300.    This document is a revision of RFC 2245 by Chris Newman.  Portions of

  301.    the grammar defined in Section 1 were borrowed from RFC 3629 by

  302.    Francois Yergeau.

  303. 

  304.    This document is a product of the IETF SASL WG.

  305. 

  306. 8.  Normative References

  307. 

  308.    [ABNF]       Crocker, D. and P. Overell, "Augmented BNF for Syntax

  309.                 Specifications: ABNF", RFC 4234, October 2005.

  310. 

  311.    [IMAIL]      Resnick, P., "Internet Message Format", RFC 2822, April

  312.                 2001.

  313. 

  314.    [SASL]       Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple

  315.                 Authentication and Security Layer (SASL)", RFC 4422,

  316.                 June 2006.

  317. 

  318.    [StringPrep] Hoffman, P. and M. Blanchet, "Preparation of

  319.                 Internationalized Strings ('stringprep')", RFC 3454,

  320.                 December 2002.

  321. 

  322.    [Unicode]    The Unicode Consortium, "The Unicode Standard, Version

  323.                 3.2.0" is defined by "The Unicode Standard, Version 3.0"

  324.                 (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),

  325.                 as amended by the "Unicode Standard Annex #27: Unicode

  326.                 3.1" (http://www.unicode.org/reports/tr27/) and by the

  327.                 "Unicode Standard Annex #28: Unicode 3.2"

  328.                 (http://www.unicode.org/reports/tr28/).

  329. 

  330.    [UTF-8]      Yergeau, F., "UTF-8, a transformation format of ISO

  331.                 10646", RFC 3629 (also STD 63), November 2003.

  332. 

  333. 

  334. 

  335. 

  336. 

  337. 

  338. Zeilenga                    Standards Track                     [Page 6]

  339. 

  340. RFC 4505                Anonymous SASL Mechanism               June 2006

  341. 

  342. 

  343. 9.  Informative References

  344. 

  345.    [IMAP4]      Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION

  346.                 4rev1", RFC 3501, March 2003.

  347. 

  348.    [IANA-SASL]  IANA, "SIMPLE AUTHENTICATION AND SECURITY LAYER (SASL)

  349.                 MECHANISMS", <http://www.iana.org/assignments/sasl-

  350.                 mechanisms>.

  351. 

  352. 

  353. 

  354. 

  355. 

  356. 

  357. 

  358. 

  359. 

  360. 

  361. 

  362. 

  363. 

  364. 

  365. 

  366. 

  367. 

  368. 

  369. 

  370. 

  371. 

  372. 

  373. 

  374. 

  375. 

  376. 

  377. 

  378. 

  379. 

  380. 

  381. 

  382. 

  383. 

  384. 

  385. 

  386. 

  387. 

  388. 

  389. 

  390. 

  391. 

  392. 

  393. 

  394. Zeilenga                    Standards Track                     [Page 7]

  395. 

  396. RFC 4505                Anonymous SASL Mechanism               June 2006

  397. 

  398. 

  399. Appendix A.  Changes since RFC 2245

  400. 

  401.    This appendix is non-normative.

  402. 

  403.    RFC 2245 allows the client to include optional trace information in

  404.    the form of a human readable string.  RFC 2245 restricted this string

  405.    to US-ASCII.  As the Internet is international, this document uses a

  406.    string restricted to UTF-8 encoded Unicode characters.  A

  407.    "stringprep" profile is defined to precisely define which Unicode

  408.    characters are allowed in this string.  While the string remains

  409.    restricted to 255 characters, the encoded length of each character

  410.    may now range from 1 to 4 octets.

  411. 

  412.    Additionally, a number of editorial changes were made.

  413. 

  414. Editor's Address

  415. 

  416.    Kurt D. Zeilenga

  417.    OpenLDAP Foundation

  418. 

  419.    EMail: Kurt@OpenLDAP.org

  420. 

  421. 

  422. 

  423. 

  424. 

  425. 

  426. 

  427. 

  428. 

  429. 

  430. 

  431. 

  432. 

  433. 

  434. 

  435. 

  436. 

  437. 

  438. 

  439. 

  440. 

  441. 

  442. 

  443. 

  444. 

  445. 

  446. 

  447. 

  448. 

  449. 

  450. Zeilenga                    Standards Track                     [Page 8]

  451. 

  452. RFC 4505                Anonymous SASL Mechanism               June 2006

  453. 

  454. 

  455. Full Copyright Statement

  456. 

  457.    Copyright (C) The Internet Society (2006).

  458. 

  459.    This document is subject to the rights, licenses and restrictions

  460.    contained in BCP 78, and except as set forth therein, the authors

  461.    retain all their rights.

  462. 

  463.    This document and the information contained herein are provided on an

  464.    "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS

  465.    OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET

  466.    ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,

  467.    INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE

  468.    INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED

  469.    WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

  470. 

  471. Intellectual Property

  472. 

  473.    The IETF takes no position regarding the validity or scope of any

  474.    Intellectual Property Rights or other rights that might be claimed to

  475.    pertain to the implementation or use of the technology described in

  476.    this document or the extent to which any license under such rights

  477.    might or might not be available; nor does it represent that it has

  478.    made any independent effort to identify any such rights.  Information

  479.    on the procedures with respect to rights in RFC documents can be

  480.    found in BCP 78 and BCP 79.

  481. 

  482.    Copies of IPR disclosures made to the IETF Secretariat and any

  483.    assurances of licenses to be made available, or the result of an

  484.    attempt made to obtain a general license or permission for the use of

  485.    such proprietary rights by implementers or users of this

  486.    specification can be obtained from the IETF on-line IPR repository at

  487.    http://www.ietf.org/ipr.

  488. 

  489.    The IETF invites any interested party to bring to its attention any

  490.    copyrights, patents or patent applications, or other proprietary

  491.    rights that may cover technology that may be required to implement

  492.    this standard.  Please address the information to the IETF at

  493.    ietf-ipr@ietf.org.

  494. 

  495. Acknowledgement

  496. 

  497.    Funding for the RFC Editor function is provided by the IETF

  498.    Administrative Support Activity (IASA).

  499. 

  500. 

  501. 

  502. 

  503. 

  504. 

  505. 

  506. Zeilenga                    Standards Track                     [Page 9]

  507.