ietf-nntp just a quick draft for everyone...
Jack De Winter
jack at wildbear.on.ca
Tue Dec 17 17:13:32 PST 1996
I talked to Stan Barber in San Jose about the SASL authentication
mechanisms and said I would get permission to do a draft for NNTP
based on the SASL specs for SMTP and POP3. The good part about
doing this is the ability to have common authentication libraries
for messaging systems. I think that some of John Myers' SASL
work will also go into other protocols (ACAP and LDAP should be
including it) and it will also make NNTP stronger.
Of importance here would be a DEFLATE compression library that
I am doing for SASL. Basically, if we can come up with a good
BATCH command, we can probably get terrific compression with the
DEFLATE protocol. (Not sure how all of the breaks in a downloading
datastream will affect the compression.)
However, I am starting to get bogged down with some of this stuff,
and was wondering if some kind soul out there would help draft the
BATCH extension with me? I know what I would like to see from the
extension in terms of maximizing compression, but would also like
to get other input.
Please read through this and let me know of any problems that anyone
sees with this. One off the top of my head is the wording of the
AUTHINFO GENERIC and this draft getting confused.
regards,
Jack
p.s. I am assuming that we have to wait until the base draft becomes
an RFC before we can register the extension types with IANA. Is this
correct?
-------------- next part --------------
INTERNET DRAFT J. De Winter
Expires: ?????, 1997 Wildbear Consulting, Inc.
<draft-dewinter-??-00.txt> 17 December 1996
NNTP SASL AUTHentication command
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts
Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
ftp.isi.edu (US West Coast).
1. Introduction
This document describes the optional AUTHSASL command, for indicating an
authentication mechanism to the server, performing an authentication
protocol exchange, and optionally negotiating a protection mechanism
for subsequent protocol interactions. The authentication and
protection mechanisms used by the NNTP AUTHSASL command are those
defined by the SASL draft [SASL].
Please note that large portions of this document are copied from
[POP3-AUTH] with the permission of the author of that document, John G.
Myers.
2. The AUTHSASL command
AUTHSASL mechanism
Arguments:
a string identifying a SASL authentication mechanism,
such as defined by [SASL]. If no mechanism is identified
after the AUTHSASL command, it is interpreted as a request
for a list of all mechanisms supported by the server.
Restrictions:
may only be given in the AUTHORIZATION state
Discussion:
The AUTHSASL command indicates an authentication mechanism to
the server. If the server supports the requested
authentication mechanism, it performs an authentication
protocol exchange to authenticate and identify the user.
Optionally, it also negotiates a protection mechanism for
subsequent protocol interactions. If the requested
authentication mechanism is not supported, the server
should reject the AUTHSASL command by sending a negative
response.
The authentication protocol exchange consists of a series
of server challenges and client answers that are specific
to the authentication mechanism. A server challenge,
otherwise known as a ready response, is a line consisting
of the 350 "continue with authorization" response code,
followed by a space, and then followed by a BASE64 encoded string.
The client answer consists solely of a line containing a
BASE64 encoded string. If the client wishes
to cancel an authentication exchange, it should issue a
line with a single "*". If the server receives such an
answer, it must reject the AUTHSASL command by sending a
negative response.
A protection mechanism provides integrity and privacy
protection to the protocol session. If a protection
mechanism is negotiated, it is applied to all subsequent
data sent over the connection. The protection mechanism
takes effect immediately following the CRLF that concludes
the authentication exchange for the client, and the CRLF of
the positive response for the server. Once the protection
mechanism is in effect, the stream of command and response
octets is processed into buffers of ciphertext. Each
buffer is transferred over the connection as a stream of
octets prepended with a four octet field in network byte
order that represents the length of the following data.
The maximum ciphertext buffer length is defined by the
protection mechanism.
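The buffer framing described above, as an added example that is not part of the draft: each protected buffer is sent as a four-octet network-byte-order length followed by the data, and the receiver must check the declared length against the mechanism's maximum before it waits for or allocates the body, since the prefix arrives from the peer. The integrity/privacy transform itself is whatever the negotiated SASL mechanism provides and is out of scope here; the buffers are treated as opaque octets, and the mechanism maximum (`max_len`) is an assumed parameter.

```python
import struct

LEN_SIZE = 4       # four-octet length field ...
LEN_FMT = "!I"     # ... in network byte order (big-endian unsigned)


def frame_buffers(buffers, max_len):
    """Prepend each protected buffer with its 4-octet length, refusing any
    buffer longer than the mechanism's maximum ciphertext buffer length."""
    out = bytearray()
    for buf in buffers:
        if len(buf) > max_len:
            raise ValueError(f"buffer of {len(buf)} octets exceeds maximum {max_len}")
        out += struct.pack(LEN_FMT, len(buf)) + buf
    return bytes(out)


class FrameReader:
    """Reassemble length-prefixed buffers from a byte stream that may arrive
    in arbitrary pieces (a TCP read boundary need not match a frame)."""

    def __init__(self, max_len):
        self.max_len = max_len      # assumed: defined by the negotiated mechanism
        self._pending = bytearray()

    def feed(self, data):
        """Absorb `data` and return the list of buffers it completes (maybe none)."""
        self._pending += data
        done = []
        while len(self._pending) >= LEN_SIZE:
            (n,) = struct.unpack_from(LEN_FMT, self._pending, 0)
            # Validate the peer-supplied length first: a bogus prefix must not
            # make us wait for, or allocate, up to 4 GiB of "ciphertext".
            if n > self.max_len:
                raise ValueError(f"declared length {n} exceeds maximum {self.max_len}")
            if len(self._pending) < LEN_SIZE + n:
                break               # body not fully here yet; keep the header queued
            done.append(bytes(self._pending[LEN_SIZE:LEN_SIZE + n]))
            del self._pending[:LEN_SIZE + n]
        return done
```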
The server is not required to support any particular
authentication mechanism, nor are authentication mechanisms
required to support any protection mechanisms. If an AUTHSASL
command fails with a negative response, the session remains
in the AUTHORIZATION state and the client may try another
authentication mechanism by issuing another AUTHSASL command,
or may attempt to authenticate by using other available
authentication commands. In other words, the client may request
authentication types in decreasing order of preference,
with the AUTH USER command as a last resort.
If a request for a list of all the supported authentication mechanisms
is received, the server will return the list of supported mechanisms,
each mechanism on a separate line. The end of the list is denoted by
the period character ('.') on a line by itself. While improbable, it
is possible that an implementation of AUTHSASL will return a null list,
that is, a list consisting of no mechanisms.
Should the client successfully complete the authentication
exchange, the NNTP server issues a positive response and
the NNTP session enters the EXCHANGE state.
Possible Responses:
215 List of supported mechanisms follows.
250 Authorization accepted
350 Continue with authorization sequence
452 Authorization rejected
501 Command not supported
502 Authentication mechanism not defined.
Examples:
...
C: AUTHSASL
S: KERBEROS_V4
S: .
...
C: AUTHSASL KERBEROS_V4
S: 350 AmFYig==
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
+nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
S: 350 or//EoAADZI=
C: DiAF5A4gA+oOIALuBkAAmw==
S: 250 Kerberos V4 authentication successful
...
C: AUTHSASL KERBEROS_V4
S: 350 AmFYig==
C: *
S: 452 Authorization rejected
...
C: AUTHSASL FOOBAR
S: 502 Unrecognized authentication type
Note: the line breaks in the first client answer are
for editorial clarity and are not in real authenticators.
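The client side of the challenge/answer exchange from section 2, as an added example that is not part of the draft: it sends AUTHSASL, decodes each 350 ready response strictly (a non-alphabet character or bad padding is an error, not input for the mechanism), returns on 250 or on a negative response, and can cancel with a lone "*", after which a 250 from the server is treated as a protocol violation. `send`, `recv` and the mechanism step function `respond` are assumed callables supplied by the caller.

```python
import base64
import re

# Response codes from the draft's "Possible Responses" list.
CONTINUE, ACCEPTED = "350", "250"
NEGATIVE = {"452", "501", "502"}

_STATUS = re.compile(r"^(\d{3})(?: (.*))?$")


def parse_server_line(line):
    """Split a server response line into (code, text); reject anything else."""
    m = _STATUS.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed server line: {line!r}")
    return m.group(1), m.group(2) or ""


def decode_challenge(text):
    """A ready response carries one BASE64 string; decode it strictly."""
    try:
        return base64.b64decode(text, validate=True)
    except ValueError as e:     # binascii.Error is a ValueError
        raise ValueError(f"challenge is not valid BASE64: {text!r}") from e


def run_exchange(send, recv, mechanism, respond):
    """Drive one AUTHSASL exchange as the client.

    send(line)/recv() carry CRLF-terminated lines (assumed transport).
    respond(challenge_bytes) is the mechanism's step function (assumed);
    it returns the answer bytes, or None to cancel with a lone '*'.
    Returns (authenticated, final_code). After a negative response the
    session is still in the AUTHORIZATION state and may try again.
    """
    send(f"AUTHSASL {mechanism}\r\n")
    cancelled = False
    while True:
        code, text = parse_server_line(recv())
        if code == ACCEPTED:
            if cancelled:   # the draft says the server must reject after '*'
                raise ValueError("server accepted a cancelled exchange")
            return True, code
        if code in NEGATIVE:
            return False, code
        if code != CONTINUE:
            raise ValueError(f"unexpected response {code} during AUTHSASL")
        answer = respond(decode_challenge(text))
        if answer is None:
            cancelled = True
            send("*\r\n")
            continue
        send(base64.b64encode(answer).decode("ascii") + "\r\n")
```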
3. Formal Syntax
The following syntax specification uses the augmented Backus-Naur
Form (BNF) notation as specified in RFC 822.
Except as noted otherwise, all alphabetic characters are case-
insensitive. The use of upper or lower case characters to define
token strings is for editorial clarity only. Implementations MUST
accept these strings in a case-insensitive fashion.
ATOM_CHAR ::= <any CHAR except atom_specials>
atom_specials ::= "(" / ")" / "{" / SPACE / CTL / "%" / "*" /
                  <"> / "\"
auth ::= "AUTHSASL" [1*(SPACE / TAB) auth_type] *(CRLF base64)
         CRLF
         ;; With no auth_type the command is a request for the
         ;; list of supported mechanisms (see section 2)
auth_type ::= 1*ATOM_CHAR
base64 ::= *(4base64_char) [base64_terminal]
base64_char ::= "A" / "B" / "C" / "D" / "E" / "F" / "G" / "H" /
                "I" / "J" / "K" / "L" / "M" / "N" / "O" / "P" /
                "Q" / "R" / "S" / "T" / "U" / "V" / "W" / "X" /
                "Y" / "Z" /
                "a" / "b" / "c" / "d" / "e" / "f" / "g" / "h" /
                "i" / "j" / "k" / "l" / "m" / "n" / "o" / "p" /
                "q" / "r" / "s" / "t" / "u" / "v" / "w" / "x" /
                "y" / "z" /
                "0" / "1" / "2" / "3" / "4" / "5" / "6" / "7" /
                "8" / "9" / "+" / "/"
                ;; Case-sensitive
base64_terminal ::= (2base64_char "==") / (3base64_char "=")
CHAR ::= <any 7-bit US-ASCII character except NUL,
          0x01 - 0x7f>
continue_req ::= "350" SPACE base64 CRLF
CR ::= <ASCII CR, carriage return, 0x0D>
CRLF ::= CR LF
CTL ::= <any ASCII control character and DEL,
         0x00 - 0x1f, 0x7f>
LF ::= <ASCII LF, line feed, 0x0A>
SPACE ::= <ASCII SP, space, 0x20>
TAB ::= <ASCII HT, tab, 0x09>
4. References
[POP3-AUTH] Myers, J., "POP3 Authentication Mechanisms", RFC 1734,
Carnegie Mellon, December 1994.
[SASL] Myers, J., "Simple Authentication and Security Layer",
draft-myers-auth-sasl-04.txt, July 1996 (not yet published as an RFC)
5. Security Considerations
Security issues are discussed throughout this memo.
6. Author's Address
Jack De Winter
Wildbear Consulting, Inc.
17 Brock Street
Kitchener, Ontario, Canada
N2M 1X2
Email: jack at wildbear.on.ca
-------------------------------------------------
Jack De Winter - Wildbear Consulting, Inc.
(519) 576-3873 http://www.wildbear.on.ca/
Author of SLMail(95/NT) (http://www.seattlelab.com/) and other great products.