Network Working Group                                           J. Myers
Internet Draft                                            September 1997
Document: draft-myers-auth-sasl-12.txt


            Simple Authentication and Security Layer (SASL)

Status of this Memo

   This document is an Internet Draft.  Internet Drafts are working
   documents of the Internet Engineering Task Force (IETF), its Areas,
   and its Working Groups.  Note that other groups may also distribute
   working documents as Internet Drafts.

   Internet Drafts are draft documents valid for a maximum of six
   months.  Internet Drafts may be updated, replaced, or obsoleted by
   other documents at any time.  It is not appropriate to use Internet
   Drafts as reference material or to cite them other than as a
   ``working draft'' or ``work in progress``.

   To learn the current status of any Internet-Draft, please check the
   1id-abstracts.txt listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net, nic.nordu.net, ftp.isi.edu, or
   munnari.oz.au.

   A revised version of this draft document will be submitted to the RFC
   editor as a Proposed Standard for the Internet Community.  Discussion
   and suggestions for improvement are requested.  This document will
   expire before December 1996.  Distribution of this draft is
   unlimited.





















J. Myers                                                        [Page i]


Internet DRAFT                    SASL                 September 9, 1997


1.    Abstract

   This document describes a method for adding authentication support to
   connection-based protocols.  To use this specification, a protocol
   includes a command for identifying and authenticating a user to a
   server and for optionally negotiating protection of subsequent
   protocol interactions.  If its use is negotiated, a security layer is
   inserted between the protocol and the connection.  This document
   describes how a protocol specifies such a command, defines several
   mechanisms for use by the command, and defines the protocol used for
   carrying a negotiated security layer over the connection.

2.    Organization of this Document

2.1.  How to Read This Document

   This document is written to serve two different audiences, protocol
   designers using this specification to support authentication in their
   protocol, and implementors of clients or servers for those protocols
   using this specification.

   The sections "Introduction and Overview", "Profiling requirements",
   and "Security Considerations" cover issues that protocol designers
   need to understand and address in profiling this specification for
   use in a specific protocol.

   Implementors of a protocol using this specification need the
   protocol-specific profiling information in addition to the
   information in this document.

2.2.  Conventions Used in this Document

   In examples, "C:" and "S:" indicate lines sent by the client and
   server respectively.

   The following terms are used in this document to signify the
   requirements of this specification.

   1) MUST, or the adjective REQUIRED, means that the definition is an
   absolute requirement of the specification.

   2) MUST NOT that the definition is an absolute prohibition of the
   specification.

   3) SHOULD means that there may exist valid reasons in particular
   circumstances to ignore a particular item, but the full implications
   MUST be understood and carefully weighed before choosing a different
   course.



J. Myers                                                        [Page 2]


Internet DRAFT                    SASL                 September 9, 1997


   4) SHOULD NOT means that there may exist valid reasons in particular
   circumstances when the particular behavior is acceptable or even
   useful, but the full implications SHOULD be understood and the case
   carefully weighed before implementing any behavior described with
   this label.

   5) MAY, or the adjective OPTIONAL, means that an item is truly
   optional. One vendor may choose to include the item because a
   particular marketplace requires it or because the vendor feels that
   it enhances the product while another vendor may omit the same item.
   An implementation which does not include a particular option MUST be
   prepared to interoperate with another implementation which does
   include the option.

   "Can" is used instead of "may" when referring to a possible
   circumstance or situation, as opposed to an optional facility of the
   protocol.

2.3.  Examples

   Examples in this document are for the IMAP profile [IMAP4] of this
   specification.  The base64 encoding of challenges and responses, as
   well as the "+ " preceding the responses are part of the IMAP4
   profile, not part of the SASL specification itself.

3.    Introduction and Overview

   The Simple Authentication and Security Layer (SASL) is a method for
   adding authentication support to connection-based protocols.  To use
   this specification, a protocol includes a command for identifying and
   authenticating a user to a server and for optionally negotiating a
   security layer for subsequent protocol interactions.

   The command has a required argument identifying a SASL mechanism.
   SASL mechanisms are named by strings, from 1 to 20 characters in
   length, consisting of upper-case letters, digits, hyphens, and/or
   underscores.  SASL mechanism names must be registered with the IANA.
   Procedures for registering new SASL mechanisms are given in the
   section "Registration procedures"

   If a server supports the requested mechanism, it initiates an
   authentication protocol exchange.  This consists of a series of
   server challenges and client responses that are specific to the
   requested mechanism.  The challenges and responses are defined by the
   mechanisms as binary tokens of arbitrary length.  The protocol's
   profile then specifies how these binary tokens are then encoded for
   transfer over the connection.




J. Myers                                                        [Page 3]


Internet DRAFT                    SASL                 September 9, 1997


   After receiving the authentication command or any client response, a
   server may issue a challenge, indicate failure, or indicate
   completion.  The protocol's profile specifies how the server
   indicates which of the above it is doing.

   After receiving a challenge, a client may issue a response or abort
   the exchange.  The protocol's profile specifies how the client
   indicates which of the above it is doing.

   During the authentication protocol exchange, the mechanism performs
   authentication, transmits an authorization identity (frequently known
   as a userid) from the client to server, and negotiates the use of a
   mechanism-specific security layer.  If the use of a security layer is
   agreed upon, then the mechanism must also define or negotiate the
   maximum cipher-text buffer size that each side is able to receive.

   The transmitted authorization identity may be different than the
   identity in the client's authentication credentials.  This permits
   agents such as proxy servers to authenticate using their own
   credentials, yet request the access privileges of the identity for
   which they are proxying.  With any mechanism, transmitting an
   authorization identity of the empty string directs the server to
   derive an authorization identity from the client's authentication
   credentials.

   If use of a security layer is negotiated, it is applied to all
   subsequent data sent over the connection.  The security layer takes
   effect immediately following the last response of the authentication
   exchange for data sent by the client and the completion indication
   for data sent by the server.  Once the security layer is in effect,
   the protocol stream is processed by the security layer into buffers
   of cipher-text.  Each buffer is transferred over the connection as a
   stream of octets prepended with a four octet field in network byte
   order that represents the length of the following buffer.  The length
   of the cipher-text buffer must be no larger than the maximum size
   that was defined or negotiated by the other side.

4.    Profiling requirements

   In order to use this specification, a protocol definition must supply
   the following information:


   1. A service name, to be selected from the IANA registry of "service"
      elements for the GSSAPI host-based service name form. [GSSAPI]

   2. A definition of the command to initiate the authentication
      protocol exchange.  This command must have as a parameter the



J. Myers                                                        [Page 4]


Internet DRAFT                    SASL                 September 9, 1997


      mechanism name being selected by the client.

      The command SHOULD have an optional parameter giving an initial
      response.  This optional parameter allows the client to avoid a
      round trip when using a mechanism which is defined to have the
      client send data first.  When this initial response is sent by the
      client and the selected mechanism is defined to have the server
      start with an initial challenge, the command fails.  See section
      5.1 of this document for further information.

   3. A definition of the method by which the authentication protocol
      exchange is carried out, including how the challenges and
      responses are encoded, how the server indicates completion or
      failure of the exchange, how the client aborts an exchange, and
      how the exchange method interacts with any line length limits in
      the protocol.

   4. Identification of the octet where any negotiated security layer
      starts to take effect, in both directions.

   5. A specification of how the authorization identity passed from the
      client to the server is to be interpreted.

5.    Specific issues

5.1.  Client sends data first

   Some mechanisms specify that the first data sent in the
   authentication protocol exchange is from the client to the server.

   If a protocol's profile permits the command which initiates an
   authentication protocol exchange to contain an initial client
   response, this parameter SHOULD be used with such mechanisms.

   If the initial client response parameter is not given, or if a
   protocol's profile does not permit the command which initiates an
   authentication protocol exchange to contain an initial client
   response, then the server issues a challenge with no data.  The
   client's response to this challenge is then used as the initial
   client response.  (The server then proceeds to send the next
   challenge, indicates completion, or indicates failure.)

5.2.  Server returns success with additional data

   Some mechanisms may specify that server challenge data be sent to the
   client along with an indication of successful completion of the
   exchange.  This data would, for example, authenticate the server to
   the client.



J. Myers                                                        [Page 5]


Internet DRAFT                    SASL                 September 9, 1997


   If a protocol's profile does not permit this server challenge to be
   returned with a success indication, then the server issues the server
   challenge without an indication of successful completion.  The client
   then responds with no data.  After receiving this empty response, the
   server then indicates successful completion.

5.3.  Multiple authentications

   Unless otherwise stated by the protocol's profile, only one
   successful SASL negotiation may occur in a protocol session.  In this
   case, once an authentication protocol exchange has successfully
   completed, further attempts to initiate an authentication protocol
   exchange fail.

   In the case that a profile explicitly permits multiple successful
   SASL negotiations to occur, then in no case may multiple security
   layers be simultaneously in effect.  If a security layer is in effect
   and a subsequent SASL negotiation selects no security layer, the
   original security layer remains in effect.  If a security layer is in
   effect and a subsequent SASL negotiation selects a second security
   layer, then the second security layer replaces the first.

6.    Registration procedures

   Registration of a SASL mechanism is done by filling in the template
   in section 6.4 and sending it in to iana@isi.edu.  IANA has the right
   to reject obviously bogus registrations, but will perform no review
   of clams made in the registration form.

   There is no naming convention for SASL mechanisms; any name that
   conforms to the syntax of a SASL mechanism name can be registered.

   While the registration procedures do not require it, authors of SASL
   mechanisms are encouraged to seek community review and comment
   whenever that is feasible.  Authors may seek community review by
   posting a specification of their proposed mechanism as an internet-
   draft.  SASL mechanisms intended for widespread use should be
   standardized through the normal IETF process, when appropriate.

6.1.  Comments on SASL mechanism registrations

   Comments on registered SASL mechanisms should first be sent to the
   "owner" of the mechanism.  Submitters of comments may, after a
   reasonable attempt to contact the owner, request IANA to attach their
   comment to the SASL mechanism registration itself.  If IANA approves
   of this the comment will be made accessible in conjunction with the
   SASL mechanism registration itself.




J. Myers                                                        [Page 6]


Internet DRAFT                    SASL                 September 9, 1997


6.2.  Location of Registered SASL Mechanism List

   SASL mechanism registrations will be posted in the anonymous FTP
   directory
   "ftp://ftp.isi.edu/in-notes/iana/assignments/sasl-mechanisms/" and
   all registered SASL mechanisms will be listed in the periodically
   issued "Assigned Numbers" RFC [currently RFC-1700].  The SASL
   mechanism description and other supporting material may also be
   published as an Informational RFC by sending it to
   "rfc-editor@isi.edu" (please follow the instructions to RFC authors
   [RFC-1543]).

6.3.  Change Control

   Once a SASL mechanism registration has been published by IANA, the
   author may request a change to its definition.  The change request
   follows the same procedure as the registration request.

   The owner of a SASL mechanism may pass responsibility for the SASL
   mechanism to another person or agency by informing IANA; this can be
   done without discussion or review.

   The IESG may reassign responsibility for a SASL mechanism. The most
   common case of this will be to enable changes to be made to
   mechanisms where the author of the registration has died, moved out
   of contact or is otherwise unable to make changes that are important
   to the community.

   SASL mechanism registrations may not be deleted; mechanisms which are
   no longer believed appropriate for use can be declared OBSOLETE by a
   change to their "intended use" field; such SASL mechanisms will be
   clearly marked in the lists published by IANA.

   The IESG is considered to be the owner of all SASL mechanisms which
   are on the IETF standards track.

6.4.  Registration Template


     To: iana@isi.edu
     Subject: Registration of SASL mechanism X

     SASL mechanism name:

     Security considerations:

     Published specification (optional, recommended):




J. Myers                                                        [Page 7]


Internet DRAFT                    SASL                 September 9, 1997


     Person & email address to contact for further information:

     Intended usage:

     (One of COMMON, LIMITED USE or OBSOLETE)

     Author/Change controller:

     (Any other information that the author deems interesting may be
     added below this line.)

7.    Mechanism definitions

   The following mechanisms are hereby defined.

7.1.  Kerberos version 4 mechanism

   The mechanism name associated with Kerberos version 4 is
   "KERBEROS_V4".

   The first challenge consists of a random 32-bit number in network
   byte order.  The client responds with a Kerberos ticket and an
   authenticator for the principal "service.hostname@realm", where
   "service" is the service name specified in the protocol's profile,
   "hostname" is the first component of the host name of the server with
   all letters in lower case, and where "realm" is the Kerberos realm of
   the server.  The encrypted checksum field included within the
   Kerberos authenticator contains the server provided challenge in
   network byte order.

   Upon decrypting and verifying the ticket and authenticator, the
   server verifies that the contained checksum field equals the original
   server provided random 32-bit number.  Should the verification be
   successful, the server must add one to the checksum and construct 8
   octets of data, with the first four octets containing the incremented
   checksum in network byte order, the fifth octet containing a bit-mask
   specifying the security layers supported by the server, and the sixth
   through eighth octets containing, in network byte order, the maximum
   cipher-text buffer size the server is able to receive.  The server
   must encrypt using DES ECB mode the 8 octets of data in the session
   key and issue that encrypted data in a second challenge.  The client
   considers the server authenticated if the first four octets of the
   un-encrypted data is equal to one plus the checksum it previously
   sent.

   The client must construct data with the first four octets containing
   the original server-issued checksum in network byte order, the fifth
   octet containing the bit-mask specifying the selected security layer,



J. Myers                                                        [Page 8]


Internet DRAFT                    SASL                 September 9, 1997


   the sixth through eighth octets containing in network byte order the
   maximum cipher-text buffer size the client is able to receive, and
   the following octets containing the authorization identity.  The
   client must then append from one to eight zero-valued octets so that
   the length of the data is a multiple of eight octets. The client must
   then encrypt using DES PCBC mode the data with the session key and
   respond with the encrypted data.  The server decrypts the data and
   verifies the contained checksum.  The server must verify that the
   principal identified in the Kerberos ticket is authorized to connect
   as that authorization identity.  After this verification, the
   authentication process is complete.

   The security layers and their corresponding bit-masks are as follows:

      1 No security layer
      2 Integrity (krb_mk_safe) protection
      4 Privacy (krb_mk_priv) protection
   Other bit-masks may be defined in the future; bits which are not
   understood must be negotiated off.


   EXAMPLE: The following are two Kerberos version 4 login scenarios to
   the IMAP4 protocol (note that the line breaks in the sample
   authenticators are for editorial clarity and are not in real
   authenticators)

      S: * OK IMAP4 Server
      C: A001 AUTHENTICATE KERBEROS_V4
      S: + AmFYig==
      C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
         +nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
         WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
      S: + or//EoAADZI=
      C: DiAF5A4gA+oOIALuBkAAmw==
      S: A001 OK Kerberos V4 authentication successful


      S: * OK IMAP4 Server
      C: A001 AUTHENTICATE KERBEROS_V4
      S: + gcfgCA==
      C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
         +nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
         WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
      S: A001 NO Kerberos V4 authentication failed







J. Myers                                                        [Page 9]


Internet DRAFT                    SASL                 September 9, 1997


7.2.  GSSAPI mechanism

   The mechanism name associated with all mechanisms employing the
   GSSAPI [GSSAPI] is "GSSAPI".

7.2.1 Client side of authentication protocol exchange

   The client calls GSS_Init_sec_context, passing in 0 for
   input_context_handle (initially) and a targ_name equal to output_name
   from GSS_Import_Name called with input_name_type of
   GSS_C_NT_HOSTBASED_SERVICE and input_name_string of
   "service@hostname" where "service" is the service name specified in
   the protocol's profile, and "hostname" is the fully qualified host
   name of the server.  The client then responds with the resulting
   output_token.  If GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED,
   then the client should expect the server to issue a token in a
   subsequent challenge.  The client must pass the token to another call
   to GSS_Init_sec_context, repeating the actions in this paragraph.

   When GSS_Init_sec_context returns GSS_S_COMPLETE, the client takes
   the following actions: If the last call to GSS_Init_sec_context
   returned an output_token, then the client responds with the
   output_token, otherwise the client responds with no data.  The client
   should then expect the server to issue a token in a subsequent
   challenge.  The client passes this token to GSS_Unwrap and interprets
   the first octet of resulting cleartext as a bit-mask specifying the
   security layers supported by the server and the second through fourth
   octets as the maximum size output_message to send to the server.  The
   client then constructs data, with the first octet containing the
   bit-mask specifying the selected security layer, the second through
   fourth octets containing in network byte order the maximum size
   output_message the client is able to receive, and the remaining
   octets containing the authorization identity.  The client passes the
   data to GSS_Wrap with conf_flag set to FALSE, and responds with the
   generated output_message.  The client can then consider the server
   authenticated.

7.2.2 Server side of authentication protocol exchange

   The server passes the initial client response to
   GSS_Accept_sec_context as input_token, setting input_context_handle
   to 0 (initially).  If GSS_Accept_sec_context returns
   GSS_S_CONTINUE_NEEDED, the server returns the generated output_token
   to the client in challenge and passes the resulting response to
   another call to GSS_Accept_sec_context, repeating the actions in this
   paragraph.

   When GSS_Accept_sec_context returns GSS_S_COMPLETE, the client takes



J. Myers                                                       [Page 10]


Internet DRAFT                    SASL                 September 9, 1997


   the following actions: If the last call to GSS_Accept_sec_context
   returned an output_token, the server returns it to the client in a
   challenge and expects a reply from the client with no data.  Whether
   or not an output_token was returned (and after receipt of any
   response from the client to such an output_token), the server then
   constructs 4 octets of data, with the first octet containing a bit-
   mask specifying the security layers supported by the server and the
   second through fourth octets containing in network byte order the
   maximum size output_token the server is able to receive.  The server
   must then pass the plaintext to GSS_Wrap with conf_flag set to FALSE
   and issue the generated output_message to the client in a challenge.
   The server must then pass the resulting response to GSS_Unwrap and
   interpret the first octet of resulting cleartext as the bit-mask for
   the selected security layer, the second through fourth octets as the
   maximum size output_message to send to the client, and the remaining
   octets as the authorization identity.  The server must verify that
   the src_name is authorized to authenticate as the authorization
   identity.  After these verifications, the authentication process is
   complete.

7.2.3 Security layer

   The security layers and their corresponding bit-masks are as follows:

      1 No security layer
      2 Integrity protection.
        Sender calls GSS_Wrap with conf_flag set to FALSE
      4 Privacy protection.
        Sender calls GSS_Wrap with conf_flag set to TRUE
   Other bit-masks may be defined in the future; bits which are not
   understood must be negotiated off.




















J. Myers                                                       [Page 11]


Internet DRAFT                    SASL                 September 9, 1997


7.3.  S/Key mechanism

   The mechanism name associated with S/Key [SKEY] using the MD4 digest
   algorithm is "SKEY".

   The client sends an initial response with the authorization identity.

   The server then issues a challenge which contains the decimal
   sequence number followed by a single space and the seed string for
   the indicated authorization identity.  The client responds with the
   one-time-password, as either a 64-bit value in network byte order or
   encoded in the "six English words" format.

   The server must verify the one-time-password.  After this
   verification, the authentication process is complete.

   S/Key authentication does not provide for any security layers.


   EXAMPLE: The following are two S/Key login scenarios in the IMAP4
   protocol.

      S: * OK IMAP4 Server
      C: A001 AUTHENTICATE SKEY
      S: +
      C: bW9yZ2Fu
      S: + OTUgUWE1ODMwOA==
      C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
      S: A001 OK S/Key authentication successful


      S: * OK IMAP4 Server
      C: A001 AUTHENTICATE SKEY
      S: +
      C: c21pdGg=
      S: + OTUgUWE1ODMwOA==
      C: BsAY3g4gBNo=
      S: A001 NO S/Key authentication failed

   The following is an S/Key login scenario in an IMAP4-like protocol
   which has an optional "initial response" argument to the AUTHENTICATE
   command.

      S: * OK IMAP4-Like Server
      C: A001 AUTHENTICATE SKEY bW9yZ2Fu
      S: + OTUgUWE1ODMwOA==
      C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
      S: A001 OK S/Key authentication successful



J. Myers                                                       [Page 12]


Internet DRAFT                    SASL                 September 9, 1997


7.4.  External mechanism

   The mechanism name associated with external authentication is
   "EXTERNAL".

   The client sends an initial response with the authorization identity.

   The server uses information, external to SASL, to determine whether
   the client is authorized to authenticate as the authorization
   identity.  If the client is so authorized, the server indicates
   successful completion of the authentication exchange; otherwise the
   server indicates failure.

   The system providing this external information may be, for example,
   IPsec or TLS.

   If the client sends the empty string as the authorization identity
   (thus requesting the authorization identity be derived from the
   client's authentication credentials), the authorization identity is
   to be derived from authentication credentials which exist in the
   system which is providing the external authentication.






























J. Myers                                                       [Page 13]


Internet DRAFT                    SASL                 September 9, 1997


8.    References

   [IMAP4] Crispin, M., "Internet Message Access Protocol - Version 4",
   RFC 1730, University of Washington, December 1994.

   [GSSAPI] Linn, J., "Generic Security Service Application Program
   Interface, Version 2", RFC 2078, January 1997

   [RFC-1543] Postel, J., "Instructions to RFC Authors", RFC 1543,
   October 1993

   [SKEY] Haller, Neil M. "The S/Key One-Time Password System", RFC
   1760, Bellcore, February 1995

9.    Security Considerations

   Security issues are discussed throughout this memo.

   The mechanisms that support integrity protection are designed such
   that the negotiation of the security layer and authorization identity
   is integrity protected.  When the client selects a security layer
   with at least integrity protection, this protects against an active
   attacker hijacking the connection and modifying the authentication
   exchange to negotiate a plaintext connection.

   When a server or client supports multiple authentication mechanisms,
   each of which has a different security strength, it is possible for
   an active attacker to cause a party to use the least secure mechanism
   supported.  To protect against this sort of attack, a client or
   server which supports mechanisms of different strengths should have a
   configurable minimum strength that it will use.  It is not sufficient
   for this minimum strength check to only be on the server, since an
   active attacker can change which mechanisms the client sees as being
   supported, causing the client to send authentication credentials for
   its weakest supported mechanism.

   The client's selection of a SASL mechanism is done in the clear and
   may be modified by an active attacker.  It is important for any new
   SASL mechanisms to be designed such that an active attacker cannot
   obtain an authentication with weaker security properties by modifying
   the SASL mechanism name and/or the challenges and responses.

   Any protocol interactions prior to authentication are performed in
   the clear and may be modified by an active attacker.  In the case
   where a client selects integrity protection, it is important that any
   security-sensitive protocol negotiations be performed after
   authentication is complete.  Protocols should be designed such that
   negotiations performed prior to authentication should be either



J. Myers                                                       [Page 14]


Internet DRAFT                    SASL                 September 9, 1997


   ignored or revalidated once authentication is complete.

10.   Author's Address

   John G. Myers
   Netscape Communications
   501 E. Middlefield Road
   Mail Stop MV-029
   Mountain View, CA 94043-4042

   Email: jgmyers@netscape.com

Appendix A. Relation of SASL to Transport Security

   Questions have been raised about the relationship between SASL and
   various services (such as IPsec and TLS) which provide a secured
   connection.

   Two of the key features of SASL are:


   1. The separation of the authorization identity from the identity in
      the client's credentials.  This permits agents such as proxy
      servers to authenticate using their own credentials, yet request
      the access privileges of the identity for which they are proxying.

   2. Upon successful completion of an authentication exchange, the
      server knows the authorization identity the client wishes to use.
      This allows servers to move to a "user is authenticated" state in
      the protocol.

   These features are extremely important to some application protocols,
   yet Transport Security services do not always provide them.  To
   define SASL mechanisms based on these services would be a very messy
   task, as the framing of these services would be redundant with the
   framing of SASL and some method of providing these important SASL
   features would have to be devised.

   Sometimes it is desired to enable within an existing connection the
   use of a security service which does not fit the SASL model.  (TLS is
   an example of such a service.)  This can be done by adding a command,
   for example "STARTTLS", to the protocol.  Such a command is outside
   the scope of SASL, and should be different from the command which
   starts a SASL authentication protocol exchange.

   In certain situations, it is reasonable to use SASL underneath one of
   these Transport Security services.  The transport service would
   secure the connection, either service would authenticate the client,



J. Myers                                                       [Page 15]


Internet DRAFT                    SASL                 September 9, 1997


   and SASL would negotiate the authorization identity.  The SASL
   negotiation would be what moves the protocol from "unauthenticated"
   to "authenticated" state.  The "EXTERNAL" SASL mechanism is
   explicitly intended to handle the case where the transport service
   secures the connection and authenticates the client and SASL
   negotiates the authorization identity.

   When using SASL underneath a sufficiently strong Transport Security
   service, a SASL security layer would most likely be redundant.  The
   client and server would thus probably want to negotiate off the use
   of a SASL security layer.








































J. Myers                                                       [Page 16]


Internet DRAFT                    SASL                 September 9, 1997





                           Table of Contents



Status of this Memo ...............................................    i
1.    Abstract ....................................................    2
2.    Organization of this Document ...............................    2
2.1.  How to Read This Document ...................................    2
2.2.  Conventions Used in this Document ...........................    2
2.3.  Examples ....................................................    3
3.    Introduction and Overview ...................................    3
4.    Profiling requirements ......................................    4
5.    Specific issues .............................................    5
5.1.  Client sends data first .....................................    5
5.2.  Server returns success with additional data .................    5
5.3.  Multiple authentications ....................................    6
6.    Registration procedures .....................................    6
6.1.  Comments on SASL mechanism registrations ....................    6
6.2.  Location of Registered SASL Mechanism List ..................    7
6.3.  Change Control ..............................................    7
6.4.  Registration Template .......................................    7
7.    Mechanism definitions .......................................    8
7.1.  Kerberos version 4 mechanism ................................    8
7.2.  GSSAPI mechanism ............................................   10
7.2.1 Client side of authentication protocol exchange .............   10
7.2.2 Server side of authentication protocol exchange .............   10
7.2.3 Security layer ..............................................   11
7.3.  S/Key mechanism .............................................   12
7.4.  External mechanism ..........................................   13
8.    References ..................................................   14
9.    Security Considerations .....................................   14
10.   Author's Address ............................................   15
Appendix A. Relation of SASL to Transport Security ................   15















J. Myers                                                       [Page ii]