�g�b�v�y�[�W - �|��h�L�������g - RFC 4422
�����Fftp://ftp.rfc-editor.org/in-notes/rfc4422.txt
�����Ƃ̑Ζ�Ƃ��ēǂ݂������ցF���̃y�[�W�����[�J���ɕۑ����āA�X�^�C���V�[�g�� original �N���X�� display ������ none ���� block �ɕύX���Ă݂Ă��������B
�T�C�g���֘A�����N�FRFC 5034 POP3 SASL
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. ���̕����̓C���^�[�l�b�g�R�~���j�e�B�̂��߂̃C���^�[�l�b�g�W���g���b�N�v���g�R���ɂ��ďq�ׂĂ���A���ǂɌ����Ă̋c�_�ƒ�Ă����߂Ă���B���̃v���g�R���̕W�����̏�ԂƏɂ��Ă� "Internet Official Protocol Standards" (STD 1)���Q�Ƃ��Ăق����B���̕����̔z�z�ɐ����͂Ȃ��B
Copyright (C) The Internet Society (2006).
The Simple Authentication and Security Layer (SASL) is a framework for providing authentication and data security services in connection-oriented protocols via replaceable mechanisms. It provides a structured interface between protocols and mechanisms. The resulting framework allows new protocols to reuse existing mechanisms and allows old protocols to make use of new mechanisms. The framework also provides a protocol for securing subsequent protocol exchanges within a data security layer. �P���F�ƃZ�L�����e�B���C��(Simple Authentication and Security Layer)(SASL)�́A�u���\�ȃ��J�j�Y�����g�p���ĔF�ƃf�[�^�ی�Ƃ����t���[�����[�N�ł���BSASL �̓v���g�R���ƃ��J�j�Y���Ƃ̊Ԃ̍\�������ꂽ�C���^�[�t�F�C�X�����B���ʂƂ��Đ�����t���[�����[�N�́A�V�����v���g�R���������̃��J�j�Y���𗘗p������A�����̃v���g�R�����V�������J�j�Y���𗘗p�����肷�邱�Ƃ��\�ɂ���B�܂����̃t���[�����[�N�́A�f�[�^�Z�L�����e�B���C���̒��Ō㑱�̃v���g�R��������ی삷�邽�߂̃v���g�R��������B
This document describes how a SASL mechanism is structured, describes how protocols include support for SASL, and defines the protocol for carrying a data security layer over a connection. In addition, this document defines one SASL mechanism, the EXTERNAL mechanism. ���̕����� SASL ���ǂ̂悤�ɐv����Ă��邩���L�q���A�v���g�R���� SASL ���T�|�[�g������@���q�ׁA�ڑ���Ńf�[�^�Z�L�����e�B���C�����^�Ԃ��߂̃v���g�R�����`����B����ɂ��̕����́ASASL ���J�j�Y���̂ЂƂł��� EXTERNAL ���J�j�Y�����`����B
This document obsoletes RFC 2222. ���̕����� RFC 2222 ��p�~����B
The Simple Authentication and Security Layer (SASL) is a framework for providing authentication and data security services in connection-oriented protocols via replaceable mechanisms. SASL provides a structured interface between protocols and mechanisms. SASL also provides a protocol for securing subsequent protocol exchanges within a data security layer. The data security layer can provide data integrity, data confidentiality, and other services. SASL �́A�R�l�N�V�����w���v���g�R���ɂ�����F�ƃf�[�^�Z�L�����e�B�Ƃ̃T�[�r�X���A�u���\�ȃ��J�j�Y����ʂ��Ē��邽�߂̃t���[�����[�N�ł���BSASL �̓v���g�R���ƃ��J�j�Y���Ƃ̊Ԃ̍\�������ꂽ�C���^�[�t�F�C�X�����B�܂� SASL �́A�f�[�^�Z�L�����e�B���C�����Ō㑱�̃v���g�R��������ی삷�邽�߂̃v���g�R��������B���̃f�[�^�Z�L�����e�B���C���́A�f�[�^�̊��S����@�����Ȃǂ̃T�[�r�X����邱�Ƃ��ł���B
SASL's design is intended to allow new protocols to reuse existing mechanisms without requiring redesign of the mechanisms and allows existing protocols to make use of new mechanisms without redesign of protocols. SASL �̐v�́A���J�j�Y�����Đv���邱�ƂȂ��V�����v���g�R���������̃��J�j�Y���𗘗p������A�v���g�R�����Đv���邱�ƂȂ������̃v���g�R�����V�������J�j�Y���𗘗p������ł��邱�Ƃ�ړI�Ƃ��Ă���B
SASL is conceptually a framework that provides an abstraction layer between protocols and mechanisms as illustrated in the following diagram. �T�O�I�� SASL �́A���}�Ɏ����悤�ȃv���g�R���ƃ��J�j�Y���Ƃ̊Ԃ̒��ۃ��C�������t���[�����[�N�ł���B
SMTP LDAP XMPP Other protocols ...
\ | | /
\ | | /
SASL abstraction layer
/ | | \
/ | | \
EXTERNAL GSSAPI PLAIN Other mechanisms ...
SMTP LDAP XMPP ���̃v���g�R�� ...
\ | | /
\ | | /
SASL ���ۃ��C��
/ | | \
/ | | \
EXTERNAL GSSAPI PLAIN ���̃��J�j�Y�� ...
It is through the interfaces of this abstraction layer that the framework allows any protocol to utilize any mechanism. While this layer does generally hide the particulars of protocols from mechanisms and the particulars of mechanisms from protocols, this layer does not generally hide the particulars of mechanisms from protocol implementations. For example, different mechanisms require different information to operate, some of them use password-based authentication, some of then require realm information, others make use of Kerberos tickets, certificates, etc. Also, in order to perform authorization, server implementations generally have to implement identity mapping between authentication identities, whose form is mechanism specific, and authorization identities, whose form is application protocol specific. Section 2 discusses identity concepts. ���̒��ۃ��C���̃C���^�[�t�F�C�X��ʂ����ƂŁA���̃t���[�����[�N�͔C�ӂ̃v���g�R�����C�ӂ̃��J�j�Y���𗘗p���邱�Ƃ��\�ɂ��Ă���B��ʂɂ��̃��C���̓v���g�R���̏ڍׂ����J�j�Y������B�����A���J�j�Y���̏ڍׂ��v���g�R������B������B���̈���ŁA�ʏ킱�̃��C���̓��J�j�Y���̏ڍׂ��v���g�R����������B�����Ȃ��B�Ⴆ�ΈقȂ郁�J�j�Y���͈قȂ����K�v�Ƃ���B������̂̓p�X���[�h�x�[�X�̔F�𗘗p���A�܂�������̂͗̈���𗘗p���A�P���x���X�F�̃`�P�b�g��ؖ����Ȃǂ𗘗p������̂�����B�܂���ʂɃT�[�o�[�����́A�����t�^�����s���邽�߂ɁA�F�A�C�f���e�B�e�B(����̓��J�j�Y���ŗL�ł���)�ƌ����A�C�f���e�B�e�B(����̓A�v���P�[�V�����v���g�R���ŗL�ł���)�Ƃ̊Ԃ̃}�b�s���O����������K�v������B�A�C�f���e�B�e�B�̊T�O�̓Z�N�V���� 2 �ŋc�_����Ă���B
It is possible to design and implement this framework in ways that do abstract away particulars of similar mechanisms. Such a framework implementation, as well as mechanisms implementations, could be designed not only to be shared by multiple implementations of a particular protocol but to be shared by implementations of multiple protocols. �ގ��������J�j�Y���̏ڍׂ𒊏ۉ����Đ藣���`�ŁA���̃t���[�����[�N��v�E�������邱�Ƃ��\�ł���B���̂悤�ȃt���[�����[�N�̎����́A���J�j�Y���̎����Ɠ����悤�ɓ���̃v���g�R���̕����̎����ɂ���ċ��L����邾���łȂ��A�����̃v���g�R�������ɂ���ċ��L�����悤�ɐv���邱�Ƃ��ł��邾�낤�B
The framework incorporates interfaces with both protocols and mechanisms in which authentication exchanges are carried out. Section 3 discusses SASL authentication exchanges. ���̃t���[�����[�N�ɂ́A�F�،��������s�����v���g�R���y�у��J�j�Y���̗����Ƃ̃C���^�[�t�F�C�X���g�ݍ��܂�Ă���BSASL �̔F�،����̓Z�N�V���� 3 �ŋc�_����Ă���B
To use SASL, each protocol (amongst other items) provides a method for identifying which mechanism is to be used, a method for exchange of mechanism-specific server-challenges and client-responses, and a method for communicating the outcome of the authentication exchange. Section 4 discusses SASL protocol requirements. �e�v���g�R���� SASL �𗘗p���邽�߂ɁA�ǂ̃��J�j�Y�����g�p�����ׂ�������肷�郁�\�b�h�A���J�j�Y���ŗL�̃T�[�o�[�`�������W�ƃN���C�A���g���X�|���X�Ƃ��������邽�߂̃��\�b�h�A�F�،����̌��ʂ�`���郁�\�b�h��(���̃��\�b�h�Ƌ���)����BSASL �v���g�R���̗v�������̓Z�N�V���� 4 �ŋc�_����Ă���B
Each SASL mechanism defines (amongst other items) a series of server-challenges and client-responses that provide authentication services and negotiate data security services. Section 5 discusses SASL mechanism requirements. ���ꂼ��� SASL ���J�j�Y���́A�F�T�[�r�X����f�[�^�Z�L�����e�B�T�[�r�X���������A�̃T�[�o�[�`�������W�ƃN���C�A���g���X�|���X�Ƃ�(���̍��ڂƋ���)��`����BSASL ���J�j�Y���̗v�������̓Z�N�V���� 5 �Œ�`����Ă���B
Section 6 discusses security considerations. Section 7 discusses IANA considerations. Appendix A defines the SASL EXTERNAL mechanism. �Z�N�V���� 6 �ł̓Z�L�����e�B�l�@���c�_���Ă���B�Z�N�V���� 7 �� IANA �l�@�ł���B�t�^ A �� SASL EXTERNAL ���J�j�Y�����`���Ă���B
This document is written to serve several different audiences: ���̕����͈ȉ��̂悤�ȓǎ҂Ɍ����ď�����Ă���F
While the document organization is intended to allow readers to focus on details relevant to their engineering, readers are encouraged to read and understand all aspects of this document. ���̕����͓ǎ҂����ꂼ��̕���Ɋւ���ڍׂɏW���ł��邱�Ƃ��Ӑ}�����\���ɂȂ��Ă��邪�A�ǎ҂͂��̕����̂��ׂĂ�ǂ݁A�������邱�Ƃ𐄏������B
This document obsoletes RFC 2222. It replaces all portions of RFC 2222 excepting sections 7.1 (the KERBEROS_IV mechanism), 7.2 (the GSSAPI mechanism), 7.3 (the SKEY mechanism). The KERBEROS_IV and SKEY mechanisms are now viewed as obsolete and their specifications provided in RFC 2222 are Historic. The GSSAPI mechanism is now separately specified [SASL-GSSAPI]. ���̕����� RFC 2222 ��p�~����BRFC 2222 �̃Z�N�V���� 7.1(KERBEROS_IV ���J�j�Y��)�A7.2(GSSAPI ���J�j�Y��)�A7.3(SKEY ���J�j�Y��)�������A���̕����� RFC 2222 �̂��ׂĂ�u��������BKERBEROS_IV ���J�j�Y���� SKEY ���J�j�Y���Ƃ͌��݂ł͎���x��ƌ��Ȃ���Ă���ARFC 2222 �Œ���Ă��邻���̎d�l�͗��j�I�Ȃ̂���(Historic)�ł���BGSSAPI ���J�j�Y���͌��݁A�Ɨ����ċK�肳��Ă���[SASL-GSSAPI]�B
Appendix B provides a summary of changes since RFC 2222. RFC 2222 ����̕ύX�_�̊T�v�͕t�^ B �Ɏ�����Ă���B
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119]. �������̃L�[���[�h "MUST"�A"MUST NOT"�A"REQUIRED"�A"SHALL"�A"SHALL NOT""SHOULD"�A"SHOULD NOT"�A"RECOMMENDED"�A"MAY"�A"OPTIONAL" �́ABCP 14 [RFC2119] �Œ�`����Ă���ʂ�ɉ��߂����B
Character names in this document use the notation for code points and names from the Unicode Standard [Unicode]. For example, the letter "a" may be represented as either <U+0061> or <LATIN SMALL LETTER A>. �������̕�������(Character name)�́AUnicocde Standard [Unicode] �ɗR�����镶���R�[�h�|�C���g�Ɩ��̂Ƃ̕\�L���g�p���Ă���B�Ⴆ�Ε��� "a" �́A<U+0061> �܂��� <LATIN SMALL LETTER A> �ƕ\�������B
Note: a glossary of terms used in Unicode can be found in [Glossary]. Information on the Unicode character encoding model can be found in [CharModel]. ���ӁF���j�R�[�h�Ŏg�p����Ă���p��̐����� [Glossary] �Ɏ�����Ă���B���j�R�[�h�������G���R�[�h���郂�f���� [CharModel] �Ɏ�����Ă���B
In examples, "C:" and "S:" indicate lines of data to be sent by the client and server, respectively. Lines have been wrapped for improved readability. ��Ŏd�l����Ă��� "C:" �y�� "S:" �́A���ꂼ��N���C�A���g�E�T�[�o�[���瑗�M���ꂽ�s��\���B�e�s�͓ǂ݂₷���悤�ɐ܂�Ԃ���Ă���B
In practice, authentication and authorization may involve multiple identities, possibly in different forms (simple username, Kerberos principal, X.500 Distinguished Name, etc.), possibly with different representations (e.g., ABNF-described UTF-8 encoded Unicode character string, BER-encoded Distinguished Name). While technical specifications often prescribe both the identity form and representation used on the network, different identity forms and/or representations may be (and often are) used within implementations. How identities of different forms relate to each other is, generally, a local matter. In addition, the forms and representations used within an implementation are a local matter. ���ۖ��Ƃ��āA�F�ƌ����Ƃ͕����̃A�C�f���e�B�e�B���܂މ\��������B�����͈قȂ�`��(�P���ȃ��[�U�[���A�P���x���X��́AX.500 �̎��ʖ��Ȃ�)�ł��悢���A�قȂ�\��(ABNF �ŋL�q���ꂽ UTF-8 �`���̃��j�R�[�h������ABER �G���R�[�h���ꂽ���ʖ��Ȃ�)�ł��悢�B�����Z�p�d�l�̓l�b�g���[�N��Ŏg�p�����A�C�f���e�B�e�B�̌`���ƕ\���Ƃ��K�肷�邪�A���������ł͂���ƈقȂ�A�C�f���e�B�e�B�̌`����\�����g�p���Ă��悢�B�قȂ�`���̃A�C�f���e�B�e�B���݂��Ɋ֘A�t������@�́A��ʂɃ��[�J���̖��ł���B�܂����������Ŏg�p�����`���ƕ\�����A���[�J���̖��ł���B
However, conceptually, the SASL framework involves two identities: �������Ȃ���T�O�I�ɂ́ASASL �̃t���[�����[�N�͎��̓�̃A�C�f���e�B�e�B��K�v�Ƃ���F
SASL mechanism specifications describe the credential form(s) (e.g., X.509 certificates, Kerberos tickets, simple username/password) used to authenticate the client, including (where appropriate) the syntax and semantics of authentication identities carried in the credentials. SASL protocol specifications describe the identity form(s) used in authorization and, in particular, prescribe the syntax and semantics of the authorization identity character string to be transferred by mechanisms. SASL ���J�j�Y���̎d�l�́A�N���C�A���g��F���邽�߂Ɏg�p�����ؖ����̌`��(�Ⴆ�� X.509 �ؖ����A�P���x���X�`�P�b�g�A�P���ȃ��[�U�[��/�p�X���[�h�Ȃ�)���L�q����B(�K�ł����)����ɂ͏ؖ����ʼn^���F�A�C�f���e�B�e�B�̕��@�ƈӖ��Ƃ��܂܂��BSASL �v���g�R���̎d�l�͔F�Ɏg�p�����A�C�f���e�B�e�B�̌`�����L�q���A��̓I�ɂ́A���J�j�Y���ɂ���ē]�������F�A�C�f���e�B�e�B������̕��@�ƈӖ��_�Ƃ��K�肷��B
The client provides its credentials (which include or imply an authentication identity) and, optionally, a character string representing the requested authorization identity as part of the SASL exchange. When this character string is omitted or empty, the client is requesting to act as the identity associated with the credentials (e.g., the user is requesting to act as the authentication identity). �N���C�A���g�́ASASL �����̈ꕔ�Ƃ��Ď��g�̏ؖ���(�F�A�C�f���e�B�e�B���܂܂��)�ƁA�I�v�V�����ŁA�v�����ꂽ�F�A�C�f���e�B�e�B��\��������Ƃ����B���̕����ȗ�����Ă��邩�A�܂��͋�̂Ƃ��A�N���C�A���g�͂��̏ؖ����Ɋ֘A�t����ꂽ�A�C�f���e�B�e�B�Ƃ��ĐU�镑�����Ƃ�v�����Ă���(�܂肻�̃��[�U�[�́A���̔F�A�C�f���e�B�e�B�Ƃ��ĐU�镑�����Ƃ�v�����Ă���)�B
The server is responsible for verifying the client's credentials and verifying that the identity it associates with the client's credentials (e.g., the authentication identity) is allowed to act as the authorization identity. A SASL exchange fails if either (or both) of these verifications fails. (The SASL exchange may fail for other reasons, such as service authorization failure.) �T�[�o�[�̓N���C�A���g�ؖ����̌��ƁA�N���C�A���g�ؖ����ɑΉ�����A�C�f���e�B�e�B(���Ȃ킿�����A�C�f���e�B�e�B)�����̌����A�C�f���e�B�e�B�Ƃ��ĐU�镑�����Ƃ�������Ă��邩�ǂ����̌��ƂɐӔC�����B�����̌��̂ǂ��炩(�܂��͗���)�Ɏ��s����ƁASASL �����͎��s����B(�����s���ȂǁA���̗��R�� SASL ���������s����\��������B)
However, the precise form(s) of the authentication identities (used within the server in its verifications, or otherwise) and the precise form(s) of the authorization identities (used in making authorization decisions, or otherwise) are beyond the scope of SASL and this specification. In some circumstances, the precise identity forms used in some context outside of the SASL exchange may be dictated by other specifications. For instance, an identity assumption authorization (proxy authorization) policy specification may dictate how authentication and authorization identities are represented in policy statements. �������Ȃ���A�F�A�C�f���e�B�e�B(���Ȃǂ̂��߂ɃT�[�o�[���Ŏg�p�����)�̐��m�ȏ������A�����A�C�f���e�B�e�B(�����̌���ȂǂɎg�p�����)�̐��m�ȏ������ASASL �y�т��̎d�l�͈̔͊O�ł���B���ɂ���ẮASASL �����̊O���ɂ����Ďg�p����鐳�m�ȃA�C�f���e�B�e�B�̏������A���̎d�l�����肷��ꍇ������B�Ⴆ�A�C�f���e�B�e�B�㗝�F��(�v���L�V�F��)�|���V�[�̎d�l�́A�F�A�C�f���e�B�e�B�ƌ����A�C�f���e�B�e�B�Ƃ��|���V�[�錾�ɂ����ĕ\���������@�����肷��\��������B
Each authentication exchange consists of a message from the client to the server requesting authentication via a particular mechanism, followed by one or more pairs of challenges from the server and responses from the client, followed by a message from the server indicating the outcome of the authentication exchange. (Note: exchanges may also be aborted as discussed in Section 3.5.) �e�F�،����́A�������̃��J�j�Y����ʂ��ĔF��v������N���C�A���g����T�[�o�[�ւ̃��b�Z�[�W�A���ɃT�[�o�[����̃`�������W�ƃN���C�A���g����̃��X�|���X�Ƃ̂ЂƂȏ�̑g�A�����ĔF�،����̌��ʂ�\���T�[�o�[����̃��b�Z�[�W���܂ށB(���ӁF�Z�N�V���� 3.5 �Ő�������Ă���悤�ɁA�F�،����͎��s����ꍇ������B)
The following illustration provides a high-level overview of an authentication exchange. �F�،����̍������̊T�v���ȉ��Ɏ����B
C: Request authentication exchange
S: Initial challenge
C: Initial response
<additional challenge/response messages>
S: Outcome of authentication exchange
C: �F�،����̗v��
S: �����`�������W
C: �������X�|���X
<�lj��̃`�������W/���X�|���X>
S: �F�،����̌���
If the outcome is successful and a security layer was negotiated, this layer is then installed (see Section 3.7). This also applies to the following illustrations. �F�̌��ʂ������ł���A���Z�L�����e�B���C����������Ă����ꍇ�A���̃��C�������������(�Z�N�V���� 3.7 �Q��)�B����͈ȍ~�̐����ɂ��K�p�����B
Some mechanisms specify that the first data sent in the authentication exchange is from the client to the server. Protocols may provide an optional initial response field in the request message to carry this data. Where the mechanism specifies that the first data sent in the exchange is from the client to the server, the protocol provides an optional initial response field, and the client uses this field, the exchange is shortened by one round-trip: �F�،����ɂ����čŏ��ɑ��M�����f�[�^���N���C�A���g����T�[�o�[�ւ̂��̂ł���ƋK�肷�郁�J�j�Y��������B�v���g�R���́A���N�G�X�g���b�Z�[�W�ɂ�����ŏ��̃��X�|���X���ɂ��̃f�[�^���܂߂đ��M���邱�Ƃ��I�v�V�����ŋ����Ă��悢�B�ŏ��̃f�[�^���N���C�A���g����T�[�o�[�ւƑ��M�����ƃ��J�j�Y�����K�肵�A�v���g�R�����I�v�V�����̏������X�|���X�t�B�[���h����A�N���C�A���g�����̃t�B�[���h���g�p����ꍇ�A����肪�ꉝ���ȗ������B
C: Request authentication exchange + Initial response
<additional challenge/response messages>
S: Outcome of authentication exchange
C: �F�،����̗v�� + �������X�|���X
<�lj��̃`�������W/���X�|���X>
S: �F�،����̌���
Where the mechanism specifies that the first data sent in the exchange is from the client to the server and this field is unavailable or unused, the client request is followed by an empty challenge. �F�،����ɂ�����ŏ��̃f�[�^���N���C�A���g����T�[�o�[�ւƑ��M�����ƃ��J�j�Y�����K�肵�Ă���A���������X�|���X�t�B�[���h�����p�s�\�܂��͖��g�p�̏ꍇ�A�N���C�A���g�̗v���̌�ɋ�̃`�������W�������B
C: Request authentication exchange
S: Empty Challenge
C: Initial Response
<additional challenge/response messages>
S: Outcome of authentication exchange
C: �F�،����̗v��
S: ��̃`�������W
C: �������X�|���X
<�lj��̃`�������W/���X�|���X>
S: �F�،����̌���
Should a client include an initial response in its request where the mechanism does not allow the client to send data first, the authentication exchange fails. �N���C�A���g���������X�|���X���܂ރ��N�G�X�g�𑗐M�������A�ŏ��̃f�[�^���N���C�A���g���瑗�M����邱�Ƃ����J�j�Y���������Ă��Ȃ������ꍇ�A�F�،����͎��s����B
Some mechanisms specify that the server is to send additional data to the client when indicating a successful outcome. Protocols may provide an optional additional data field in the outcome message to carry this data. Where the mechanism specifies that the server is to return additional data with the successful outcome, the protocol provides an optional additional data field in the outcome message, and the server uses this field, the exchange is shortened by one round-trip: �ꕔ�̃��J�j�Y���́A���ʂ������̏ꍇ�ɃT�[�o�[���N���C�A���g�ɒlj����𑗐M����ƋK�肵�Ă���B���̒lj�����`���邽�߂ɁA�v���g�R���͌��ʃ��b�Z�[�W�ɃI�v�V�����̒lj����t�B�[���h����Ă悢�B�����̌��ʂƂƂ��ɒlj��f�[�^��Ԃ����Ƃ����J�j�Y�����K�肵�A�v���g�R�������ʃ��b�Z�[�W�ɂ�����I�v�V�����̒lj����t�B�[���h����A�T�[�o�[�����̃t�B�[���h���g�p����ꍇ�A����肪�ꉝ���ȗ������F
C: Request authentication exchange
S: Initial challenge
C: Initial response
<additional challenge/response messages>
S: Outcome of authentication exchange with
additional data with success
C: �F�،����̗v��
S: �����`�������W
C: �������X�|���X
<�lj��̃`�������W/���X�|���X>
S: �������Ă���A�lj������܂ޔF�،����̌���
Where the mechanism specifies that the server is to return additional data to the client with a successful outcome and this field is unavailable or unused, the additional data is sent as a challenge whose response is empty. After receiving this response, the server then indicates the successful outcome. ���������ꍇ�ɃT�[�o�[���N���C�A���g�ɒlj�����Ԃ��ƃ��J�j�Y�����K�肵�A�����̃t�B�[���h�����p�s�\�܂��͖��g�p�̏ꍇ�A���̒lj��f�[�^�́A���X�|���X����̃`�������W�Ƃ��đ��M�����B���̃��X�|���X����M������A�T�[�o�[�͐����̌��ʂ�Ԃ��B
C: Request authentication exchange
S: Initial challenge
C: Initial response
<additional challenge/response messages>
S: Additional data challenge
C: Empty Response
S: Outcome of authentication exchange
C: �F�،����̗v��
S: �����`�������W
C: �������X�|���X
<�lj��̃`�������W/���X�|���X>
S: �lj����`�������W
C: ��̃��X�|���X
S: �F�،����̌���
Where mechanisms specify that the first data sent in the exchange is from the client to the server and additional data is sent to the client along with indicating a successful outcome, and the protocol provides fields supporting both, then the exchange takes two fewer round-trips: �F�،����ɂ�����ŏ��̃f�[�^���N���C�A���g����T�[�o�[�֑��M����ƃ��J�j�Y�����K�肵�A�������̌��ʂƂƂ��ɒlj��f�[�^���N���C�A���g�֑��M����A�������T�|�[�g����t�B�[���h���v���g�R�������Ă���ꍇ�A���̔F�،����̂����͓��Z���Ȃ�F
C: Request authentication exchange + Initial response
<additional challenge/response messages>
S: Outcome of authentication exchange
with additional data with success
C: �F�،����̗v�� + �������X�|���X
<�lj��̃`�������W/���X�|���X>
S: �lj������Ƃ��Ȃ��F�،����̌���
instead of: ����͈ȉ��̑�ւł���F
C: Request authentication exchange
S: Empty Challenge
C: Initial Response
<additional challenge/response messages>
S: Additional data challenge
C: Empty Response
S: Outcome of authentication exchange
C: �F�،����̗v��
S: ��̃`�������W
C: �������X�|���X
<�lj��̃`�������W/���X�|���X>
S: �lj����`�������W
C: ��̃��X�|���X
S: �F�،����̌���
SASL mechanisms are named by character strings, from 1 to 20 characters in length, consisting of ASCII [ASCII] uppercase letters, digits, hyphens, and/or underscores. In the following Augmented Backus-Naur Form (ABNF) [RFC4234] grammar, the <sasl-mech> production defines the syntax of a SASL mechanism name. SASL ���J�j�Y���͕�����Ŗ��O��t�����A������ 1 �` 20�AASCII [ASCII] �̑啶���E�����E�n�C�t���E�A���_�[�X�R�A����\�������B�g���o�b�J�X�L�@(ABNF) [RFC4234]�ɂ�� SASL ���J�j�Y�����̕��@�́A�ȉ��� <sasl-mech> �Œ�`�����B
sasl-mech = 1*20mech-char
mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
; mech-char is restricted to A-Z (uppercase only), 0-9, -, and _
; from ASCII character set.
UPPER-ALPHA = %x41-5A ; A-Z (uppercase only)
DIGIT = %x30-39 ; 0-9
HYPHEN = %x2D ; hyphen (-)
UNDERSCORE = %x5F ; underscore (_)
sasl-mech = 1*20mech-char
mech-char = UPPER-ALPHA / DIGIT / HYPHEN / UNDERSCORE
; mech-char �� ASCII �����Z�b�g�̂����AA-Z(�啶���̂�)�A0-9�A-�A_
; �����ɐ��������
UPPER-ALPHA = %x41-5A ; A-Z (�啶���̂�)
DIGIT = %x30-39 ; 0-9
HYPHEN = %x2D ; �n�C�t�� (-)
UNDERSCORE = %x5F ; �A���_�[�X�R�A (_)
SASL mechanism names are registered as discussed in Section 7.1. SASL ���J�j�Y���̖��̂́A�Z�N�V���� 7.2 �ŋc�_����Ă�����@�œo�^�����B
Mechanism negotiation is protocol specific. ���J�j�Y���̌��̓v���g�R���ŗL�̂��̂ł���B
Commonly, a protocol will specify that the server advertises supported and available mechanisms to the client via some facility provided by the protocol, and the client will then select the "best" mechanism from this list that it supports and finds suitable. ��ʂɃv���g�R���́A�T�[�o�[���T�|�[�g���Ă��藘�p�\�ȃ��J�j�Y�����A���̃v���g�R��������@�\�ɂ���ăN���C�A���g�ɒʒm����ƋK�肵�A�N���C�A���g�͂��̃��X�g�̒����玩�g���T�|�[�g���Ă���K�p�\�� "�ŗǂ�(best)" ���J�j�Y����I������B
Note that the mechanism negotiation is not protected by the subsequent authentication exchange and hence is subject to downgrade attacks if not protected by other means. ���J�j�Y���̌��͌㑱�̔F�،����ɂ��ی���Ȃ����߁A���̎�i�ŕی삳��Ă��Ȃ�����A�_�E���O���[�h�U�����₷�����Ƃɒ��ӂ��Ăق����B
To detect downgrade attacks, a protocol can allow the client to discover available mechanisms subsequent to the authentication exchange and installation of data security layers with at least data integrity protection. This allows the client to detect changes to the list of mechanisms supported by the server. �N���C�A���g���_�E���O���[�h�U�������o�ł���悤�ɁA�v���g�R���́A�F�،����Ə��Ȃ��Ƃ��f�[�^�̊��S���ی�����Z�L�����e�B���C���̓����Ƃ��Ȃ��ꂽ��ɁA���p�\�ȃ��J�j�Y�����N���C�A���g����������悤�ɂ��邱�Ƃ��ł���B����ɂ��N���C�A���g�́A�T�[�o�[���T�|�[�g���郁�J�j�Y���̈ꗗ�̕ω������o���邱�Ƃ��ł���B
The authentication exchange is initiated by the client by requesting authentication via a mechanism it specifies. The client sends a message that contains the name of the mechanism to the server. The particulars of the message are protocol specific. �F�،����́A�N���C�A���g���w�肵�����J�j�Y����ʂ����N���C�A���g�̔F�ؗv���ŊJ�n�����B�N���C�A���g�̓��J�j�Y���̖��̂��܂ރ��b�Z�[�W���T�[�o�[�ɑ��M����B���̃��b�Z�[�W�̏ڍׂ̓v���g�R���ŗL�̂��̂ł���B
Note that the name of the mechanism is not protected by the mechanism, and hence is subject to alteration by an attacker if not integrity protected by other means. ���J�j�Y���̖��̂̓��J�j�Y���ɂ��ی���Ȃ����߁A���̎�i�Ŋ��S�����ۏ���Ă��Ȃ�����A�U���҂ɂ����T���₷�����Ƃɒ��ӂ��Ăق����B
Where the mechanism is defined to allow the client to send data first, and the protocol's request message includes an optional initial response field, the client may include the response to the initial challenge in the authentication request message. �N���C�A���g���ŏ��Ƀf�[�^�𑗐M���邱�Ƃ����J�j�Y���������Ă���A�v���g�R���̃��N�G�X�g���b�Z�[�W���I�v�V�����̏������X�|���X�t�B�[���h���܂ޏꍇ�A�N���C�A���g�͔F�ؗv�����b�Z�[�W�̒��ɍŏ��̃`�������W�ւ̃��X�|���X���܂߂Ă��悢�B
The authentication exchange involves one or more pairs of server- challenges and client-responses, the particulars of which are mechanism specific. These challenges and responses are enclosed in protocol messages, the particulars of which are protocol specific. �F�،����̓T�[�o�[�`�������W�ƃN���C�A���g���X�|���X�Ƃ̑g���ЂƂ܂��͕����܂ށB���̏ڍׂ̓��J�j�Y���ŗL�ł���B�����̃`�������W�ƃ��X�|���X�̓v���g�R�����b�Z�[�W�̒��ɓ������B�v���g�R�����b�Z�[�W�̏ڍׂ̓v���g�R���ŗL�ł���B
Through these challenges and responses, the mechanism may: �����̃`�������W�ƃ��X�|���X�Ƃ�ʂ��ă��J�j�Y���́F
The negotiation of the security layer may involve negotiation of the security services to be provided in the layer, how these services will be provided, and negotiation of a maximum cipher-text buffer size each side is able to receive in the layer (see Section 3.6). �Z�L�����e�B���C���̌��ɂ́A���̃��C���Œ����Z�L�����e�B�T�[�r�X�̌����܂܂�Ă��悢�B�����̃T�[�r�X���ǂ̂悤�ɒ���邩�ƁA�o���ɂ�����Í��e�L�X�g�o�b�t�@�̍ő�T�C�Y�̌��Ƃ́A���̃��C���̒��Ŏ�邱�Ƃ��ł���(�Z�N�V���� 3.6 �Q��)�B
After receiving an authentication request or any client response, the server may issue a challenge, abort the exchange, or indicate the outcome of an exchange. After receiving a challenge, a client mechanism may issue a response or abort the exchange. �F�ؗv���܂��̓N���C�A���g���X�|���X����M������̃T�[�o�[�́A�`�������W�𑗐M���邩�A�����𒆎~���邩�A�����̌��ʂ�Ԃ����Ƃ��ł���B�`�������W����M������̃N���C�A���g�̃��J�j�Y���́A���X�|���X�𑗐M���邩�A�����𒆎~�����Ƃ��ł���B
The authorization identity string is a sequence of zero or more Unicode [Unicode] characters, excluding the NUL (U+0000) character, representing the identity to act as. �����A�C�f���e�B�e�B������̓[�������ȏ�̈�A�̃��j�R�[�h[Unicode]����(NUL (U+0000) ������)�ł���A���̃A�C�f���e�B�e�B�̖�����\���B
If the authorization identity string is absent, the client is requesting to act as the identity the server associates with the client's credentials. An empty string is equivalent to an absent authorization identity. �N���C�A���g����̔F�A�C�f���e�B�e�B�����ȗ�����Ă���ꍇ�A���̃N���C�A���g�́A�T�[�o�[�����̃N���C�A���g�̏ؖ����Ɋ֘A�t���Ă���A�C�f���e�B�e�B�Ƃ��ĐU�镑�����Ƃ�v�����Ă���B����͔F�A�C�f���e�B�e�B���ȗ�����Ă���̂Ɠ����Ӗ��ł���B
A non-empty authorization identity string indicates that the client wishes to act as the identity represented by the string. In this case, the form of identity represented by the string, as well as the precise syntax and semantics of the string, is protocol specific. ��ȊO�̔F�A�C�f���e�B�e�B������́A���̕����\���A�C�f���e�B�e�B�Ƃ��ĐU�镑�����Ƃ��N���C�A���g���]��ł��邱�Ƃ�\���B���̏ꍇ�A�����\���A�C�f���e�B�e�B�̏������A���̕�����̐��m�ȕ��@/�Ӗ��_���A�v���g�R���ŗL�ł���B
While the character encoding schema used to transfer the authorization identity string in the authentication exchange is mechanism specific, mechanisms are expected to be capable of carrying the entire Unicode repertoire (with the exception of the NUL character). �F�،����ɂ����Č����A�C�f���e�B�e�B�𑗐M����̂Ɏg�p����镶���G���R�[�h�@�̓��J�j�Y���ŗL�ł��邪�A���J�j�Y���͂��ׂẴ��j�R�[�h(NUL ����������)�𑗐M����\�͂������Ƃ����҂����B
A client or server may desire to abort an authentication exchange if it is unwilling or unable to continue (or enter into). �N���C�A���g�܂��̓T�[�o�[���F�،����̌p��(�܂��͊J�n)��]�܂Ȃ��A�܂��͂��ꂪ�ł��Ȃ��ꍇ�A���̔F�،����̒��~��]��ł��悢�B
A client may abort the authentication exchange by sending a message, the particulars of which are protocol specific, to the server, indicating that the exchange is aborted. The server may be required by the protocol to return a message in response to the client's abort message. ���������~���ꂽ���Ƃ��������b�Z�[�W���T�[�o�[�ɑ��M���邱�ƂŁA�N���C�A���g�͔F�،����𒆎~���邱�Ƃ��ł���B���̃��b�Z�[�W�̏ڍׂ̓v���g�R���ŗL�ł���B�v���g�R���̓N���C�A���g�̒��~���b�Z�[�W�ɑ��ăT�[�o�[�����b�Z�[�W��Ԃ��悤�ɗv�����Ă��悢�B
Likewise, a server may abort the authentication exchange by sending a message, the particulars of which are protocol specific, to the client, indicating that the exchange is aborted. �����悤�ɃT�[�o�[���A���������~���ꂽ���Ƃ��������b�Z�[�W���N���C�A���g�ɑ��M���邱�ƂŔF�،����𒆎~���邱�Ƃ��ł���B���̃��b�Z�[�W�̏ڍׂ̓v���g�R���ŗL�ł���B
At the conclusion of the authentication exchange, the server sends a message, the particulars of which are protocol specific, to the client indicating the outcome of the exchange. �T�[�o�[�͔F�،����̏I���ɁA���̌����̌��ʂ�\�����b�Z�[�W���N���C�A���g�ɑ��M����B���̃��b�Z�[�W�̏ڍׂ̓v���g�R���ŗL�ł���B
The outcome is not successful if �ȉ��̏ꍇ�A�F�͕s�����ƂȂ�F
The protocol may include an optional additional data field in this outcome message. This field can only include additional data when the outcome is successful. �v���g�R���͂��̌��ʃ��b�Z�[�W�ɃI�v�V�����̒lj��f�[�^�t�B�[���h���܂߂Ă��悢�B���̃t�B�[���h�ɒlj��f�[�^���܂ނ��Ƃ��ł���̂́A�F�����������ꍇ�����ł���B
If the outcome is successful and a security layer was negotiated, this layer is then installed. If the outcome is unsuccessful, or a security layer was not negotiated, any existing security is left in place. ���ʂ������ŁA�Z�L�����e�B���C����������Ă����ꍇ�A���̃��C�������������B�F�Ɏ��s�����A�܂��̓Z�L�����e�B���C����������Ă��Ȃ��ꍇ�A�ȑO�̃Z�L�����e�B�̂܂܂ł���B
The outcome message provided by the server can provide a way for the client to distinguish between errors that are best dealt with by re- prompting the user for her credentials, errors that are best dealt with by telling the user to try again later, and errors where the user must contact a system administrator for resolution (see the SYS and AUTH POP Response Codes [RFC3206] specification for an example). This distinction is particularly useful during scheduled server maintenance periods as it reduces support costs. It is also important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user. �T�[�o�[����Ԃ����G���[�ɂ́A���[�U�[�ɍĂяؖ����𑣂��̂��ŗǂ̃G���[�A���炭��ɍĎ��s����悤�Ƀ��[�U�[�ɓ`����̂��ŗǂ̃G���[�A���[�U�[���V�X�e���Ǘ��҂ɘA�������ׂ��G���[(The SYS and AUTH POP Response Codes [RFC3206]�̗���Q��)������B�T�[�o�[�����錋�ʃ��b�Z�[�W�͂����̎��s���N���C�A���g����ʂ�����@��ł���B���̋�ʂ́A�T�[�o�[�̒�������e�i���X���ɃT�|�[�g�R�X�g���팸����̂ɓ��ɗL���ł���B���ʃ��b�Z�[�W�������ȃ��[�U�[�Ɩ����ȏؖ��������L���ȃ��[�U�[�Ƃ���ʂ��Ȃ��悤�ɃT�[�o�[���\���\�ł��邱�Ƃ��d�v�ł���B
SASL mechanisms may offer a wide range of services in security layers. Typical services include data integrity and data confidentiality. SASL mechanisms that do not provide a security layer are treated as negotiating no security layer. SASL ���J�j�Y���̓Z�L�����e�B���C���ɂ�����L�͈͂̃T�[�r�X������Ƃ��ł���B�T�^�I�ȃT�[�r�X�̓f�[�^�̊��S���ƃf�[�^�̋@�����Ƃ��܂ށB�Z�L�����e�B���C������Ȃ� SASL ���J�j�Y���́A�Z�L�����e�B���C���������Ȃ����̂Ƃ��Ĉ�����B
If use of a security layer is negotiated in the authentication protocol exchange, the layer is installed by the server after indicating the outcome of the authentication exchange and installed by the client upon receipt of the outcome indication. In both cases, the layer is installed before transfer of further protocol data. The precise position upon which the layer takes effect in the protocol data stream is protocol specific. �F�v���g�R���̌����̒��ŃZ�L�����e�B���C���̎g�p�������ꂽ�ꍇ�A���̃��C���́A�T�[�o�[�ɂ͔F�،����̌��ʂ�Ԃ�����ɁA�N���C�A���g�ɂ͌��ʂ���M�����Ƃ��ɓ��������B�ǂ���̏ꍇ���A���̌�̃v���g�R���f�[�^�𑗐M����O�Ƀ��C�������������B�v���g�R���̃f�[�^�X�g���[���ɂ����ă��C�������ʂ��������m�Ȉʒu�́A�v���g�R���ŗL�ł���B
Once the security layer is in effect in the protocol data stream, it remains in effect until either a subsequently negotiated security layer is installed or the underlying transport connection is closed. �v���g�R���f�[�^�X�g���[���ɂ����ăZ�L�����e�B���C�������ʂ���������A�ʂ̃Z�L�����e�B���C����������邩���w�̃g�����X�|�[�g�ڑ���������܂ŁA�ŏ��̃Z�L�����e�B���C������������B
When in effect, the security layer processes protocol data into buffers of protected data. If at any time the security layer is unable or unwilling to continue producing buffers protecting protocol data, the underlying transport connection MUST be closed. If the security layer is not able to decode a received buffer, the underlying connection MUST be closed. In both cases, the underlying transport connection SHOULD be closed gracefully. ���ʂ��������Z�L�����e�B���C���́A�ی삳�ꂽ�����̃f�[�^�o�b�t�@���Ńv���g�R���f�[�^����������B�Z�L�����e�B���C�������̃o�b�t�@���ł��Ȃ��Ȃ����ꍇ�A�܂��͐�����]�܂Ȃ��ꍇ�ɂ͏�ɁA���w�̃g�����X�|�[�g�ڑ��͕����Ȃ���Ȃ�Ȃ�(MUST)�B�Z�L�����e�B���C������M�o�b�t�@���f�R�[�h�ł��Ȃ��ꍇ�A���w�̐ڑ��͕����Ȃ���Ȃ�Ȃ�(MUST)�B�ǂ���̏ꍇ���A���w�̃g�����X�|�[�g�ڑ��͒ʏ�̎菇�ʂ�ɕ�����ׂ��ł���(SHOULD)�B
Each buffer of protected data is transferred over the underlying transport connection as a sequence of octets prepended with a four- octet field in network byte order that represents the length of the buffer. The length of the protected data buffer MUST be no larger than the maximum size that the other side expects. Upon the receipt of a length field whose value is greater than the maximum size, the receiver SHOULD close the connection, as this might be a sign of an attack. �e�o�b�t�@�͉��w�̃g�����X�|�[�g�ڑ������A�̃I�N�e�b�g�Ƃ��đ��M�����B���̃V�[�P���X�̑O�ɂ́A���̃o�b�t�@�̒������l�b�g���[�N�o�C�g�I�[�_�[�ŕ\���� 4 �I�N�e�b�g�̃����O�X�t�B�[���h���t�������B�o�b�t�@�̒����͒ʐM���肪���҂���ő�T�C�Y���Ă͂Ȃ�Ȃ�(MUST)�B�ő�T�C�Y���钷���̃����O�X�t�B�[���h�͍U���̒���ł���\�������邽�߁A��M�҂͐ڑ������ׂ��ł���(SHOULD)�B
The maximum size that each side expects is fixed by the mechanism, either through negotiation or by its specification. ���҂����҂���ő�T�C�Y�̓��J�j�Y���ɂ���ČŒ肳�����̂ł���A����ʂ��āA�܂��͂��̃��J�j�Y���̎d�l�ɂ���Č��肳���B
Unless explicitly permitted in the protocol (as stated in the protocol's technical specification), only one successful SASL authentication exchange may occur in a protocol session. In this case, once an authentication exchange has successfully completed, further attempts to initiate an authentication exchange fail. �v���g�R���������I�ɋ����Ă��Ȃ�����(�v���g�R���̋Z�p�d�l�ɋL�q����Ă��Ȃ�����)�A���̃v���g�R���Z�b�V�������ł� SASL �F�،����̐����͈���������B���̏ꍇ�A�F�،���������������ɍĂєF�،������J�n���Ă��A����͎��s����B
Where multiple successful SASL authentication exchanges are permitted in the protocol, then in no case may multiple SASL security layers be simultaneously in effect. If a security layer is in effect and a subsequent SASL negotiation selects a second security layer, then the second security layer replaces the first. If a security layer is in effect and a subsequent SASL negotiation selects no security layer, the original security layer remains in effect. �v���g�R����������� SASL �F�،����̐����������Ă���ꍇ�ł��A������ SASL �Z�L�����e�B���C���������Ɍ��ʂ��������Ƃ͋�����Ȃ��B����Z�L�����e�B���C�����L���ȂƂ��ɁA�ʂ� SASL �F�،��������̃Z�L�����e�B���C����I�������ꍇ�A���̃Z�L�����e�B���C�����ŏ��̃Z�L�����e�B���C���Ɏ���đ��邱�ƂɂȂ�B����Z�L�����e�B���C�����L���ȂƂ��ɕʂ� SASL �����Z�L�����e�B���C��������I�������ꍇ�A���̃Z�L�����e�B���C���̌��ʂ���������B
Where multiple successful SASL negotiations are permitted in the protocol, the effect of a failed SASL authentication exchange upon the previously established authentication and authorization state is protocol specific. The protocol's technical specification should be consulted to determine whether the previous authentication and authorization state remains in force, or changed to an anonymous state, or otherwise was affected. Regardless of the protocol- specific effect upon previously established authentication and authorization state, the previously negotiated security layer remains in effect. �v���g�R����������� SASL �F�،����̐����������Ă���ꍇ�ɁASASL �F�،����̎��s�����̑O�Ɋm������Ă����F�E�����̏�Ԃɋy�ڂ��e���́A���̃v���g�R���Ɉˑ�����B�O�̔F�إ�����̏�Ԃ��ێ�����邩�A������ԂɈڍs���邩�A�ʂ̉e�����邩�́A���̃v���g�R���̋Z�p�d�l�ɂ��������ׂ��ł���B�ȑO�Ɋm������Ă����F�E�����̏�Ԃɋy�ڂ��v���g�R���ŗL�̉e���ɊW�Ȃ��A�ȑO�Ɍ�����Ă����Z�L�����e�B���C���̌��ʂ͈ێ������B
In order for a protocol to offer SASL services, its specification MUST supply the following information: SASL �T�[�r�X�����v���g�R���̎d�l�́A�ȉ��̏�����Ȃ���Ȃ�Ȃ�(MUST)�F
A protocol SHOULD specify a facility through which the client may discover, both before initiation of the SASL exchange and after installing security layers negotiated by the exchange, the names of the SASL mechanisms that the server makes available to the client. The latter is important to allow the client to detect downgrade attacks. This facility is typically provided through the protocol's extensions or capabilities discovery facility. �v���g�R���́ASASL �����̊J�n�O�Ƃ��̌����ɂ���Č����ꂽ�Z�L�����e�B���C���̓�����ƂɁA�T�[�o�[������ SASL ���J�j�Y���̖��O���N���C�A���g����������@�\���K�肷�ׂ��ł���(SHOULD)�B������ɂ������̂́A�N���C�A���g���_�E���O���[�h�U�������o�ł���悤�ɂ��邽�߂ɏd�v�Ȃ��Ƃł���B��ʂɂ��̋@�\�́A���̃v���g�R���̊g���܂��͔\�͌����@�\��ʂ��Ē����B
This message MUST contain a field for carrying the name of the mechanism selected by the client. ���̃��b�Z�[�W�́A�N���C�A���g���I���������J�j�Y���̖��O���^�Ԃ��߂̃t�B�[���h���܂܂Ȃ���Ȃ�Ȃ�(MUST)�B
This message SHOULD contain an optional field for carrying an initial response. If the message is defined with this field, the specification MUST describe how messages with an empty initial response are distinguished from messages with no initial response. This field MUST be capable of carrying arbitrary sequences of octets (including zero-length sequences and sequences containing zero-valued octets). ���̃��b�Z�[�W�͏������X�|���X���^�Ԃ��߂̃I�v�V�����t�B�[���h�����ׂ��ł���(SHOULD)�B���b�Z�[�W�����̃I�v�V�����t�B�[���h�����ƒ�`����d�l�́A��̏������X�|���X�������b�Z�[�W�Ə������X�|���X�������Ȃ����b�Z�[�W�Ƃ���ʂ�����@���L�q���Ȃ���Ȃ�Ȃ�(MUST)�B���̃t�B�[���h�͔C�ӂ̃I�N�e�b�g�V�[�P���X(�����[���̃V�[�P���X�A�l�[���̃I�N�e�b�g���܂܂��V�[�P���X���܂�)���^�Ԃ��Ƃ��o���Ȃ���Ȃ�Ȃ�(MUST)�B
Each of these messages MUST be capable of carrying arbitrary sequences of octets (including zero-length sequences and sequences containing zero-valued octets). �����̃��b�Z�[�W�͔C�ӂ̃I�N�e�b�g�V�[�P���X(�����[���̃V�[�P���X�A�l�[���̃I�N�e�b�g���܂܂��V�[�P���X���܂�)��`���邱�Ƃ��o���Ȃ���Ȃ�Ȃ�(MUST)�B
This message SHOULD contain an optional field for carrying additional data with a successful outcome. If the message is defined with this field, the specification MUST describe how messages with an empty additional data are distinguished from messages with no additional data. This field MUST be capable of carrying arbitrary sequences of octets (including zero- length sequences and sequences containing zero-valued octets). ���̃��b�Z�[�W�́A�F�����������ꍇ�ɒlj��f�[�^��`���邽�߂̃I�v�V�����t�B�[���h���܂ނׂ��ł���(SHOULD)�B���b�Z�[�W�����̃I�v�V�����t�B�[���h�����ƒ�`����d�l�́A��̒lj��f�[�^�������b�Z�[�W�ƒlj����b�Z�[�W�������Ȃ����b�Z�[�W�Ƃ���ʂ�����@���L�q���Ȃ���Ȃ�Ȃ�(MUST)�B���̃t�B�[���h�͔C�ӂ̃I�N�e�b�g�V�[�P���X(�����[���̃V�[�P���X�A�l�[���̃I�N�e�b�g���܂܂��V�[�P���X���܂�)��`���邱�Ƃ��o���Ȃ���Ȃ�Ȃ�(MUST)�B
In order to avoid interoperability problems due to differing normalizations, the protocol specification MUST detail precisely how and where (client or server) non-empty authorization identity strings are prepared, including all normalizations, for comparison and other applicable functions to ensure proper function. �قȂ�K�i���ɋN�����鑊�݉^�p�̖�������A��r�y�ё��̓K�p�\�ȋ@�\���K�ȋ@�\��ۏł���悤�ɁA��ł͂Ȃ��F�A�C�f���e�B�e�B�����ǂ���(�N���C�A���g�܂��̓T�[�o�[)�A�܂��ǂ�����ď�������邩���A���ׂĂ̋K�i�����܂߃v���g�R���d�l�͐��m�ɋL�q���Ȃ���Ȃ�Ȃ�(MUST)�B
Specifications are encouraged to prescribe use of existing authorization identity forms as well as existing string representations, such as simple user names [RFC4013]. �v���g�R���d�l�́A�����̕�����\�������łȂ��A�����̔F�A�C�f���e�B�e�B�`���̎g�p���@���K�肷�邱�Ƃ����������[RFC4013]�B
Where the specification does not precisely prescribe how identities in SASL relate to identities used elsewhere in the protocol, for instance, in access control policy statements, it may be appropriate for the protocol to provide a facility by which the client can discover information (such as the representation of the identity used in making access control decisions) about established identities for these uses. SASL �ɂ�����A�C�f���e�B�e�B�ƃv���g�R�����̕ʂ̏ꏊ(�Ⴆ�A�N�Z�X����|���V�[�̐錾)�Ŏg�p�����A�C�f���e�B�e�B�Ƃ��֘A�t������@���v���g�R���d�l�����m�ɋL�q���Ă��Ȃ��ꍇ�A�m�����ꂽ�A�C�f���e�B�e�B�̎g�p���@�Ɋւ�����(�A�N�Z�X��������肷��Ƃ��Ɏg����A�C�f���e�B�e�B�̕\���Ȃ�)���N���C�A���g����������@�\�����̂��K���낤�B
Protocols that support multiple authentications typically allow a client to abort an ongoing authentication exchange by initiating a new authentication exchange. Protocols that do not support multiple authentications may require the client to close the connection and start over to abort an ongoing authentication exchange. ���d�F���T�|�[�g����v���g�R���͈�ʂɁA�N���C�A���g���V�����F�،������J�n���邱�ƂŐi�s���̔F�،����𒆎~���邱�Ƃ�������B���d�F���T�|�[�g���Ȃ��v���g�R���́A�N���C�A���g���i�s���̔F�𒆎~����ɂ͐ڑ�����A������x��蒼�����Ƃ�v�����Ă��悢�B
Protocols typically allow the server to abort ongoing authentication exchanges by returning a non-successful outcome message. ��ʂɃv���g�R���́A�T�[�o�[���s�����̌��ʃ��b�Z�[�W��Ԃ����ƂŐi�s���̔F�،����𒆎~���邱�Ƃ������Ă���B
Typically, specifications require security layers to start taking effect on the first octet following the outcome message in data being sent by the server and on the first octet sent after receipt of the outcome message in data being sent by the client. ��ʂɎd�l�́A�T�[�o�[�̏ꍇ�͌��ʃ��b�Z�[�W����̍ŏ��̃I�N�e�b�g����A�N���C�A���g�̏ꍇ�͌��ʃ��b�Z�[�W��M��̍ŏ��̃I�N�e�b�g����A�Z�L�����e�B���C�������ʂ��������Ƃ�v������B
For instance, where a protocol supports both TLS and SASL security layers, the specification could prescribe any of the following: �Ⴆ�ATLS �� SASL �̃Z�L�����e�B���C���Ƃ��T�|�[�g����v���g�R���̎d�l�́A�ȉ��̉��ꂩ���K��ł��邾�낤�B
Protocol specifications SHOULD avoid stating implementation requirements that would hinder replacement of applicable mechanisms. In general, protocol specifications SHOULD be mechanism neutral. There are a number of reasonable exceptions to this recommendation, including �v���g�R���d�l�́A�K�p�\�ȃ��J�j�Y���̒u����j�Q����悤�Ȏ����v���������ׂ��ł���(SHOULD)�B��ʂɃv���g�R���d�l�̓��J�j�Y���ɒ����ł���ׂ��ł���(SHOULD)�B���������̐��������ɂ́A�ȉ��̎������܂ނ��Ƃɂ�鑽���̍����I�ȗ�O����F
SASL mechanism specifications MUST supply the following information: SASL ���J�j�Y���̎d�l�͈ȉ��̏�����Ȃ���Ȃ�Ȃ�(MUST)�F
SASL mechanisms SHOULD be designed to minimize the number of challenges and responses necessary to complete the exchange. �������������邽�߂ɕK�v�Ƃ����`�������W�ƃ��X�|���X�Ƃ̐����ŏ����ɂȂ�悤�� SASL ���J�j�Y���v����ׂ��ł���(SHOULD)�B
Mechanisms that are capable of transferring an authorization identity string MUST be capable of transferring arbitrary non- empty sequences of Unicode characters, excluding those that contain the NUL (U+0000) character. Mechanisms SHOULD use the UTF-8 [RFC3629] transformation format. The specification MUST detail how any Unicode code points special to the mechanism that might appear in the authorization identity string are escaped to avoid ambiguity during decoding of the authorization identity string. Typically, mechanisms that have special characters require these special characters to be escaped or encoded in the character string (after encoding it in a particular Unicode transformation format) using a data encoding scheme such as Base64 [RFC3548]. �����A�C�f���e�B�e�B������𑗐M����\�͂������J�j�Y���́A���j�R�[�h���琬���ł͂Ȃ��C�ӂ̃V�[�P���X(������ NUL ����(U+0000)���܂ރV�[�P���X������)�𑗐M����\�͂������Ȃ���Ȃ�Ȃ�(MUST)�B���J�j�Y���� UTF-8 [RFC3629] �ϊ��t�H�[�}�b�g���g�p����ׂ��ł���(SHOULD)�B�F�A�C�f���e�B�e�B������̃f�R�[�h���̂����܂�����������邽�߂ɁA���J�j�Y���̎d�l�͔F�A�C�f���e�B�e�B�����Ɍ����\���̂�����ꕶ�����G�X�P�[�v������@���ڏq���Ȃ���Ȃ�Ȃ�(MUST)�B���ꕶ���������J�j�Y���͒ʏ�A�Ⴆ�� Base64 [RFC3548]�̂悤�ȃf�[�^�G���R�[�h��@���g�p���āA(���炩�̃��j�R�[�h�ϊ��t�H�[�}�b�g�ɂ��������ăG���R�[�h�������)�����̓��ꕶ�����G�X�P�[�v����邱�Ƃ�K�v�Ƃ���B
SASL mechanisms SHOULD be protocol neutral. SASL ���J�j�Y���̓v���g�R���ɒ����ł���ׂ��ł���(SHOULD)�B
SASL mechanisms SHOULD reuse existing credential and identity forms, as well as associated syntaxes and semantics. SASL ���J�j�Y���͊����̏ؖ����ƃA�C�f���e�B�e�B�Ƃ̌`�������ł͂Ȃ��A����ɑΉ����镶�@�ƈӖ����ė��p����ׂ��ł���(SHOULD)�B
SASL mechanisms SHOULD use the UTF-8 transformation format [RFC3629] for encoding Unicode [Unicode] code points for transfer. �]���̂��߂Ƀ��j�R�[�h[Unicode]�̃R�[�h�|�C���g���G���R�[�h����Ƃ��ASASL ���J�j�Y���� UTF-8 �ϊ��t�H�[�}�b�g[RFC3629]���g�p����ׂ��ł���(SHOULD)�B
In order to avoid interoperability problems due to differing normalizations, when a mechanism calls for character data (other than the authorization identity string) to be used as input to a cryptographic and/or comparison function, the specification MUST detail precisely how and where (client or server) the character data is to be prepared, including all normalizations, for input into the function to ensure proper operation. �قȂ�K�i���ɋN�����鑊�݉^�p�̖�������A�Í����r�̋@�\�ւ̓��͂��K�ȑ����ۏł���悤�ɁA���̋@�\�ւ̓��͂Ƃ��Ďg�p����镶���f�[�^(�����A�C�f���e�B�e�B�����������)�����J�j�Y�����v������ہA�����f�[�^���ǂ���(�N���C�A���g�܂��̓T�[�o�[)�A�܂��ǂ�����ď�������邩���A���ׂĂ̋K�i�����܂߃��J�j�Y���d�l�ɐ��m�ɋL�q���Ȃ���Ȃ�Ȃ�(MUST)�B
For simple user names and/or passwords in authentication credentials, SASLprep [RFC4013] (a profile of the StringPrep [RFC3454] preparation algorithm), SHOULD be specified as the preparation algorithm. �F�؏ؖ����ɂ�����P���ȃ��[�U�[��/�p�X���[�h�̂��߂ɁA�����A���S���Y���Ƃ��� SASLprep [RFC4013] (�����A���S���Y�� StringPrep [RFC3454] �̃v���t�@�C��)���K�肳���ׂ��ł���(SHOULD)�B
The mechanism SHOULD NOT use the authorization identity string in generation of any long-term cryptographic keys or hashes as there is no requirement that the authorization identity string be canonical. Long-term, here, means a term longer than the duration of the authentication exchange in which they were generated. That is, as different clients (of the same or different protocol) may provide different authorization identity strings that are semantically equivalent, use of authorization identity strings in generation of cryptographic keys and hashes will likely lead to interoperability and other problems. �����A�C�f���e�B�e�B������͐��K�������K�v���Ȃ����߁A���J�j�Y���͂�����ɂ킽��Í�����n�b�V���̐����Ɏg�p����ׂ��ł͂Ȃ�(SHOULD NOT)�B���̏ꍇ�́u�����v�Ƃ́A�����A�C�f���e�B�e�B�����������F�،����̊Ԋu�����������Ԃ�\���B�܂�A(����܂��͈قȂ�v���g�R�����g�p����)�����̃N���C�A���g���Ӗ��I�ɓ������قȂ錠���A�C�f���e�B�e�B�����������\�������邽�߁A�Í�����n�b�V���̐����Ɍ����A�C�f���e�B�e�B��������g�p����ƁA���݉^�p��̖��������N�����\��������Ƃ������Ƃł���B
Security issues are discussed throughout this memo. �Z�L�����e�B���͂��̕����S�̂�ʂ��ċc�_����Ă���B
Many existing SASL mechanisms do not provide adequate protection against passive attacks, let alone active attacks, in the authentication exchange. Many existing SASL mechanisms do not offer security layers. It is hoped that future SASL mechanisms will provide strong protection against passive and active attacks in the authentication exchange, as well as security layers with strong basic data security features (e.g., data integrity and data confidentiality) services. It is also hoped that future mechanisms will provide more advanced data security services like re-keying (see Section 6.3). ������ SASL ���J�j�Y���̑����̂͂��̔F�،����ɂ����āA�\���I�U���ɑ��Ă͂������A�I�U���ɑ���K�ȕی�����Ȃ��B������ SASL ���J�j�Y���̑����̓Z�L�����e�B���C������Ȃ��B����� SASL ���J�j�Y���́A�F�،����ɂ�����I�y�є\���I�U���ɑ��鋭�͂ȕی�ɉ����A���͂Ȋ�{�I�f�[�^�ی�@�\(�Ⴆ�f�[�^�̊��S����f�[�^�̋@����)�����Z�L�����e�B���C������邱�Ƃ��]�܂����B�܂�����̃��J�j�Y���ɂ́A�Ⴆ�Ō���(�Z�N�V���� 6.3 �Q��)�̂悤�ȁA��荂�x�ȃf�[�^�Z�L�����e�B�T�[�r�X����邱�Ƃ��]�܂��B
Regardless, the SASL framework is susceptible to downgrade attacks. Section 6.1.2 offers a variety of approaches for preventing or detecting these attacks. In some cases, it is appropriate to use data integrity protective services external to SASL (e.g., TLS) to protect against downgrade attacks in SASL. Use of external protective security services is also important when the mechanisms available do not themselves offer adequate integrity and/or confidentiality protection of the authentication exchange and/or protocol data. SASL �t���[�����[�N�̓_�E���O���[�h�U���̉e�����₷���B�Z�N�V���� 6.1.2 �͂��̂悤�ȍU�������o�E�h�䂷�邳�܂��܂Ȏ�@����Ă���BSASL �ɂ�����_�E���O���[�h�U���ɑ���ی����邽�߂ɁASASL �O���̃f�[�^���S���ی�T�[�r�X(�Ⴆ�� TLS)���g�p����̂��K�ȏꍇ������B���p�\�ȃ��J�j�Y�����F�،�����v���g�R���f�[�^�̊��S����@�����̓K�ȕی����Ȃ��ꍇ�ɂ��A�O���̕ی�T�[�r�X�̗��p�͗L���ł���B
When the client selects a SASL security layer with at least integrity protection, this protection serves as a counter-measure against an active attacker hijacking the connection and modifying protocol data sent after establishment of the security layer. Implementations SHOULD close the connection when the security services in a SASL security layer report protocol data report lack of data integrity. ���Ȃ��Ƃ����S���ی�@�\������ SASL �Z�L�����e�B���C�����N���C�A���g���I�������ꍇ�A���̕ی�T�[�r�X�́A�\���I�U���҂ɂ��ڑ��̃n�C�W���b�N�ƁA�Z�L�����e�B���C���m����ɑ��M�����v���g�R���f�[�^�̉��T�Ƃɑ���h���Ƃ��Ă̋@�\���ʂ����BSASL �Z�L�����e�B���C�����̃Z�L�����e�B�T�[�r�X���v���g�R���f�[�^�̊��S�����������Ă��邱�Ƃ�����ꍇ�A�����͂��̐ڑ������ׂ��ł���(SHOULD)�B
It is important that any security-sensitive protocol negotiations be performed after installation of a security layer with data integrity protection. Protocols should be designed such that negotiations performed prior to this installation should be revalidated after installation is complete. Negotiation of the SASL mechanism is security sensitive. �Z�L�����e�B�ɐT�d�������ׂ��v���g�R�����́A�f�[�^�̊��S���ی�@�\�����Z�L�����e�B���C���̓�����ɍs���邱�Ƃ��d�v�ł���B���̓����O�ɍs��ꂽ�����A����������ɍĊm�F���邱�Ƃ��`���t����悤�Ƀv���g�R���͐v�����ׂ��ł���BSASL ���J�j�Y���̌��̓Z�L�����e�B�ɐT�d�������ׂ����̂ł���B
When a client negotiates the authentication mechanism with the server and/or other security features, it is possible for an active attacker to cause a party to use the least secure security services available. For instance, an attacker can modify the server-advertised mechanism list or can modify the client-advertised security feature list within a mechanism response. To protect against this sort of attack, implementations SHOULD NOT advertise mechanisms and/or features that cannot meet their minimum security requirements, SHOULD NOT enter into or continue authentication exchanges that cannot meet their minimum security requirements, and SHOULD verify that completed authentication exchanges result in security services that meet their minimum security requirements. Note that each endpoint needs to independently verify that its security requirements are met. �N���C�A���g���F���J�j�Y���₻�̑��̃Z�L�����e�B�@�\���T�[�o�[�ƌ�����Ƃ��A�\���I�U���҂͗��p�\�Ȓ��ōŒ�̃Z�L�����e�B�T�[�r�X���Q���҂Ɏg�p�����邱�Ƃ��\�ł���B�Ⴆ�U���҂́A�T�[�o�[���ʒm���郁�J�j�Y���̈ꗗ�����T������A���X�|���X���ŃN���C�A���g���ʒm����Z�L�����e�B�@�\�̈ꗗ�����T�����肷�邱�Ƃ��ł���B���̎�̍U����h�����߂Ɏ����́A���g�̗v������Œ���̃Z�L�����e�B�Ɍ�����Ȃ����J�j�Y����@�\��ʒm���Ȃ��ׂ�(SHOULD NOT)�ł���A�Œ���̃Z�L�����e�B�Ɍ�����Ȃ��F�،������J�n������p�������肵�Ȃ��ׂ�(SHOULD NOT)�ł���A���������F�،��������g�̗v������Œ���̃Z�L�����e�B�Ɍ������\�͂������Ă��邱�Ƃ��m�F����ׂ��ł���(SHOULD)�B�����͊e�Q���҂����ꂼ��Ɨ����Ċm�F����K�v�����邱�Ƃɒ��ӂ��Ăق����B
In order to detect downgrade attacks to the least (or less) secure mechanism supported, the client can discover the SASL mechanisms that the server makes available both before the SASL authentication exchange and after the negotiated SASL security layer (with at least data integrity protection) has been installed through the protocol's mechanism discovery facility. If the client finds that the integrity-protected list (the list obtained after the security layer was installed) contains a stronger mechanism than those in the previously obtained list, the client should assume that the previously obtained list was modified by an attacker and SHOULD close the underlying transport connection. �T�|�[�g�������ōŎ��(�������́A���ア)���J�j�Y���ւƓ����_�E���O���[�h�U�������o���邽�߂ɁA�N���C�A���g�̓v���g�R���̎����J�j�Y���T���@�\��ʂ��āASASL �F�،����̑O��(���Ȃ��Ƃ��f�[�^���S���ی�@�\������) SASL �Z�L�����e�B���C���̓�����ƂɃT�[�o�[���L���ɂ��Ă��� SASL ���J�j�Y���ׂ邱�Ƃ��ł���B���S����ی삳�ꂽ���J�j�Y���̈ꗗ(�Z�L�����e�B���C��������Ɏ擾���ꂽ�ꗗ)�ɁA�ȑO�Ɏ擾�����ꗗ�Ɋ܂܂�Ă������̂�苭�����J�j�Y�����܂܂�Ă��邱�Ƃ������ꍇ�A�ȑO�Ɏ擾�����ꗗ�͍U���҂ɂ���ĉ��T����Ă����ƌ��Ȃ��A�N���C�A���g�͉��w�̃g�����X�|�[�g�ڑ������ׂ��ł���(SHOULD)�B
The client's initiation of the SASL exchange, including the selection of a SASL mechanism, is done in the clear and may be modified by an active attacker. It is important for any new SASL mechanisms to be designed such that an active attacker cannot obtain an authentication with weaker security properties by modifying the SASL mechanism name and/or the challenges and responses. �N���C�A���g�ɂ�� SASL ����(SASL ���J�j�Y���̑I�����܂�)�̊J�n�͕����ōs���邽�߁A�\���I�U���҂ɂ���ĉ��T�����\��������B����̐V���� SASL ���J�j�Y���́A�U���҂� SASL ���J�j�Y���̖��̂�`�������W/���X�|���X�����T���ĐƎ�ȔF�������邱�Ƃ��o���Ȃ��悤�ɐv����邱�Ƃ��d�v�ł���B
Multi-level negotiation of security features is prone to downgrade attack. Protocol designers should avoid offering higher-level negotiation of security features in protocols (e.g., above SASL mechanism negotiation) and mechanism designers should avoid lower- level negotiation of security features in mechanisms (e.g., below SASL mechanism negotiation). �Z�L�����e�B�@�\�̑��d���̓_�E���O���[�h�U�����₷���B�v���g�R���v�҂̓v���g�R���ɂ������ʃ��x����(�Ⴆ�� SASL ���J�j�Y���̌�����ʂ�)�Z�L�����e�B�@�\�̌�����邱�Ƃ������ׂ��ł���A���J�j�Y���v�҂̓��J�j�Y���ɂ����鉺�ʃ��x����(�Ⴆ�� SASL ���J�j�Y���̌���艺�ʂ�)�Z�L�����e�B�@�\�̌�����邱�Ƃ������ׂ��ł���B
Some mechanisms may be subject to replay attacks unless protected by external data security services (e.g., TLS). �O���̃f�[�^�ی�T�[�r�X(�Ⴆ�� TLS)�ɂ���ĕی삳��Ă��Ȃ�����A���J�j�Y���̓��v���C�U���̉e�����₷���B
Most existing SASL security layers do not themselves offer protection against truncation attack. In a truncation attack, the active attacker causes the protocol session to be closed, causing a truncation of the possibly integrity-protected data stream that leads to behavior of one or both the protocol peers that inappropriately benefits the attacker. Truncation attacks are fairly easy to defend against in connection-oriented application-level protocols. A protocol can defend against these attacks by ensuring that each information exchange has a clear final result and that each protocol session has a graceful closure mechanism, and that these are integrity protected. ������ SASL �Z�L�����e�B���C���̑啔���͐�̂čU���ɑ���ی����Ȃ��B��̂čU���ɂ����čU���҂́A�Q���҂̈���܂��͗������U���҂ɑ��ĕs���ȗ��v�������炷�悤�ɁA���S����ی삳��Ă���ł��낤�f�[�^�X�g���[�����̂Ă邱�ƂŃv���g�R���Z�b�V�������������B�R�l�N�V�����w���̃A�v���P�[�V�������x���v���g�R���ɂ����Đ�̂čU����h���̂͋ɂ߂ėe�Ղł���B���ꂼ��̏����������m�ȏI���ʒm�������ƁA�e�v���g�R���Z�b�V�����������ȏI�����J�j�Y���������ƁA���S�����ی삳��Ă邱�ƁA�������m�F���邱�ƂŃv���g�R���͂��������U����h�����Ƃ��ł���B
When use of a security layer is negotiated by the authentication protocol exchange, the receiver SHOULD handle gracefully any protected data buffer larger than the defined/negotiated maximal size. In particular, it MUST NOT blindly allocate the amount of memory specified in the buffer size field, as this might cause the "out of memory" condition. If the receiver detects a large block, it SHOULD close the connection. �F�v���g�R�������ɂ���ăZ�L�����e�B���C���̎g�p��������Ă���ꍇ�A��`/�����ꂽ�ő�T�C�Y���ی�f�[�^�o�b�t�@���傫�������Ƃ��Ă��A��M�҂͂���𐳏�Ɉ�����ׂ��ł���(SHOULD)�B���ɁA�o�b�t�@�T�C�Y�t�B�[���h�Ŏw�肳�ꂽ�������ʂ��ʂɊ��蓖�Ă邱�Ƃ� "�������s��(out of memory)" �̏�Ԃ��N�����\�������邽�߁A�s���Ă͂Ȃ�Ȃ�(MUST NOT)�B�傫�߂���u���b�N�����o������M�҂͐ڑ������ׂ��ł���(SHOULD)�B
Many mechanisms are subject to various passive attacks, including simple eavesdropping of unprotected credential information as well as online and offline dictionary attacks of protected credential information. �����̃��J�j�Y���́A�ی삳�ꂽ�ؖ������ɑ���I�����C���y�уI�t���C���ł̎����U���ɉ����A�ی삳��Ă��Ȃ��ؖ������̒P���ȓ����ȂǁA���܂��܂ȎI�U�����₷���B
The secure or administratively permitted lifetimes of SASL mechanisms' security layers are finite. Cryptographic keys weaken as they are used and as time passes; the more time and/or cipher-text that a cryptanalyst has after the first use of the a key, the easier it is for the cryptanalyst to mount attacks on the key. SASL ���J�j�Y���̃Z�L�����e�B���C���́A���S�Ȃ܂��͊Ǘ��㋖�����L�����Ԃ͗L���ł���B�g�p�����ɂ�āA�܂����Ԃ��o�߂���ɂ�āA�Í����͎キ�Ȃ�B���̂��ߌ����ŏ��Ɏg�p����Ă��玞�Ԃ��o�قǁA�܂��Í��e�L�X�g�����ĂΎ��قǁA�Í���ǎ҂��U������������̂͗e�ՂɂȂ�B
Administrative limits on a security layer's lifetime may take the form of time limits expressed in X.509 certificates, in Kerberos V tickets, or in directories, and are often desired. In practice, one likely effect of administrative lifetime limits is that applications may find that security layers stop working in the middle of application protocol operation, such as, perhaps, during large data transfers. As the result of this, the connection will be closed (see Section 3.7), which will result in an unpleasant user experience. �Z�L�����e�B���C���̊Ǘ���̗L�������́AX.509 �ؖ����EKerberos V �`�P�b�g�E�f�B���N�g���̉��ꂩ�ŕ\���ꂽ�`������邱�Ƃ�������Ă���A�������ꂪ�]�܂����B���ۖ��Ƃ��ĊǗ���̗L���������^������e���Ƃ��ẮA�Ⴆ�Α傫�ȃf�[�^�̓]���̂悤�ȃA�v���P�[�V�����v���g�R���̑��쒆�ɁA�Z�L�����e�B���C���̌��ʂ����������Ƃ��A�v���P�[�V������������\��������B���̌��ʂƂ��Đڑ��͕����(�Z�N�V���� 3.7 �Q��)�A���[�U�[�ɕs�����Ȏv���������Ă��܂����낤�B
Re-keying (key renegotiation process) is a way of addressing the weakening of cryptographic keys. The SASL framework does not itself provide for re-keying; SASL mechanisms may. Designers of future SASL mechanisms should consider providing re-keying services. �Č���(���̍Č��̎葱��)�́A�Í������キ�Ȃ�̂���������ЂƂ̕��@�ł���BSASL �t���[�����[�N���g�͍Ō�������Ȃ����ASASL ���J�j�Y���͂������Ă��悢�B����� SASL ���J�j�Y���̐v�҂́A�Ō����̒��l������ׂ��ł���B
Implementations that wish to re-key SASL security layers where the mechanism does not provide for re-keying SHOULD reauthenticate the same IDs and replace the expired or soon-to-expire security layers. This approach requires support for reauthentication in the application protocols (see Section 3.8). ���J�j�Y�����Ō�������Ă��Ȃ��Ƃ��� SASL �Z�L�����e�B���C���̍Č�����]�ގ����́A���� ID ���ēx�F���A������܂��͂������������̐��Z�L�����e�B���C����u��������ׂ��ł���(SHOULD)�B���̎�@�́A�A�v���P�[�V�����v���g�R���ɂ�����ĔF�̃T�|�[�g��K�v�Ƃ���(�Z�N�V���� 3.8 �Q��)�B
Protocol designers and implementors should understand the security considerations of mechanisms so they may select mechanisms that are applicable to their needs. �v���g�R���̐v�ҋy�ю����҂́A���������̗v���Ɍ��������J�j�Y����I���ł���悤�ɁA���J�j�Y���̃Z�L�����e�B�l�@�𗝉�����ׂ��ł���B
Distributed server implementations need to be careful in how they trust other parties. In particular, authentication secrets should only be disclosed to other parties that are trusted to manage and use those secrets in a manner acceptable to the party. Applications using SASL assume that SASL security layers providing data confidentiality are secure even when an attacker chooses the text to be protected by the security layer. Similarly, applications assume that the SASL security layer is secure even if the attacker can manipulate the cipher-text output of the security layer. New SASL mechanisms are expected to meet these assumptions. ���U���ꂽ�T�[�o�[�����́A���̎Q���҂�M��������@�ɐT�d�ł���K�v������B���ɔF�؋@���́A���J���鑤�����������@�ł����̋@�����Ǘ��E�g�p���Ă���ƐM�p�ł��鑊��ɂ̂��J����ׂ��ł���BSASL �𗘗p����A�v���P�[�V�����́A���Ƃ��U���҂��Z�L�����e�B���C���ɂ���ĕی삳��邽�߂Ƀe�L�X�g�𒊏o�����ꍇ�ł����Ă��A�f�[�^�̋@��������Ă��� SASL �Z�L�����e�B���C�������S�ł���Ɖ��肷��B���l�ɃA�v���P�[�V�����́A���Ƃ��Z�L�����e�B���C���ւ̈Í������ꂽ�e�L�X�g�o�͂��U���҂����삵���Ƃ��Ă��ASASL �Z�L�����e�B���C�������S�ł���Ɖ��肷��B�V���� SASL ���J�j�Y���͂����̉���������Ƃ����҂����B
Unicode security considerations [UTR36] apply to authorization identity strings, as well as UTF-8 [RFC3629] security considerations where UTF-8 is used. SASLprep [RFC4013] and StringPrep [RFC3454] security considerations also apply where used. �F�A�C�f���e�B�e�B������ɂ̓��j�R�[�h�̃Z�L�����e�B�l�@[UTR36]���K�p�����̂ɉ����āAUTF-8 ���g�p�����ꍇ�ɂ� UTF-8 [RFC3629] �̃Z�L�����e�B�l�@���K�p�����B�܂� SASLprep [RFC4013] �y�� StringPrep [RFC3454]���g�p�����ꍇ�ɂ́A�����̃Z�L�����e�B�l�@���K�p�����B
The SASL mechanism registry is maintained by IANA. The registry is currently available at <http://www.iana.org/assignments/sasl- mechanisms>. SASL ���J�j�Y���̓o�^�� IANA �ɂ���ĕێ炳���B���̃��W�X�g���͌��� <http://www.iana.org/assignments/sasl-mechanisms> �������ł���B
The purpose of this registry is not only to ensure uniqueness of values used to name SASL mechanisms, but also to provide a definitive reference to technical specifications detailing each SASL mechanism available for use on the Internet. ���̃��W�X�g���̖ړI�́ASASL ���J�j�Y���̖����Ɏg�p�����l�̈�Ӑ���ۏ��邱�Ƃ����ł͂Ȃ��A�C���^�[�l�b�g��ŗ��p�\�Ȋe SASL ���J�j�Y�����ڍׂɋL�q���Ă���Z�p�d�l�ւ́A�ł��M���̂����郊�t�@�����X����邱�Ƃ��ł���B
There is no naming convention for SASL mechanisms; any name that conforms to the syntax of a SASL mechanism name can be registered. SASL ���J�j�Y���̖����K���͑��݂��Ȃ��BSASL ���J�j�Y�����̂̕��@�ɂ��������C�ӂ̖��O��o�^�\�ł���B
The procedure detailed in Section 7.1.1 is to be used for registration of a value naming a specific individual mechanism. �Z�N�V���� 7.1.1 �ɏڂ����q�ׂ��Ă���̂́A����̃��J�j�Y����\���l��o�^����ۂɎg�p�����菇�ł���B
The procedure detailed in Section 7.1.2 is to be used for registration of a value naming a family of related mechanisms. �Z�N�V���� 7.1.2 �ɏڂ����q�ׂ��Ă���̂́A�֘A���郁�J�j�Y���t�@�~����\���l��o�^����ۂɎg�p�����菇�ł���B
Comments may be included in the registry as discussed in Section 7.1.3 and may be changed as discussed in Section 7.1.4. �Z�N�V���� 7.1.3 �ŋc�_����Ă���悤�ɁA���W�X�g���ɂ̓R�����g���܂߂邱�Ƃ��ł���B�܂��Z�N�V���� 7.1.4 �ŋc�_����Ă���悤�ɁA���̃R�����g��ύX���邱�Ƃ��ł���B
The SASL mechanism registry has been updated to reflect that this document provides the definitive technical specification for SASL and that this section provides the registration procedures for this registry. ���̕����� SASL �̂����Ƃ��m���ȋZ�p�g�p����Ă��邱�ƁA�����Ă��̃Z�N�V���������W�X�g���ւ̓o�^�葱������Ă��邱�Ƃf���邽�߂ɁASASL ���J�j�Y���̃��W�X�g���͍X�V����Ă���B
IANA will register new SASL mechanism names on a First Come First Served basis, as defined in BCP 26 [RFC2434]. IANA has the right to reject obviously bogus registration requests, but will perform no review of claims made in the registration form. BCP 26 [RFC2434]�Œ�`����Ă���ʂ�AIANA �͐V���� SASL ���J�j�Y�����̂�撅���œo�^����BIANA �͖��炩�ɋU��̓o�^�v�������ۂ��錠���������A�o�^�t�H�[���ɂ�����咣���]���邱�Ƃ͂Ȃ��B
Registration of a SASL mechanism is requested by filling in the following template: SASL ���J�j�Y���̓o�^��v������ɂ́A�܂��ȉ��̃e���v���[�g�߂�F
Subject: Registration of SASL mechanism X
(�����FSASL ���J�j�Y�� X �̓o�^)
SASL mechanism name (or prefix for the family):
(SASL ���J�j�Y������(�܂��̓t�@�~���̃v���t�B�N�X)�F)
Security considerations:
(�Z�L�����e�B�l�@�F)
Published specification (recommended):
(���J�������d�l(����)�F)
Person & email address to contact for further information:
(�ڍ��̑����ƂȂ�l�ƃ��[���A�h���X�F)
Intended usage: (One of COMMON, LIMITED USE, or OBSOLETE)
(�g�p�ړI�F(COMMON�ALIMITED USE�AOBSOLETE �̂ǂꂩ))
Owner/Change controller:
(���L��/�X�V�S����)
Note: (Any other information that the author deems relevant may be
added here.)
(���L�F�N���҂��K�ƍl����C�ӂ̒lj����)
and sending it via electronic mail to IANA at <[email protected]>. �����Ă����d�q���[���� IANA <[email protected]> �ɑ��M����B
While this registration procedure does not require expert review, authors of SASL mechanisms are encouraged to seek community review and comment whenever that is feasible. Authors may seek community review by posting a specification of their proposed mechanism as an Internet-Draft. SASL mechanisms intended for widespread use should be standardized through the normal IETF process, when appropriate. ���̓o�^�葱���ɐ��Ƃ̃��r���[�͕K�v�Ȃ����ASASL ���J�j�Y���̒��҂́A�\�ȏꍇ�ɂ͂��ł��R�~���j�e�B�ɂ�郌�r���[�ƃR�����g�Ƃ����߂邱�Ƃ����������B��Ă��郁�J�j�Y���̎d�l���C���^�[�l�b�g�h���t�g�Ƃ��ē��e���邱�ƂŃR�~���j�e�B�̃��r���[�����߂Ă��悢�B�L�͈͂Ɏg�p����邱�Ƃ�ړI�Ƃ��� SASL ���J�j�Y���́A�K�ł���Βʏ�� IETF �v���Z�X��ʂ��ĕW���������ׂ��ł���B
As noted above, there is no general naming convention for SASL mechanisms. However, specifications may reserve a portion of the SASL mechanism namespace for a set of related SASL mechanisms, a "family" of SASL mechanisms. Each family of SASL mechanisms is identified by a unique prefix, such as X-. Registration of new SASL mechanism family names requires expert review as defined in BCP 26 [RFC2434]. �O�q�̒ʂ�ASASL ���J�j�Y���̈�ʓI�Ȗ����K���͑��݂��Ȃ��B�������Ȃ���A�֘A���� SASL ���J�j�Y���̏W��(SASL ���J�j�Y���� "�t�@�~��(family)")�̂��߂ɁASASL ���J�j�Y���̖��O��Ԃ�\�邱�Ƃ�������Ă���BSASL ���J�j�Y���̊e�t�@�~���́A���j�[�N�ȃv���t�B�N�X(�Ⴆ�� X-)�Ŏ��ʂ����B�V���� SASL ���J�j�Y���t�@�~�����̓o�^�́ABCP 26 [RFC2434]�Œ�`����Ă�����Ƃ̃��r���[��K�v�Ƃ���B
Registration of a SASL family name is requested by filling in the following template: SASL �t�@�~�����̓o�^��v������ɂ́A�܂��ȉ��̃e���v���[�g�߂�F
Subject: Registration of SASL mechanism family X
(�����FSASL ���J�j�Y���t�@�~�� X �̓o�^)
SASL family name (or prefix for the family):
(SASL �t�@�~����(�܂��̓t�@�~���̃v���t�B�N�X)�F)
Security considerations:
(�Z�L�����e�B�l�@�F)
Published specification (recommended):
(���J�������d�l(����)�F)
Person & email address to contact for further information:
(�ڍ��̑����ƂȂ�l�ƃ��[���A�h���X�F)
Intended usage: (One of COMMON, LIMITED USE, or OBSOLETE)
(�g�p�ړI�F(COMMON�ALIMITED USE�AOBSOLETE �̂ǂꂩ))
Owner/Change controller:
(���L��/�X�V�S����)
Note: (Any other information that the author deems relevant may be
added here.)
(���L�F�N���҂��K�ƍl����C�ӂ̒lj����)
and sending it via electronic mail to the IETF SASL mailing list at <[email protected]> and carbon copying IANA at <[email protected]>. After allowing two weeks for community input on the IETF SASL mailing list, the expert will determine the appropriateness of the registration request and either approve or disapprove the request with notice to the requestor, the mailing list, and IANA. �����Ă����d�q���[���� IETF SASL ���[�����O���X�g <[email protected]> ���ĂɁA�J�[�{���R�s�[�� IANA <[email protected]> ���Ăɑ��M����BIETF SASL ���[�����O���X�g��ŃR�~���j�e�B����̓��e�ɓ�T�Ԃ��|������A���Ƃ����̓o�^�v���̑Ó����f���A�v���ҁE���[�����O���X�g�EIANA �ɂ��̗v���̉ۂ�`����B
The review should focus on the appropriateness of the requested family name for the proposed use and the appropriateness of the proposed naming and registration plan for existing and future mechanism names in the family. The scope of this request review may entail consideration of relevant aspects of any provided technical specification, such as their IANA Considerations section. However, this review is narrowly focused on the appropriateness of the requested registration and not on the overall soundness of any provided technical specification. ���̃��r���[�ł́A��Ă��ꂽ�g�p�@�ɑ���v�����ꂽ�t�@�~�����̑Ó����ƁA���̃t�@�~���Ɋ܂܂������܂��͏����̃��J�j�Y�����̓o�^�E�����̌v��̑Ó����Ƃɒ��ڂ���ׂ��ł���B���̗v�����r���[�͈̔͂ɂ́A���ꂽ�d�l�̊֘A����(�Ⴆ�� IANA �l�@�Z�N�V�����Ȃ�)�̍l�@���܂܂�Ă��悢�B�������Ȃ��炱�̃��r���[�͗v�����ꂽ�o�L���e�̑Ó����ɒ��ڂ�����̂ł���A���ꂽ�Z�p�d�l�S�̂̐��퐫�ɂ͒��ڂ��Ȃ��B
Authors are encouraged to pursue community review by posting the technical specification as an Internet-Draft and soliciting comment by posting to appropriate IETF mailing lists. ���҂́A�C���^�[�l�b�g�h���t�g�Ƃ��ċZ�p�d�l�𓊍e���A�K�� IETF ���[�����O���X�g�ɃR�����g�����߂铊�e���s�����ƂŁA�R�~���j�e�B�̃��r���[�����߂邱�Ƃ����������B
Comments on a registered SASL mechanism/family should first be sent to the "owner" of the mechanism/family and/or to the <ietf- [email protected]> mailing list. �o�^�ς݂� SASL ���J�j�Y��/�t�@�~���Ɋւ���R�����g�́A�܂��ŏ��ɂ��̃��J�j�Y��/�t�@�~���� "���L��(owner)" �ƃ��[�����O���X�g <[email protected]> �ƂցA�܂��͂��̂ǂ��炩�ւƑ��M�����ׂ��ł���B
Submitters of comments may, after a reasonable attempt to contact the owner, request IANA to attach their comment to the SASL mechanism registration itself by sending mail to <[email protected]>. At IANA's sole discretion, IANA may attach the comment to the SASL mechanism's registration. ���e�҂͏��L�҂ւ̘A����Ó��Ȏ�i�Ŏ��݂���A<[email protected]> �Ƀ��[���𑗂邱�ƂŁA���� SASL ���J�j�Y���̃��W�X�g�����̂ɃR�����g��Y�t����悤�� IANA �ɗv�����邱�Ƃ��ł���BIANA �Ǝ��̍ٗʂŁAIANA �� SASL ���J�j�Y���̃��W�X�g���ɂ��̃R�����g��Y�t���邱�Ƃ��ł���B
Once a SASL mechanism registration has been published by IANA, the author may request a change to its definition. The change request follows the same procedure as the registration request. SASL ���J�j�Y���̓o�^�� IANA �ɂ���Ĉ�U���J�����ƁA���̃��J�j�Y���̒��҂͒�`�̕ύX��v�����邱�Ƃ��ł���B�ύX�̗v���͓o�^�̗v���Ɠ����葱���ɂ��������B
The owner of a SASL mechanism may pass responsibility for the SASL mechanism to another person or agency by informing IANA; this can be done without discussion or review. SASL ���J�j�Y���̏��L�҂́AIANA �ɒʒm���邱�Ƃł��� SASL ���J�j�Y���ɑ���Ӗ���ʂ̐l���A�܂��͑㗝�l�ɓn�����Ƃ��ł���B����ɂ͋c�_��r���[�͕s�v�ł���B
The IESG may reassign responsibility for a SASL mechanism. The most common case of this will be to enable changes to be made to mechanisms where the author of the registration has died, has moved out of contact, or is otherwise unable to make changes that are important to the community. IESG �� SASL ���J�j�Y���̐Ӗ���]�C�����邱�Ƃ��ł���B�����Ƃ���ʓI�ȃP�[�X�́A���J�j�Y���̓o�^�҂����S�����ꍇ��A�������Ȃ��Ȃ����ꍇ�ȂǁA����ȊO�̕��@�ł̓R�~���j�e�B�ɂƂ��ďd�v�ȕύX���s���Ȃ��ꍇ�ł���B
SASL mechanism registrations may not be deleted; mechanisms that are no longer believed appropriate for use can be declared OBSOLETE by a change to their "intended usage" field; such SASL mechanisms will be clearly marked in the lists published by IANA. �o�^���ꂽ SASL ���J�j�Y�����폜���邱�Ƃ͋�����Ȃ��B�g�p����̂��K�ł͂Ȃ��Ȃ����ƍl�����郁�J�j�Y���́A���� "�g�p�ړI(intended usage)" �� OBSOLETE �ɕύX���邱�Ƃ��ł���B���̂悤�ȃ��J�j�Y���́AIANA �ɂ���Č��J����郊�X�g�̒��Ŗ��m�Ɏ�����邾�낤�B
The IESG is considered to be the owner of all SASL mechanisms that are on the IETF standards track. IESG �́AIETF �̃X�^���_�[�h�g���b�N�ɍڂ����Ă���S�Ă� SASL ���J�j�Y���̏��L�҂Ƃ݂Ȃ����B
The IANA has updated the SASL mechanisms registry as follows: IANA �� SASL ���J�j�Y���̓o�L�����̂悤�ɍX�V�����F
Subject: Updated Registration of SASL mechanism EXTERNAL
Family of SASL mechanisms: NO
SASL mechanism name: EXTERNAL
Security considerations: See A.3 of RFC 4422
Published specification (optional, recommended): RFC 4422
Person & email address to contact for further information:
Alexey Melnikov <[email protected]>
Intended usage: COMMON
Owner/Change controller: IESG <[email protected]>
Note: Updates existing entry for EXTERNAL
This document is a revision of RFC 2222 written by John Myers. ���̕����� John Myers �ɂ�� RFC 2222 �̉����łł���B
This revision is a product of the IETF Simple Authentication and Security Layer (SASL) Working Group. ���̉����ł� IETF Simple Authentication and Security Layer (SASL) Working Group �ɂ����̂ł���B
The following individuals contributed significantly to this revision:
Abhijit Menon-Sen, Hallvard Furuseth, Jeffrey Hutzelman, John Myers,
Luke Howard, Magnus Nystrom, Nicolas Williams, Peter Saint-Andre, RL
'Bob' Morgan, Rob Siemborski, Sam Hartman, Simon Josefsson, Tim
Alsop, and Tony Hansen.
���̉���ɏd�v�ȍv�������Ă��ꂽ�l�͈ȉ��̒ʂ�F
Abhijit Menon-Sen, Hallvard Furuseth, Jeffrey Hutzelman, John Myers, Luke Howard, Magnus Nystrom, Nicolas Williams, Peter Saint-Andre, RL 'Bob' Morgan, Rob Siemborski, Sam Hartman, Simon Josefsson, Tim Alsop, Tony Hansen
This appendix is normative. ���̕t�^�͕W�����߂Ă���B
The EXTERNAL mechanism allows a client to request the server to use credentials established by means external to the mechanism to authenticate the client. The external means may be, for instance, IP Security [RFC4301] or TLS [RFC4346] services. In absence of some a priori agreement between the client and the server, the client cannot make any assumption as to what external means the server has used to obtain the client's credentials, nor make an assumption as to the form of credentials. For example, the client cannot assume that the server will use the credentials the client has established via TLS. �N���C�A���g�� EXTERNAL ���J�j�Y���𗘗p���邱�ƂŁA���J�j�Y���O���̎�i�ɂ���Ċm�����ꂽ�ؖ������g���ăN���C�A���g��F����悤�ɃT�[�o�[�ɗv���ł���B�O���̎�i�Ƃ́A�Ⴆ�� IP Security [RFC4301] �� TLS [RFC4346] �ł���B�N���C�A���g�ƃT�[�o�[�Ƃ̊Ԃɉ��炩�̎��O�̍��ӂ��Ȃ�������A�N���C�A���g�́A�N���C�A���g�̏ؖ������擾���邽�߂ɃT�[�o�[���g�p�����O���̎�i�����ł��邩�𐄑����邱�Ƃ͂ł��Ȃ����A�ؖ����̏����𐄑����邱�Ƃ��ł��Ȃ��B�N���C�A���g�́A�Ⴆ�� TLS ��ʂ��Ċm�����ꂽ�ؖ������T�[�o�[���g�p���邾�낤�Ɖ��肷�邱�Ƃ͂ł��Ȃ��B
The name of this mechanism is "EXTERNAL". ���̃��J�j�Y���̖��̂� "EXTERNAL" �ł���B
The mechanism does not provide a security layer. ���̃��J�j�Y���̓Z�L�����e�B���C������Ȃ��B
The mechanism is capable of transferring an authorization identity string. If empty, the client is requesting to act as the identity the server has associated with the client's credentials. If non- empty, the client is requesting to act as the identity represented by the string. ���̃��J�j�Y���͔F�A�C�f���e�B�e�B������𑗐M����\�͂����B�F�A�C�f���e�B�e�B������̏ꍇ�A�T�[�o�[�����̃N���C�A���g�̏ؖ����Ɋ֘A�t���Ă���A�C�f���e�B�e�B�Ƃ��ĐU�镑�����Ƃ��N���C�A���g�͗v�����Ă���B��łȂ��ꍇ�A���̕�����ŕ\�����A�C�f���e�B�e�B�Ƃ��ĐU�镑�����Ƃ��N���C�A���g�͗v�����Ă���B
The client is expected to send data first in the authentication exchange. Where the client does not provide an initial response data in its request to initiate the authentication exchange, the server is to respond to the request with an empty initial challenge and then the client is to provide its initial response. �N���C�A���g�͔F�،����ɂ����čŏ��Ƀf�[�^�𑗐M���邱�Ƃ����҂����B�F�،������J�n���郊�N�G�X�g�̒��ŃN���C�A���g���������X�|���X����Ȃ������ꍇ�A�T�[�o�[�͂��̃��N�G�X�g�̉����ɋ�̏����`�������W��Ԃ��A�N���C�A���g�͂���ɑ��ď������X�|���X�����B
The client sends the initial response containing the UTF-8 [RFC3629] encoding of the requested authorization identity string. This response is non-empty when the client is requesting to act as the identity represented by the (non-empty) string. This response is empty when the client is requesting to act as the identity the server associated with its authentication credentials. �N���C�A���g�����M���鏉�����X�|���X�ɂ� UTF-8 [RFC3629] �ŃG���R�[�h���ꂽ�F�A�C�f���e�B�e�B�����܂܂��B(��ł͂Ȃ�)������ɂ���ĕ\���ꂽ�A�C�f���e�B�e�B�Ƃ��ĐU�镑�����Ƃ��N���C�A���g���v������ꍇ�A���̃��X�|���X�͋�ł͂Ȃ��B�N���C�A���g�̔F�؏ؖ����ɃT�[�o�[���֘A�t���Ă���A�C�f���e�B�e�B�Ƃ��ĐU�镑�����Ƃ��N���C�A���g���v������ꍇ�A���̃��X�|���X�͋�ł���B
The syntax of the initial response is specified as a value of the <extern-initial-resp> production detailed below using the Augmented Backus-Naur Form (ABNF) [RFC4234] notation. �������X�|���X�̕��@�́A�g���o�b�J�X�L�@(ABNF) [RFC4234] ���g�p�����ȉ��� <extern-initial-resp> �̒l�Ƃ��ċK�肳���B
external-initial-resp = authz-id-string
authz-id-string = *( UTF8-char-no-nul )
UTF8-char-no-nul = UTF8-1-no-nul / UTF8-2 / UTF8-3 / UTF8-4
UTF8-1-no-nul = %x01-7F
where the <UTF8-2>, <UTF8-3>, and <UTF8-4> productions are as defined in [RFC3629]. <UTF8-2>�E<UTF8-3>�E<UTF8-4> �́A[RFC3629] �Œ�`����Ă���B
There are no additional challenges and responses. �lj��̃`�������W�E���X�|���X�͂Ȃ��B
Hence, the server is to return the outcome of the authentication exchange. ���������ăT�[�o�[�́A���̌�ɔF�،����̌��ʂ�Ԃ����ƂɂȂ�B
The exchange fails if �ȉ��̏ꍇ�A�����͎��s����B
Otherwise the exchange is successful. When indicating a successful outcome, additional data is not provided. �����łȂ���ΔF�،����͐�������B���ʂ������ł���A�lj��f�[�^�͒���Ȃ��B
This section provides examples of EXTERNAL authentication exchanges. The examples are intended to help the readers understand the above text. The examples are not definitive. The Application Configuration Access Protocol (ACAP) [RFC2244] is used in the examples. ���̃Z�N�V�����ł� EXTERNAL ���J�j�Y���̔F�،����̗�����B�����̗�͓ǎ҂�����܂ł̓��e�𗝉�����菕���ƂȂ邱�Ƃ�ړI�Ƃ����̂ł���A�ł��M���̂�������̂Ƃ����킯�ł͂Ȃ��B��̒��ŁAApplication Configuration Access Protocol (ACAP) [RFC2244] ���g�p���Ă���B
The first example shows use of EXTERNAL with an empty authorization identity. In this example, the initial response is not sent in the client's request to initiate the authentication exchange. �ŏ��̗�́A��̔F�A�C�f���e�B�e�B�Ƌ��� EXTERNAL ���J�j�Y�����g�p����P�[�X�ł���B���̗�ł́A�F�،������J�n����N���C�A���g�̗v���̒��ŏ������X�|���X�͑��M����Ă��Ȃ��B
S: * ACAP (SASL "DIGEST-MD5")
C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
C: a002 AUTHENTICATE "EXTERNAL"
S: + ""
C: + ""
S: a002 OK "Authenticated"
S: * ACAP (SASL "DIGEST-MD5")
C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now"
<TLS ���A�lj��̖��߂� TLS ���C���̉��ōs����>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
C: a002 AUTHENTICATE "EXTERNAL"
S: + ""
C: + ""
S: a002 OK "Authenticated"
The second example shows use of EXTERNAL with an authorization identity of "[email protected]". In this example, the initial response is sent with the client's request to initiate the authentication exchange. This saves a round-trip. ��Ԗڂ̗�́A"[email protected]" �Ƃ����F�A�C�f���e�B�e�B�Ƌ��� EXTERNAL ���J�j�Y�����g�p����P�[�X�ł���B���̗�ł́A�F�،������J�n����N���C�A���g�̃��N�G�X�g���������X�|���X���đ��M����Ă���A����ɂ���Ă���肪�ꉝ���ȗ�����Ă���B
S: * ACAP (SASL "DIGEST-MD5")
C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
C: a002 AUTHENTICATE "EXTERNAL" {16+}
C: [email protected]
S: a002 NO "Cannot assume requested authorization identity"
S: * ACAP (SASL "DIGEST-MD5")
C: a001 STARTTLS
S: a001 OK "Begin TLS negotiation now"
<TLS ���A�lj��̖��߂� TLS ���C���̉��ōs����>
S: * ACAP (SASL "DIGEST-MD5" "EXTERNAL")
C: a002 AUTHENTICATE "EXTERNAL" {16+}
C: [email protected]
S: a002 NO "Cannot assume requested authorization identity"
The EXTERNAL mechanism provides no security protection; it is vulnerable to spoofing by either client or server, active attack, and eavesdropping. It should only be used when adequate security services have been established. EXTERNAL ���J�j�Y���̓Z�L�����e�B�ی����Ȃ����߁A�N���C�A���g�܂��̓T�[�o�[�ɂ��Ȃ肷�܂���A�\���I�U���A�����ɑ��ĐƎ�ł���B���̃��J�j�Y���͓K�ȃZ�L�����e�B�T�[�r�X���m���ς݂̏ꍇ�ɂ̂ݎg�p�����ׂ��ł���B
This appendix is non-normative. ���̕t�^�͕W�����߂���̂ł͂Ȃ��B
The material in RFC 2222 was significantly rewritten in the production of this document. ���̕����� RFC 2222 �̑�ނ�傫�����������Ă���B
RFC 2222, by not stating that the authorization identity string was a string of Unicode characters, let alone character data, implied that the authorization identity string was a string of octets. RFC 2222 �́A�F�A�C�f���e�B�e�B�������j�R�[�h�����ł���ƋL�q���Ȃ��̂͂������A�����f�[�^�ł���Ƃ��L�q���Ȃ����ƂŁA�F�A�C�f���e�B�e�B�����P�Ȃ�I�N�e�b�g������ł��邱�Ƃ��Î����Ă����B
The following technical change was made to the EXTERNAL mechanism: EXTERNAL ���J�j�Y���ɑ��Ĉȉ��̕ύX���s��ꂽ�F
Note that protocol and mechanism specification requirements have been significantly tightened. Existing protocol and mechanism specifications will need to be updated to meet these requirements. �v���g�R���d�l�y�у��J�j�Y���d�l�ɑ���v�����������Ȃ茵�����Ȃ������Ƃɒ��ӂ��Ăق����B�����̃v���g�R���d�l�ƃ��J�j�Y���d�l�́A�����̗v�������ɍ����悤�ɍX�V�����K�v�����邾�낤�B
Alexey Melnikov Isode Limited 5 Castle Business Village 36 Station Road Hampton, Middlesex, TW12 2BX, United Kingdom EMail: [email protected] URI: http://www.melnikov.ca/ Kurt D. Zeilenga OpenLDAP Foundation EMail: [email protected]
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at [email protected].
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). RFC �ҏW�҂̓����ɑ��鎑�����o�́AIETF Administrative Support Activity (IASA)�ɂ���Ē���Ă���B
�g�b�v�y�[�W - �|��h�L�������g - RFC 4422