ARMWARE RFC Archive <- RFC Index (4401..4500)

RFC 4467

Updated by RFC 5092, RFC 5550

Network Working Group                                         M. Crispin
Request for Comments: 4467                      University of Washington
Updates: 3501                                                   May 2006
Category: Standards Track

      Internet Message Access Protocol (IMAP) - URLAUTH Extension

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes the URLAUTH extension to the Internet Message
   Access Protocol (IMAP) (RFC 3501) and the IMAP URL Scheme (IMAPURL)
   (RFC 2192).  This extension provides a means by which an IMAP client
   can use URLs carrying authorization to access limited message data on
   the IMAP server.

   An IMAP server that supports this extension indicates this with a
   capability name of "URLAUTH".

1.  Introduction

   In [IMAPURL], a URL of the form imap://fred@example.com/INBOX/;uid=20
   requires authorization as userid "fred".  However, [IMAPURL] implies
   that it only supports authentication and confuses the concepts of
   authentication and authorization.

   The URLAUTH extension defines an authorization mechanism for IMAP
   URLs to replace [IMAPURL]'s authentication-only mechanism.  URLAUTH
   conveys authorization in the URL string itself and reuses a portion
   of the syntax of the [IMAPURL] authentication mechanism to convey the
   authorization identity (which also defines the default namespace in
   [IMAP]).

   The URLAUTH extension provides a means by which an authorized user of
   an IMAP server can create URLAUTH-authorized IMAP URLs.  A URLAUTH-
   authorized URL conveys authorization (not authentication) to the data

Crispin                     Standards Track                     [Page 1]



RFC 4467                IMAP - URLAUTH Extension                May 2006

   addressed by that URL.  This URL can be used in another IMAP session
   to access specific content on the IMAP server, without otherwise
   providing authorization to any other data (such as other data in the
   mailbox specified in the URL) owned by the authorizing user.

   Conceptually, a URLAUTH-authorized URL can be thought of as a "pawn
   ticket" that carries no authentication information and can be
   redeemed by whomever presents it.  However, unlike a pawn ticket,
   URLAUTH has optional mechanisms to restrict the usage of a URLAUTH-
   authorized URL.  Using these mechanisms, URLAUTH-authorized URLs can
   be usable by:

      . anonymous (the "pawn ticket" model)
      . authenticated users only
      . a specific authenticated user only
      . message submission acting on behalf of a specific user only

   There is also a mechanism for expiration.

   A URLAUTH-authorized URL can be used in the argument to the BURL
   command in message composition, as described in [BURL], for such
   purposes as allowing a client (with limited memory or other
   resources) to submit a message forward or to resend from an IMAP
   mailbox without requiring the client to fetch that message data.

   The URLAUTH is generated using an authorization mechanism name and an
   authorization token, which is generated using a secret mailbox access
   key.  An IMAP client can request that the server generate and assign
   a new mailbox access key (thus effectively revoking all current URLs
   using URLAUTH with the old mailbox access key) but cannot set the
   mailbox access key to a key of its own choosing.

1.1.  Conventions Used in this Document

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
   in this document are to be interpreted as defined in [KEYWORDS].

   The formal syntax uses the Augmented Backus-Naur Form (ABNF) notation
   including the core rules defined in Appendix A of [ABNF].

   In examples, "C:" and "S:" indicate lines sent by the client and
   server, respectively.  If a single "C:" or "S:" label applies to
   multiple lines, then the line breaks between those lines are for
   editorial clarity only and are not part of the actual protocol
   exchange.

Crispin                     Standards Track                     [Page 2]



RFC 4467                IMAP - URLAUTH Extension                May 2006

2.  Concepts

2.1.  URLAUTH

   The URLAUTH is a component, appended at the end of a URL, that
   conveys authorization to access the data addressed by that URL.  It
   contains an authorized access identifier, an authorization mechanism
   name, and an authorization token.  The authorization token is
   generated from the URL, the authorized access identifier, the
   authorization mechanism name, and a mailbox access key.

2.2.  Mailbox Access Key

   The mailbox access key is a random string with at least 128 bits of
   entropy.  It is generated by software (not by the human user) and
   MUST be unpredictable.

   Each user has a table of mailboxes and an associated mailbox access
   key for each mailbox.  Consequently, the mailbox access key is per-
   user and per-mailbox.  In other words, two users sharing the same
   mailbox each have a different mailbox access key for that mailbox,
   and each mailbox accessed by a single user also has a different
   mailbox access key.

2.3.  Authorized Access Identifier

   The authorized access identifier restricts use of the URLAUTH
   authorized URL to certain users authorized on the server, as
   described in section 3.

2.4.  Authorization Mechanism

   The authorization mechanism is the algorithm by which the URLAUTH is
   generated and subsequently verified, using the mailbox access key.

2.4.1.  INTERNAL Authorization Mechanism

   This specification defines the INTERNAL mechanism, which uses a token
   generation algorithm of the server's choosing and does not involve
   disclosure of the mailbox access key to the client.

      Note: The token generation algorithm chosen by the server
      implementation should be modern and reasonably secure.  At the
      time of the writing of this document, an [HMAC] such as HMAC-SHA1
      is recommended.

Crispin                     Standards Track                     [Page 3]



RFC 4467                IMAP - URLAUTH Extension                May 2006

      If it becomes necessary to change the token generation algorithm
      of the INTERNAL mechanism (e.g., because an attack against the
      current algorithm has been discovered), all currently existing
      URLAUTH-authorized URLs are invalidated by the change in
      algorithm.  Since this would be an unpleasant surprise to
      applications that depend upon the validity of a URLAUTH-authorized
      URL, and there is no good way to do a bulk update of existing
      deployed URLs, it is best to avoid this situation by using a
      secure algorithm as opposed to one that is "good enough".

      Server implementations SHOULD consider the possibility of changing
      the algorithm.  In some cases, it may be desirable to implement
      the change of algorithm in a way that newly-generated tokens use
      the new algorithm, but that for a limited period of time tokens
      using either the new or old algorithm can be validated.
      Consequently, the server SHOULD incorporate some means of
      identifying the token generation algorithm within the token.

   Although this specification is extensible for other mechanisms, none
   are defined in this document.  In addition to the mechanism name
   itself, other mechanisms may have mechanism-specific data, which is
   to be interpreted according to the definition of that mechanism.

2.5.  Authorization Token

   The authorization token is a deterministic string of at least 128
   bits that an entity with knowledge of the secret mailbox access key
   and URL authorization mechanism can use to verify the URL.

3.  IMAP URL Extensions

   [IMAPURL] is extended by allowing the addition of
   ";EXPIRE=<datetime>" and ";URLAUTH=<access>:<mech>:<token>" to IMAP
   URLs that refer to a specific message or message parts.

   The URLAUTH is comprised of ";URLAUTH=<access>:<mech>:<token>" and
   MUST be at the end of the URL.

   URLAUTH does not apply to, and MUST NOT be used with, any IMAP URL
   that refers to an entire IMAP server, a list of mailboxes, an entire
   IMAP mailbox, or IMAP search results.

   When ";EXPIRE=<datetime>" is used, this indicates the latest date and
   time that the URL is valid.  After that date and time, the URL has
   expired, and server implementations MUST reject the URL.  If
   ";EXPIRE=<datetime>" is not used, the URL has no expiration, but
   still can be revoked as discussed below.

Crispin                     Standards Track                     [Page 4]



RFC 4467                IMAP - URLAUTH Extension                May 2006

   The URLAUTH takes the form ";URLAUTH=<access>:<mech>:<token>".  It is
   composed of three parts.  The <access> portion provides the
   authorized access identifiers, which may constrain the operations and
   users that are permitted to use this URL.  The <mech> portion
   provides the authorization mechanism used by the IMAP server to
   generate the authorization token that follows.  The <token> portion
   provides the authorization token.

   The "submit+" access identifier prefix, followed by a userid,
   indicates that only a userid authorized as a message submission
   entity on behalf of the specified userid is permitted to use this
   URL.  The IMAP server does not validate the specified userid but does
   validate that the IMAP session has an authorization identity that is
   authorized as a message submission entity.  The authorized message
   submission entity MUST validate the userid prior to contacting the
   IMAP server.

   The "user+" access identifier prefix, followed by a userid, indicates
   that use of this URL is limited to IMAP sessions that are logged in
   as the specified userid (that is, have authorization identity as that
   userid).

      Note: If a SASL mechanism that provides both authorization and
      authentication identifiers is used to authenticate to the IMAP
      server, the "user+" access identifier MUST match the authorization
      identifier.

   The "authuser" access identifier indicates that use of this URL is
   limited to IMAP sessions that are logged in as an authorized user
   (that is, have authorization identity as an authorized user) of that
   IMAP server.  Use of this URL is prohibited to anonymous IMAP
   sessions.

   The "anonymous" access identifier indicates that use of this URL is
   not restricted by session authorization identity; that is, any IMAP
   session in authenticated or selected state (as defined in [IMAP]),
   including anonymous sessions, may issue a URLFETCH using this URL.

   The authorization token is represented as an ASCII-encoded
   hexadecimal string, which is used to authorize the URL.  The length
   and the calculation of the authorization token depends upon the
   mechanism used; but, in all cases, the authorization token is at
   least 128 bits (and therefore at least 32 hexadecimal digits).

Crispin                     Standards Track                     [Page 5]



RFC 4467                IMAP - URLAUTH Extension                May 2006

4.  Discussion of URLAUTH Authorization Issues

   In [IMAPURL], the userid before the "@" in the URL has two purposes:

      1) It provides context for user-specific mailbox paths such as
         "INBOX".

      2) It specifies that resolution of the URL requires logging in as
         that user and limits use of that URL to only that user.

   An obvious limitation of using the same field for both purposes is
   that the URL can only be resolved by the mailbox owner.

   URLAUTH overrides the second purpose of the userid in the IMAP URL
   and by default permits the URL to be resolved by any user permitted
   by the access identifier.

   The "user+<userid>" access identifier limits resolution of that URL
   to a particular userid, whereas the "submit+<userid>" access
   identifier is more general and simply requires that the session be
   authorized by a user that has been granted a "submit" role within the
   authentication system.  Use of either of these access identifiers
   makes it impossible for an attacker, spying on the session, to use
   the same URL, either directly or by submission to a message
   submission entity.

   The "authuser" and "anonymous" access identifiers do not have this
   level of protection and should be used with caution.  These access
   identifiers are primarily useful for public export of data from an
   IMAP server, without requiring that it be copied to a web or
   anonymous FTP server.  Refer to the Security Considerations for more
   details.

5.  Generation of URLAUTH-Authorized URLs

   A URLAUTH-authorized URL is generated from an initial URL as follows:

   An initial URL is built, ending with ";URLAUTH=<access>" but without
   the ":<mech>:<token>" components.  An authorization mechanism is
   selected and used to calculate the authorization token, with the
   initial URL as the data and a secret known to the IMAP server as the
   key.  The URLAUTH-authorized URL is generated by taking the initial
   URL and appending ":", the URL authorization mechanism name, ":", and
   the ASCII-encoded hexadecimal representation of the authorization
   token.

Crispin                     Standards Track                     [Page 6]



RFC 4467                IMAP - URLAUTH Extension                May 2006

      Note: ASCII-encoded hexadecimal is used instead of BASE64 because
      a BASE64 representation may have "=" padding characters, which
      would be problematic in a URL.

   In the INTERNAL mechanism, the mailbox access key for that mailbox is
   the secret known to the IMAP server, and a server-selected algorithm
   is used as described in section 2.4.1.

6.  Validation of URLAUTH-authorized URLs

   A URLAUTH-authorized URL is validated as follows:

   The URL is split at the ":" that separates "<access>" from
   "<mech>:<token>" in the ";URLAUTH=<access>:<mech>:<token>" portion of
   the URL.  The "<mech>:<token>" portion is first parsed and saved as
   the authorization mechanism and the authorization token.  The URL is
   truncated, discarding the ":" described above, to create a "rump URL"
   (the URL minus the ":" and the "<mech>:<token>" portion).  The rump
   URL is then analyzed to identify the mailbox.

   If the mailbox cannot be identified, an authorization token is
   calculated on the rump URL, using random "plausible" keys (selected
   by the server) as needed, before returning a validation failure.
   This prevents timing attacks aimed at identifying mailbox names.

   If the mailbox can be identified, the authorization token is
   calculated on the rump URL and a secret known to the IMAP server
   using the given URL authorization mechanism.  Validation is
   successful if, and only if, the calculated authorization token for
   that mechanism matches the authorization token supplied in
   ";URLAUTH=<access>:<mech>:<token>".

   Removal of the ":<mech>:<token>" portion of the URL MUST be the only
   operation applied to the URLAUTH-authorized URL to get the rump URL.
   In particular, URL percent escape decoding and case-folding
   (including to the domain part of the URL) MUST NOT occur.

   In the INTERNAL mechanism, the mailbox access key for that mailbox is
   used as the secret known to the IMAP server, and the same server-
   selected algorithm used for generating URLs is used to calculate the
   authorization token for verification.

Crispin                     Standards Track                     [Page 7]



RFC 4467                IMAP - URLAUTH Extension                May 2006

7.  Additional Commands

   These commands are extensions to the [IMAP] base protocol.

   The section headings of these commands are intended to correspond
   with where they would be located in the base protocol document if
   they were part of that document.

BASE.6.3.RESETKEY.  RESETKEY Command

   Arguments:  optional mailbox name
               optional mechanism name(s)

   Responses:  none other than in result

   Result:     OK - RESETKEY completed, URLMECH containing new data
               NO - RESETKEY error: can't change key of that mailbox
               BAD - command unknown or arguments invalid

   The RESETKEY command has two forms.

   The first form accepts a mailbox name as an argument and generates a
   new mailbox access key for the given mailbox in the user's mailbox
   access key table, replacing any previous mailbox access key (and
   revoking any URLs that were authorized with a URLAUTH using that key)
   in that table.  By default, the mailbox access key is generated for
   the INTERNAL mechanism; other mechanisms can be specified with the
   optional mechanism argument.

   The second form, with no arguments, removes all mailbox access keys
   in the user's mailbox access key table, revoking all URLs currently
   authorized using URLAUTH by the user.

   Any current IMAP session logged in as the user that has the mailbox
   selected will receive an untagged OK response with the URLMECH status
   response code (see section BASE.7.1.URLMECH for more details about
   the URLMECH status response code).

   Example:

      C: a31 RESETKEY
      S: a31 OK All keys removed
      C: a32 RESETKEY INBOX
      S: a32 OK [URLMECH INTERNAL] mechs
      C: a33 RESETKEY INBOX XSAMPLE
      S: a33 OK [URLMECH INTERNAL XSAMPLE=P34OKhO7VEkCbsiYY8rGEg==] done

Crispin                     Standards Track                     [Page 8]



RFC 4467                IMAP - URLAUTH Extension                May 2006

BASE.6.3.GENURLAUTH.  GENURLAUTH Command

      Argument:   one or more URL/mechanism pairs

      Response:   untagged response: GENURLAUTH

      Result:     OK - GENURLAUTH completed
                  NO - GENURLAUTH error: can't generate a URLAUTH
                  BAD - command unknown or arguments invalid

   The GENURLAUTH command requests that the server generate a URLAUTH-
   authorized URL for each of the given URLs using the given URL
   authorization mechanism.

   The server MUST validate each supplied URL as follows:

      (1) The mailbox component of the URL MUST refer to an existing
          mailbox.

      (2) The server component of the URL MUST contain a valid userid
          that identifies the owner of the mailbox access key table that
          will be used to generate the URLAUTH-authorized URL.  As a
          consequence, the iserver rule of [IMAPURL] is modified so that
          iuserauth is mandatory.

             Note: the server component of the URL is generally the
             logged in userid and server.  If not, then the logged in
             userid and server MUST have owner-type access to the
             mailbox access key table owned by the userid and server
             indicated by the server component of the URL.

      (3) There is a valid access identifier that, in the case of
          "submit+" and "user+", will contain a valid userid.  This
          userid is not necessarily the same as the owner userid
          described in (2).

      (4) The server MAY also verify that the iuid and/or isection
          components (if present) are valid.

   If any of the above checks fail, the server MUST return a tagged BAD
   response with the following exception.  If an invalid userid is
   supplied as the mailbox access key owner and/or as part of the access
   identifier, the server MAY issue a tagged OK response with a
   generated mailbox key that always fails validation when used with a
   URLFETCH command.  This exception prevents an attacker from
   validating userids.

Crispin                     Standards Track                     [Page 9]



RFC 4467                IMAP - URLAUTH Extension                May 2006

   If there is currently no mailbox access key for the given mailbox in
   the owner's mailbox access key table, one is automatically generated.
   That is, it is not necessary to use RESETKEY prior to first-time use
   of GENURLAUTH.

   If the command is successful, a GENURLAUTH response code is returned
   listing the requested URLs as URLAUTH-authorized URLs.

   Examples:

      C: a775 GENURLAUTH "imap://joe@example.com/INBOX/;uid=20/
         ;section=1.2" INTERNAL
      S: a775 BAD missing access identifier in supplied URL
      C: a776 GENURLAUTH "imap://example.com/Shared/;uid=20/
         ;section=1.2;urlauth=submit+fred" INTERNAL
      S: a776 BAD missing owner username in supplied URL
      C: a777 GENURLAUTH "imap://joe@example.com/INBOX/;uid=20/
         ;section=1.2;urlauth=submit+fred" INTERNAL
      S: * GENURLAUTH "imap://joe@example.com/INBOX/;uid=20/;section=1.2
         ;urlauth=submit+fred:internal:91354a473744909de610943775f92038"
      S: a777 OK GENURLAUTH completed

BASE.6.3.URLFETCH.  URLFETCH Command

      Argument:   one or more URLs

      Response:   untagged response: URLFETCH

      Result:     OK - urlfetch completed
                  NO - urlfetch failed due to server internal error
                  BAD - command unknown or arguments invalid

   The URLFETCH command requests that the server return the text data
   associated with the specified IMAP URLs, as described in [IMAPURL]
   and extended by this document.  The data is returned for all
   validated URLs, regardless of whether or not the session would
   otherwise be able to access the mailbox containing that data via
   SELECT or EXAMINE.

      Note: This command does not require that the URL refer to the
      selected mailbox; nor does it require that any mailbox be
      selected.  It also does not in any way interfere with any selected
      mailbox.

Crispin                     Standards Track                    [Page 10]



RFC 4467                IMAP - URLAUTH Extension                May 2006

   The URLFETCH command effectively executes with the access of the
   userid in the server component of the URL (which is generally the
   userid that issued the GENURLAUTH).  By itself, the URLAUTH does NOT
   grant access to the data; once validated, it grants whatever access
   to the data is held by the userid in the server component of the URL.
   That access may have changed since the GENURLAUTH was done.

   The URLFETCH command MUST return an untagged URLFETCH response and a
   tagged OK response to any URLFETCH command that is syntactically
   valid.  A NO response indicates a server internal failure that may be
   resolved on later retry.

      Note: The possibility of a NO response is to accommodate
      implementations that would otherwise have to issue an untagged BYE
      with a fatal error due to an inability to respond to a valid
      request.  In an ideal world, a server SHOULD NOT issue a NO
      response.

   The server MUST return NIL for any IMAP URL that references an entire
   IMAP server, a list of mailboxes, an entire IMAP mailbox, or IMAP
   search results.

   Example:

      Note: For clarity, this example uses the LOGIN command, which
      SHOULD NOT be used over a non-encrypted communication path.

      This example is of a submit server, obtaining a message segment
      for a message that it has already validated was submitted by
      "fred".

      S: * OK [CAPABILITY IMAP4REV1 URLAUTH] example.com IMAP server
      C: a001 LOGIN submitserver secret
      S: a001 OK submitserver logged in
      C: a002 URLFETCH "imap://joe@example.com/INBOX/;uid=20/
         ;section=1.2;urlauth=submit+fred:internal
         :91354a473744909de610943775f92038"
      S: * URLFETCH "imap://joe@example.com/INBOX/;uid=20/;section=1.2
         ;urlauth=submit+fred:internal
         :91354a473744909de610943775f92038" {28}
      S: Si vis pacem, para bellum.
      S:
      S: a002 OK URLFETCH completed

Crispin                     Standards Track                    [Page 11]



RFC 4467                IMAP - URLAUTH Extension                May 2006

8.  Additional Responses

   These responses are extensions to the [IMAP] base protocol.

   The section headings of these responses are intended to correspond
   with where they would be located in the base protocol document if
   they were part of that document.

BASE.7.1.URLMECH.  URLMECH Status Response Code

   The URLMECH status response code is followed by a list of URL
   authorization mechanism names.  Mechanism names other than INTERNAL
   may be appended with an "=" and BASE64-encoded form of mechanism-
   specific data.

   This status response code is returned in an untagged OK response in
   response to a RESETKEY, SELECT, or EXAMINE command.  In the case of
   the RESETKEY command, this status response code can be sent in the
   tagged OK response instead of requiring a separate untagged OK
   response.

   Example:

      C: a33 RESETKEY INBOX XSAMPLE
      S: a33 OK [URLMECH INTERNAL XSAMPLE=P34OKhO7VEkCbsiYY8rGEg==] done

   In this example, the server supports the INTERNAL mechanism and an
   experimental mechanism called XSAMPLE, which also holds some
   mechanism-specific data (the name "XSAMPLE" is for illustrative
   purposes only).

BASE.7.4.GENURLAUTH.   GENURLAUTH Response

   Contents:   One or more URLs

   The GENURLAUTH response returns the URLAUTH-authorized URL(s)
   requested by a GENURLAUTH command.

   Example:

      C: a777 GENURLAUTH "imap://joe@example.com/INBOX/;uid=20/
         ;section=1.2;urlauth=submit+fred" INTERNAL
      S: * GENURLAUTH "imap://joe@example.com/INBOX/;uid=20/;section=1.2
         ;urlauth=submit+fred:internal:91354a473744909de610943775f92038"
      S: a777 OK GENURLAUTH completed

Crispin                     Standards Track                    [Page 12]



RFC 4467                IMAP - URLAUTH Extension                May 2006

BASE.7.4.URLFETCH.  URLFETCH Response

   Contents:   One or more URL/nstring pairs

   The URLFETCH response returns the message text data associated with
   one or more IMAP URLs, as described in [IMAPURL] and extended by this
   document.  This response occurs as the result of a URLFETCH command.

   The returned data string is NIL if the URL is invalid for any reason
   (including validation failure).  If the URL is valid, but the IMAP
   fetch of the body part returned NIL (this should not happen), the
   returned data string should be the empty string ("") and not NIL.

      Note: This command does not require that the URL refer to the
      selected mailbox; nor does it require that any mailbox be
      selected.  It also does not in any way interfere with any selected
      mailbox.

   Example:

      C: a002 URLFETCH "imap://joe@example.com/INBOX/;uid=20/
         ;section=1.2;urlauth=submit+fred:internal
         :91354a473744909de610943775f92038"
      S: * URLFETCH "imap://joe@example.com/INBOX/;uid=20/;section=1.2
         ;urlauth=submit+fred:internal
         :91354a473744909de610943775f92038" {28}
      S: Si vis pacem, para bellum.
      S:
      S: a002 OK URLFETCH completed

9.  Formal Syntax

   The following syntax specification uses the Augmented Backus-Naur
   Form (ABNF) notation as specified in [ABNF].

   The following modifications are made to the Formal Syntax in [IMAP]:

resetkey        = "RESETKEY" [SP mailbox *(SP mechanism)]

capability      =/ "URLAUTH"

command-auth    =/ resetkey / genurlauth / urlfetch

resp-text-code  =/ "URLMECH" SP "INTERNAL" *(SP mechanism ["=" base64])

genurlauth      = "GENURLAUTH" 1*(SP url-rump SP mechanism)

genurlauth-data = "*" SP "GENURLAUTH" 1*(SP url-full)

Crispin                     Standards Track                    [Page 13]



RFC 4467                IMAP - URLAUTH Extension                May 2006

url-full        = astring
                     ; contains authimapurlfull as defined below

url-rump        = astring
                     ; contains authimapurlrump as defined below

urlfetch        = "URLFETCH" 1*(SP url-full)

urlfetch-data   = "*" SP "URLFETCH" 1*(SP url-full SP nstring)

   The following extensions are made to the Formal Syntax in [IMAPURL]:

authimapurl     = "imap://" enc-user [iauth] "@" hostport "/"
                     imessagepart
                     ; replaces "imapurl" and "iserver" rules for
                     ; URLAUTH authorized URLs

authimapurlfull = authimapurl iurlauth

authimapurlrump = authimapurl iurlauth-rump

enc-urlauth     = 32*HEXDIG

enc-user        = 1*achar
                     ; same as "enc_user" in RFC 2192

iurlauth        = iurlauth-rump ":" mechanism ":" enc-urlauth

iurlauth-rump   = [expire] ";URLAUTH=" access

access          = ("submit+" enc-user) / ("user+" enc-user) /
                    "authuser" / "anonymous"

expire          = ";EXPIRE=" date-time
                      ; date-time defined in [DATETIME]

mechanism       = "INTERNAL" / 1*(ALPHA / DIGIT / "-" / ".")
                     ; case-insensitive
                     ; new mechanisms MUST be registered with IANA

Crispin                     Standards Track                    [Page 14]



RFC 4467                IMAP - URLAUTH Extension                May 2006

10.  Security Considerations

   Security considerations are discussed throughout this memo.

   The mailbox access key SHOULD have at least 128 bits of entropy
   (refer to [RANDOM] for more details) and MUST be unpredictable.

   The server implementation of the INTERNAL mechanism SHOULD consider
   the possibility of needing to change the token generation algorithm,
   and SHOULD incorporate some means of identifying the token generation
   algorithm within the token.

   The URLMECH status response code may expose sensitive data in the
   mechanism-specific data for mechanisms other than INTERNAL.  A server
   implementation MUST implement a configuration that will not return a
   URLMECH status response code unless some mechanism is provided that
   protects the session from snooping, such as a TLS or SASL security
   layer that provides confidentiality protection.

   The calculation of an authorization token with a "plausible" key if
   the mailbox can not be identified is necessary to avoid attacks in
   which the server is probed to see if a particular mailbox exists on
   the server by measuring the amount of time taken to reject a known
   bad name versus some other name.

   To protect against a computational denial-of-service attack, a server
   MAY impose progressively longer delays on multiple URL requests that
   fail validation.

   The decision to use the "authuser" access identifier should be made
   with caution.  An "authuser" access identifier can be used by any
   authorized user of the IMAP server; therefore, use of this access
   identifier should be limited to content that may be disclosed to any
   authorized user of the IMAP server.

   The decision to use the "anonymous" access identifier should be made
   with extreme caution.  An "anonymous" access identifier can be used
   by anyone; therefore, use of this access identifier should be limited
   to content that may be disclosed to anyone.  Many IMAP servers do not
   permit anonymous access; in this case, the "anonymous" access
   identifier is equivalent to "authuser", but this MUST NOT be relied
   upon.

   Although this specification does not prohibit the theoretical
   capability to generate a URL with a server component other than the
   logged in userid and server, this capability should only be provided

Crispin                     Standards Track                    [Page 15]



RFC 4467                IMAP - URLAUTH Extension                May 2006

   when the logged in userid/server has been authorized as equivalent to
   the server component userid/server, or otherwise has access to that
   userid/server mailbox access key table.

11.  IANA Considerations

   This document constitutes registration of the URLAUTH capability in
   the imap4-capabilities registry.

   URLAUTH authorization mechanisms are registered by publishing a
   standards track or IESG-approved experimental RFC.  The registry is
   currently located at:

http://www.iana.org/assignments/urlauth-authorization-mechanism-registry

   This registry is case-insensitive.

   This document constitutes registration of the INTERNAL URLAUTH
   authorization mechanism.

   IMAP URLAUTH Authorization Mechanism Registry

      Mechanism Name           Reference
      --------------           ---------
      INTERNAL                 [RFC4467]

Crispin                     Standards Track                    [Page 16]



RFC 4467                IMAP - URLAUTH Extension                May 2006

12.  Normative References

   [ABNF]     Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 4234, October 2005.

   [BURL]     Newman, C., "Message Submission BURL Extension", RFC 4468,
              May 2006.

   [DATETIME] Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [IMAP]     Crispin, M., "Internet Message Access Protocol - Version
              4rev1", RFC 3501, March 2003.

   [IMAPURL]  Newman, C., "IMAP URL Scheme", RFC 2192, September 1997.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

13.  Informative References

   [HMAC]     Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104, February
              1997.

   [RANDOM]   Eastlake, D., 3rd, Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              June 2005.

Author's Address

   Mark R. Crispin
   Networks and Distributed Computing
   University of Washington
   4545 15th Avenue NE
   Seattle, WA  98105-4527

   Phone: (206) 543-5762
   EMail: MRC@CAC.Washington.EDU

Crispin                     Standards Track                    [Page 17]



RFC 4467                IMAP - URLAUTH Extension                May 2006

Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).

Crispin                     Standards Track                    [Page 18]