
Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication



Alexey Melnikov wrote:

>>> The multi-line response client to server confuses me.
>>> Which SASL mechanism needs this?

>> There's no multi-line response (unless I'm missing something).

> Indeed.
> There are mechanisms with multiple challenges/responses.

Let's see, I hope I got it now.  What really happens is this:

C: AUTH mech initial-response-if-allowed-for-mech
S: + challenge
C: response
S: + challenge
C: response
S: +OK you're logged in, mailbox locked, have fun

However the ABNF puts the complete part of the client into one
<auth-command> = "AUTH" mech [SP ir] *( CRLF [base64]) CRLF

My confusion was that I thought the client sends this complete
multi-line <auth-command> at once, without intervening server
challenges.

Maybe it's only me, then forget it.  Otherwise the ABNF has a
<continue-req> for the "+" SP [base64] CRLF from the server,
it could similarly also define a <continue-response>:

auth-command     = "AUTH" mech [initial-response] CRLF *(response)
initial-response = SP (base64 / "=")   ; a single "=" if empty
response         = [base64] CRLF       ; after server challenge

  [Abhijit Menon-Sen wrote:]
>> there's no very good way to express this in the ABNF

Yes, but maybe using an explicit <response> with a comment helps.

For Hector's multi-line observation I'm not sure what that was,
an implementor confused like me, or some kind of pipelining.


Frank
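
Added example, not part of the original message or of the draft it discusses: a Python check of the lock-step reading described above, in which every client <response> must answer one server "+ " continuation, using the <initial-response>/<response> grammar suggested in the message. The function name, the mechanism name EXAMPLE and both transcripts are constructed for illustration.

```python
import re

# Canonical padded base64; the empty string also matches.
B64 = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")

def check_auth_exchange(lines):
    """Check a POP3 AUTH transcript given as (side, text) pairs without CRLF.

    side is "C" or "S". Returns (ok, reason). Models the lock-step reading:
    every client <response> must answer one server "+ " continuation.
    """
    if not lines or lines[0][0] != "C":
        return False, "exchange must start with the client's AUTH line"
    parts = lines[0][1].split(" ")
    if len(parts) not in (2, 3) or parts[0].upper() != "AUTH" or not parts[1]:
        return False, "malformed AUTH line"
    if len(parts) == 3:
        ir = parts[2]
        # initial-response = SP (base64 / "="); an empty one must be sent as "="
        if ir != "=" and not (ir and B64.fullmatch(ir)):
            return False, "initial-response is neither base64 nor '='"
    expect = "S"  # after the AUTH line it is the server's turn
    for i, (side, text) in enumerate(lines[1:], start=1):
        if side != expect:
            return False, f"line {i}: {side} sent {text!r} out of turn"
        if side == "S":
            if text.startswith(("+OK", "-ERR")):
                if i != len(lines) - 1:
                    return False, f"line {i}: data after final status"
                return text.startswith("+OK"), "final status: " + text[:4].strip()
            if not (text.startswith("+ ") and B64.fullmatch(text[2:])):
                return False, f"line {i}: bad continuation request"
            expect = "C"
        else:
            if not B64.fullmatch(text):
                return False, f"line {i}: response is not base64"
            expect = "S"
    return False, "exchange ended without +OK or -ERR"

# Constructed transcripts (mechanism name and payloads are made up).
LOCKSTEP = [("C", "AUTH EXAMPLE"), ("S", "+ Y2hhbGxlbmdlMQ=="), ("C", "cmVzcG9uc2Ux"),
            ("S", "+ "), ("C", ""), ("S", "+OK logged in")]
PIPELINED = [("C", "AUTH EXAMPLE"), ("C", "cmVzcG9uc2Ux"), ("C", ""), ("S", "+OK logged in")]

if __name__ == "__main__":
    for name, transcript in (("lock-step", LOCKSTEP), ("pipelined", PIPELINED)):
        print(name, check_auth_exchange(transcript))
```

The PIPELINED transcript is the misreading described in the message, with the client sending the whole multi-line <auth-command> at once; the check rejects it at the first client line that arrives without a preceding challenge.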