Re: Fwd: "POP3 SASL Authentication Mechanism" submitted for publication

[Alexey Melnikov <alexey.melnikov@xxxxxxxxx>]

Frank Ellermann wrote:

> Alexey Melnikov wrote:
>  
>
> > > > The multi-line response client to server confuse me.  
> > > > Which SASL mechanism needs this ?
> > > >        
> > > There's no multi-line response (unless I'm missing something).
> > >      
> > Indeed.
> > There are mechanisms with multiple challenges/responses.
> >    
> Let's see, I hope I got it now.  What really happens is this:
>
> C: AUTH mech initial-response-if-allowed-for-mech
> S: + challenge
> C: response
> S: + challenge
> C: response
> S: +OK your're logged in, maibox locked, have fun
>  
Correct.

> However the ABNF put's the complete part of the client into one
> <auth-command> = "AUTH" mech [SP ir] *( CRLF [base64]) CRLF
>
> My confusion was that I thought the client sends this complete
> multi-line <auth-command> at once, without intervening server
> challenges.
>  
Right.

> Maybe it's only me, then forget it.  Otherwise the ABNF has a
> <continue-req> for the "+" SP [base64] CRLF from the server,
> it could similarl also define a <continue-response>:
>
> auth-command     = "AUTH" mech [initial-response] CRLF *(response)
> initial-response = SP (base64 / "=")   ; a single "=" if empty
> response         = [base64] CRLF       ; after server challenge
>  
I don't object to something like this.

>  [Abhijit Menon-Sen wrote:]
>  
>
> > > there's no very good way to express this in the ABNF
> > >      
> Yes, but maybe using an explicit <response> with a comment helps.
>
> For Hector's multi-line observation I'm not sure what that was,
> an implementor confused like me, or some kind of pipelining.
>