Framework for authentication and data security in Internet protocols
Simple Authentication and Security Layer (SASL) is a
framework for
authentication and
data security in Internet
protocols. It decouples authentication mechanisms from
application protocols, in theory allowing any authentication mechanism supported by SASL to be used in any application protocol that uses SASL. Authentication mechanisms can also support proxy authorization, a facility allowing one user to assume the identity of another. They can also provide a data security layer offering data integrity and data confidentiality services. DIGEST-MD5 provides an example of mechanisms which can provide a data-security layer. Application protocols that support SASL typically also support
Transport Layer Security (TLS) to complement the services offered by SASL.
John Gardiner Myers wrote the original SASL specification (RFC 2222) in 1997. In 2006, that document was replaced by RFC 4422 authored by Alexey Melnikov and Kurt D. Zeilenga. SASL, as defined by RFC 4422 is an
IETFStandard Track protocol and is, as of 2006[update], a Proposed Standard.
SASL mechanisms
A SASL mechanism implements a series of challenges and responses. Defined SASL mechanisms[1] include:
EXTERNAL
where authentication is implicit in the context (e.g., for protocols already using
IPsec or
TLS)
Application protocols define their representation of SASL exchanges with a profile. A protocol has a service name such as "ldap" in a registry shared with
GSSAPI and
Kerberos.[7]
As of 2012[update] protocols currently supporting SASL include: