imapext-2007: docs/rfc/rfc4314.txt annotate

imapext-2007

annotate docs/rfc/rfc4314.txt @ 0:ada5e610ab86

imap-2007e

author	yuuji@gentei.org
date	Mon, 14 Sep 2009 15:17:45 +0900
parents
children

rev	line source
yuuji@0	1
yuuji@0	2
yuuji@0	3
yuuji@0	4
yuuji@0	5
yuuji@0	6
yuuji@0	7 Network Working Group A. Melnikov
yuuji@0	8 Request for Comments: 4314 Isode Ltd.
yuuji@0	9 Obsoletes: 2086 December 2005
yuuji@0	10 Category: Standards Track
yuuji@0	11
yuuji@0	12
yuuji@0	13 IMAP4 Access Control List (ACL) Extension
yuuji@0	14
yuuji@0	15 Status of this Memo
yuuji@0	16
yuuji@0	17 This document specifies an Internet standards track protocol for the
yuuji@0	18 Internet community, and requests discussion and suggestions for
yuuji@0	19 improvements. Please refer to the current edition of the "Internet
yuuji@0	20 Official Protocol Standards" (STD 1) for the standardization state
yuuji@0	21 and status of this protocol. Distribution of this memo is unlimited.
yuuji@0	22
yuuji@0	23 Copyright Notice
yuuji@0	24
yuuji@0	25 Copyright (C) The Internet Society (2005).
yuuji@0	26
yuuji@0	27 Abstract
yuuji@0	28
yuuji@0	29 The Access Control List (ACL) extension (RFC 2086) of the Internet
yuuji@0	30 Message Access Protocol (IMAP) permits mailbox access control lists
yuuji@0	31 to be retrieved and manipulated through the IMAP protocol.
yuuji@0	32
yuuji@0	33 This document is a revision of RFC 2086. It defines several new
yuuji@0	34 access control rights and clarifies which rights are required for
yuuji@0	35 different IMAP commands.
yuuji@0	36
yuuji@0	37
yuuji@0	38
yuuji@0	39
yuuji@0	40
yuuji@0	41
yuuji@0	42
yuuji@0	43
yuuji@0	44
yuuji@0	45
yuuji@0	46
yuuji@0	47
yuuji@0	48
yuuji@0	49
yuuji@0	50
yuuji@0	51
yuuji@0	52
yuuji@0	53
yuuji@0	54
yuuji@0	55
yuuji@0	56
yuuji@0	57
yuuji@0	58 Melnikov Standards Track [Page 1]
yuuji@0	59
yuuji@0	60 RFC 4314 IMAP ACL December 2005
yuuji@0	61
yuuji@0	62
yuuji@0	63 Table of Contents
yuuji@0	64
yuuji@0	65 1. Introduction and Overview .......................................3
yuuji@0	66 1.1. Conventions Used in This Document ..........................3
yuuji@0	67 2. Access Control ..................................................3
yuuji@0	68 2.1. Standard Rights ............................................5
yuuji@0	69 2.1.1. Obsolete Rights .....................................5
yuuji@0	70 2.2. Rights Defined in RFC 2086 .................................8
yuuji@0	71 3. Access control management commands and responses ................8
yuuji@0	72 3.1. SETACL Command .............................................8
yuuji@0	73 3.2. DELETEACL Command ..........................................9
yuuji@0	74 3.3. GETACL Command ............................................10
yuuji@0	75 3.4. LISTRIGHTS Command ........................................10
yuuji@0	76 3.5. MYRIGHTS Command ..........................................11
yuuji@0	77 3.6. ACL Response ..............................................11
yuuji@0	78 3.7. LISTRIGHTS Response .......................................12
yuuji@0	79 3.8. MYRIGHTS Response .........................................12
yuuji@0	80 4. Rights Required to Perform Different IMAP4rev1 Commands ........12
yuuji@0	81 5. Other Considerations ...........................................17
yuuji@0	82 5.1. Additional Requirements and Implementation Notes ..........17
yuuji@0	83 5.1.1. Servers ............................................17
yuuji@0	84 5.1.2. Clients ............................................18
yuuji@0	85 5.2. Mapping of ACL Rights to READ-WRITE and READ-ONLY
yuuji@0	86 Response Codes ............................................19
yuuji@0	87 6. Security Considerations ........................................20
yuuji@0	88 7. Formal Syntax ..................................................21
yuuji@0	89 8. IANA Considerations ............................................22
yuuji@0	90 9. Internationalization Considerations ............................22
yuuji@0	91 Appendix A. Changes since RFC 2086 ................................23
yuuji@0	92 Appendix B. Compatibility with RFC 2086 ...........................24
yuuji@0	93 Appendix C. Known Deficiencies ....................................24
yuuji@0	94 Appendix D. Acknowledgements ......................................25
yuuji@0	95 Normative References ..............................................25
yuuji@0	96 Informative References ............................................25
yuuji@0	97
yuuji@0	98
yuuji@0	99
yuuji@0	100
yuuji@0	101
yuuji@0	102
yuuji@0	103
yuuji@0	104
yuuji@0	105
yuuji@0	106
yuuji@0	107
yuuji@0	108
yuuji@0	109
yuuji@0	110
yuuji@0	111
yuuji@0	112
yuuji@0	113
yuuji@0	114 Melnikov Standards Track [Page 2]
yuuji@0	115
yuuji@0	116 RFC 4314 IMAP ACL December 2005
yuuji@0	117
yuuji@0	118
yuuji@0	119 1. Introduction and Overview
yuuji@0	120
yuuji@0	121 The ACL (Access Control List) extension of the Internet Message
yuuji@0	122 Access Protocol [IMAP4] permits mailbox access control lists to be
yuuji@0	123 retrieved and manipulated through the IMAP protocol.
yuuji@0	124
yuuji@0	125 This document is a revision of RFC 2086 [RFC2086]. It tries to
yuuji@0	126 clarify different ambiguities in RFC 2086, in particular, the use of
yuuji@0	127 UTF-8 [UTF-8] in access identifiers, which rights are required for
yuuji@0	128 different IMAP4 commands, and how READ-WRITE/READ-ONLY response codes
yuuji@0	129 are related to ACL.
yuuji@0	130
yuuji@0	131 1.1. Conventions Used in This Document
yuuji@0	132
yuuji@0	133 In examples, "C:" and "S:" indicate lines sent by the client and
yuuji@0	134 server respectively.
yuuji@0	135
yuuji@0	136 In all examples "/" character is used as hierarchy separator.
yuuji@0	137
yuuji@0	138 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
yuuji@0	139 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
yuuji@0	140 document are to be interpreted as described in RFC 2119 [KEYWORDS].
yuuji@0	141
yuuji@0	142 The phrase "ACL server" is just a shortcut for saying "IMAP server
yuuji@0	143 that supports ACL extension as defined in this document".
yuuji@0	144
yuuji@0	145 2. Access Control
yuuji@0	146
yuuji@0	147 The ACL extension is present in any IMAP4 implementation that returns
yuuji@0	148 "ACL" as one of the supported capabilities to the CAPABILITY command.
yuuji@0	149
yuuji@0	150 A server implementation conformant to this document MUST also return
yuuji@0	151 rights (see below) not defined in Section 2.2 in the "RIGHTS="
yuuji@0	152 capability.
yuuji@0	153
yuuji@0	154 An access control list is a set of <access identifier,rights> pairs.
yuuji@0	155 An ACL applies to a mailbox name.
yuuji@0	156
yuuji@0	157 Access identifier (or just "identifier") is a UTF-8 [UTF-8] string.
yuuji@0	158 The identifier "anyone" is reserved to refer to the universal
yuuji@0	159 identity (all authentications, including anonymous). All user name
yuuji@0	160 strings accepted by the LOGIN or AUTHENTICATE commands to
yuuji@0	161 authenticate to the IMAP server are reserved as identifiers for the
yuuji@0	162 corresponding users. Identifiers starting with a dash ("-") are
yuuji@0	163 reserved for "negative rights", described below. All other
yuuji@0	164 identifier strings are interpreted in an implementation-defined
yuuji@0	165 manner.
yuuji@0	166
yuuji@0	167
yuuji@0	168
yuuji@0	169
yuuji@0	170 Melnikov Standards Track [Page 3]
yuuji@0	171
yuuji@0	172 RFC 4314 IMAP ACL December 2005
yuuji@0	173
yuuji@0	174
yuuji@0	175 Rights is a string listing a (possibly empty) set of alphanumeric
yuuji@0	176 characters, each character listing a set of operations that is being
yuuji@0	177 controlled. Lowercase letters are reserved for "standard" rights,
yuuji@0	178 listed in Section 2.1. (Note that for compatibility with deployed
yuuji@0	179 clients and servers uppercase rights are not allowed.) The set of
yuuji@0	180 standard rights can only be extended by a standards-track document.
yuuji@0	181 Digits are reserved for implementation- or site-defined rights.
yuuji@0	182
yuuji@0	183 An implementation MAY tie rights together or MAY force rights to
yuuji@0	184 always or never be granted to particular identifiers. For example,
yuuji@0	185 in an implementation that uses UNIX mode bits, the rights "swite" are
yuuji@0	186 tied, the "a" right is always granted to the owner of a mailbox and
yuuji@0	187 is never granted to another user. If rights are tied in an
yuuji@0	188 implementation, the implementation must be conservative in granting
yuuji@0	189 rights in response to SETACL commands--unless all rights in a tied
yuuji@0	190 set are specified, none of that set should be included in the ACL
yuuji@0	191 entry for that identifier. A client can discover the set of rights
yuuji@0	192 that may be granted to a given identifier in the ACL for a given
yuuji@0	193 mailbox name by using the LISTRIGHTS command.
yuuji@0	194
yuuji@0	195 It is possible for multiple identifiers in an access control list to
yuuji@0	196 apply to a given user. For example, an ACL may include rights to be
yuuji@0	197 granted to the identifier matching the user, one or more
yuuji@0	198 implementation-defined identifiers matching groups that include the
yuuji@0	199 user, and/or the identifier "anyone". How these rights are combined
yuuji@0	200 to determine the user's access is implementation defined. An
yuuji@0	201 implementation may choose, for example, to use the union of the
yuuji@0	202 rights granted to the applicable identifiers. An implementation may
yuuji@0	203 instead choose, for example, to use only those rights granted to the
yuuji@0	204 most specific identifier present in the ACL. A client can determine
yuuji@0	205 the set of rights granted to the logged-in user for a given mailbox
yuuji@0	206 name by using the MYRIGHTS command.
yuuji@0	207
yuuji@0	208 When an identifier in an ACL starts with a dash ("-"), that indicates
yuuji@0	209 that associated rights are to be removed from the identifier prefixed
yuuji@0	210 by the dash. This is referred to as a "negative right". This
yuuji@0	211 differs from DELETEACL in that a negative right is added to the ACL
yuuji@0	212 and is a part of the calculation of the rights.
yuuji@0	213
yuuji@0	214 Let's assume that an identifier "fred" refers to a user with login
yuuji@0	215 "fred". If the identifier "-fred" is granted the "w" right, that
yuuji@0	216 indicates that the "w" right is to be removed from users matching the
yuuji@0	217 identifier "fred", even though the user "fred" might have the "w"
yuuji@0	218 right as a consequence of some other identifier in the ACL. A
yuuji@0	219 DELETEACL of "fred" simply deletes the identifier "fred" from the
yuuji@0	220 ACL; it does not affect any rights that the user "fred" may get from
yuuji@0	221 another entry in the ACL, in particular it doesn't affect rights
yuuji@0	222 granted to the identifier "-fred".
yuuji@0	223
yuuji@0	224
yuuji@0	225
yuuji@0	226 Melnikov Standards Track [Page 4]
yuuji@0	227
yuuji@0	228 RFC 4314 IMAP ACL December 2005
yuuji@0	229
yuuji@0	230
yuuji@0	231 Server implementations are not required to support "negative right"
yuuji@0	232 identifiers.
yuuji@0	233
yuuji@0	234 2.1. Standard Rights
yuuji@0	235
yuuji@0	236 The currently defined standard rights are (note that the list below
yuuji@0	237 doesn't list all commands that use a particular right):
yuuji@0	238
yuuji@0	239 l - lookup (mailbox is visible to LIST/LSUB commands, SUBSCRIBE
yuuji@0	240 mailbox)
yuuji@0	241 r - read (SELECT the mailbox, perform STATUS)
yuuji@0	242 s - keep seen/unseen information across sessions (set or clear
yuuji@0	243 \SEEN flag via STORE, also set \SEEN during APPEND/COPY/
yuuji@0	244 FETCH BODY[...])
yuuji@0	245 w - write (set or clear flags other than \SEEN and \DELETED via
yuuji@0	246 STORE, also set them during APPEND/COPY)
yuuji@0	247 i - insert (perform APPEND, COPY into mailbox)
yuuji@0	248 p - post (send mail to submission address for mailbox,
yuuji@0	249 not enforced by IMAP4 itself)
yuuji@0	250 k - create mailboxes (CREATE new sub-mailboxes in any
yuuji@0	251 implementation-defined hierarchy, parent mailbox for the new
yuuji@0	252 mailbox name in RENAME)
yuuji@0	253 x - delete mailbox (DELETE mailbox, old mailbox name in RENAME)
yuuji@0	254 t - delete messages (set or clear \DELETED flag via STORE, set
yuuji@0	255 \DELETED flag during APPEND/COPY)
yuuji@0	256 e - perform EXPUNGE and expunge as a part of CLOSE
yuuji@0	257 a - administer (perform SETACL/DELETEACL/GETACL/LISTRIGHTS)
yuuji@0	258
yuuji@0	259 2.1.1. Obsolete Rights
yuuji@0	260
yuuji@0	261 Due to ambiguity in RFC 2086, some existing RFC 2086 server
yuuji@0	262 implementations use the "c" right to control the DELETE command.
yuuji@0	263 Others chose to use the "d" right to control the DELETE command. For
yuuji@0	264 the former group, let's define the "create" right as union of the "k"
yuuji@0	265 and "x" rights, and the "delete" right as union of the "e" and "t"
yuuji@0	266 rights. For the latter group, let's define the "create" rights as a
yuuji@0	267 synonym to the "k" right, and the "delete" right as union of the "e",
yuuji@0	268 "t", and "x" rights.
yuuji@0	269
yuuji@0	270 For compatibility with RFC 2086, this section defines two virtual
yuuji@0	271 rights "d" and "c".
yuuji@0	272
yuuji@0	273 If a client includes the "d" right in a rights list, then it MUST be
yuuji@0	274 treated as if the client had included every member of the "delete"
yuuji@0	275 right. (It is not an error for a client to specify both the "d"
yuuji@0	276 right and one or more members of the "delete" right, but the effect
yuuji@0	277 is no different than if just the "d" right or all members of the
yuuji@0	278 "delete" right had been specified.)
yuuji@0	279
yuuji@0	280
yuuji@0	281
yuuji@0	282 Melnikov Standards Track [Page 5]
yuuji@0	283
yuuji@0	284 RFC 4314 IMAP ACL December 2005
yuuji@0	285
yuuji@0	286
yuuji@0	287 When any of the "delete" member rights is set in a list of rights,
yuuji@0	288 the server MUST also include the "d" right when returning the list in
yuuji@0	289 a MYRIGHTS or ACL response. This is to enable older clients
yuuji@0	290 conforming to RFC 2086 to work with newer servers. (*)
yuuji@0	291
yuuji@0	292 Example: C: A001 SeTacl INBOX/Drafts David lrswida
yuuji@0	293 S: A001 OK Setacl complete
yuuji@0	294
yuuji@0	295 The client has specified the "d" right in the SETACL command above
yuuji@0	296 and it expands to "et" on the server:
yuuji@0	297
yuuji@0	298 C: A002 getacl INBOX/Drafts
yuuji@0	299 S: * ACL INBOX Fred rwipslxcetda David lrswideta
yuuji@0	300 S: A002 OK Getacl complete
yuuji@0	301
yuuji@0	302 If the identifier specified in the LISTRIGHTS command can be granted
yuuji@0	303 any of the "delete" member rights on a mailbox, then the server MUST
yuuji@0	304 include the "d" right in the corresponding LISTRIGHTS response. (*)
yuuji@0	305 If the member rights aren't tied to non-member rights, then the "d"
yuuji@0	306 right is returned by itself in the LISTRIGHTS response. If any of
yuuji@0	307 the member rights needs to be tied to one (or more) non-member right,
yuuji@0	308 then the "d" right and all of the member rights need to be tied to
yuuji@0	309 the same non-member right(s) (**).
yuuji@0	310
yuuji@0	311 If a client includes the "c" right in a rights list, then it MUST be
yuuji@0	312 treated as if the client had included every member of the "create"
yuuji@0	313 right. (It is not an error for a client to specify both the "c"
yuuji@0	314 right and one or more members of the "create" right, but the effect
yuuji@0	315 is no different than if just the "c" right or all members of the
yuuji@0	316 "create" right had been specified.)
yuuji@0	317
yuuji@0	318 When any of the "create" member rights is set in a list of rights,
yuuji@0	319 the server MUST also include the "c" right when returning the list in
yuuji@0	320 a MYRIGHTS or ACL response. This is to enable older clients
yuuji@0	321 conforming to RFC 2086 to work with newer servers. (*)
yuuji@0	322
yuuji@0	323 Example: C: A003 Setacl INBOX/Drafts Byron lrswikda
yuuji@0	324 S: A001 OK Setacl complete
yuuji@0	325 C: A002 getAcl INBOX/Drafts
yuuji@0	326 S: * ACL INBOX Fred rwipslxcetda Byron lrswikcdeta
yuuji@0	327 S: A002 OK Getacl complete
yuuji@0	328
yuuji@0	329 The client has specified the "d" right in the SETACL command above
yuuji@0	330 and it expands to "et" on the server: As the client has specified the
yuuji@0	331 "k" right (which is a member of the "c" right), the server also
yuuji@0	332 returns the "c" right.
yuuji@0	333
yuuji@0	334
yuuji@0	335
yuuji@0	336
yuuji@0	337
yuuji@0	338 Melnikov Standards Track [Page 6]
yuuji@0	339
yuuji@0	340 RFC 4314 IMAP ACL December 2005
yuuji@0	341
yuuji@0	342
yuuji@0	343 If the identifier specified in the LISTRIGHTS command can be granted
yuuji@0	344 any of the "create" member rights on a mailbox, then the server MUST
yuuji@0	345 include the "c" right in the corresponding LISTRIGHTS response. (*)
yuuji@0	346 If the member rights aren't tied to non-member rights, then the "c"
yuuji@0	347 right is returned by itself in the LISTRIGHTS response. If any of
yuuji@0	348 the member rights needs to be tied to one (or more) non-member right,
yuuji@0	349 then the "c" right and all of the member rights need to be tied to
yuuji@0	350 the same non-member right(s) (**).
yuuji@0	351
yuuji@0	352 Example: The server that ties the rights as follows:
yuuji@0	353
yuuji@0	354 lr s w i p k x t
yuuji@0	355
yuuji@0	356 and c=k
yuuji@0	357
yuuji@0	358 will return:
yuuji@0	359
yuuji@0	360 S: * LISTRIGHTS archive/imap anyone ""
yuuji@0	361 lr s w i p k x t c d
yuuji@0	362
yuuji@0	363 Example: The server that ties the rights as follows:
yuuji@0	364
yuuji@0	365 lr s w i p k xte
yuuji@0	366
yuuji@0	367 and c=k
yuuji@0	368
yuuji@0	369 will return:
yuuji@0	370
yuuji@0	371 S: * LISTRIGHTS archive/imap anyone ""
yuuji@0	372 lr s w i p k xte c d
yuuji@0	373
yuuji@0	374 Example: The server that ties the rights as follows:
yuuji@0	375
yuuji@0	376 lr s w i p k x te
yuuji@0	377
yuuji@0	378 and c=k
yuuji@0	379
yuuji@0	380 will return:
yuuji@0	381
yuuji@0	382 S: * LISTRIGHTS archive/imap anyone ""
yuuji@0	383 lr s w i p k c x te d
yuuji@0	384
yuuji@0	385 Example: The server that ties the rights as follows:
yuuji@0	386
yuuji@0	387 lr swte i p k x
yuuji@0	388
yuuji@0	389 and c=kx
yuuji@0	390
yuuji@0	391
yuuji@0	392
yuuji@0	393
yuuji@0	394 Melnikov Standards Track [Page 7]
yuuji@0	395
yuuji@0	396 RFC 4314 IMAP ACL December 2005
yuuji@0	397
yuuji@0	398
yuuji@0	399 will return:
yuuji@0	400
yuuji@0	401 S: * LISTRIGHTS archive/imap anyone ""
yuuji@0	402 lr swted i p k x c
yuuji@0	403
yuuji@0	404 (*) Clients conforming to this document MUST ignore the virtual "d"
yuuji@0	405 and "c" rights in MYRIGHTS, ACL, and LISTRIGHTS responses.
yuuji@0	406
yuuji@0	407 (**) The IMAPEXT Working Group has debated this issue in great length
yuuji@0	408 and after reviewing existing ACL implementations concluded that
yuuji@0	409 this is a reasonable restriction.
yuuji@0	410
yuuji@0	411 2.2. Rights Defined in RFC 2086
yuuji@0	412
yuuji@0	413 The "RIGHTS=" capability MUST NOT include any of the rights defined
yuuji@0	414 in RFC 2086: "l", "r", "s", "w", "i", "p", "a", "c", "d", and the
yuuji@0	415 digits ("0" .. "9").
yuuji@0	416
yuuji@0	417 3. Access control management commands and responses
yuuji@0	418
yuuji@0	419 Servers, when processing a command that has an identifier as a
yuuji@0	420 parameter (i.e., any of SETACL, DELETEACL, and LISTRIGHTS commands),
yuuji@0	421 SHOULD first prepare the received identifier using "SASLprep" profile
yuuji@0	422 [SASLprep] of the "stringprep" algorithm [Stringprep]. If the
yuuji@0	423 preparation of the identifier fails or results in an empty string,
yuuji@0	424 the server MUST refuse to perform the command with a BAD response.
yuuji@0	425 Note that Section 6 recommends additional identifier's verification
yuuji@0	426 steps.
yuuji@0	427
yuuji@0	428 3.1. SETACL Command
yuuji@0	429
yuuji@0	430 Arguments: mailbox name
yuuji@0	431 identifier
yuuji@0	432 access right modification
yuuji@0	433
yuuji@0	434 Data: no specific data for this command
yuuji@0	435
yuuji@0	436 Result: OK - setacl completed
yuuji@0	437 NO - setacl failure: can't set acl
yuuji@0	438 BAD - arguments invalid
yuuji@0	439
yuuji@0	440 The SETACL command changes the access control list on the specified
yuuji@0	441 mailbox so that the specified identifier is granted permissions as
yuuji@0	442 specified in the third argument.
yuuji@0	443
yuuji@0	444 The third argument is a string containing an optional plus ("+") or
yuuji@0	445 minus ("-") prefix, followed by zero or more rights characters. If
yuuji@0	446 the string starts with a plus, the following rights are added to any
yuuji@0	447
yuuji@0	448
yuuji@0	449
yuuji@0	450 Melnikov Standards Track [Page 8]
yuuji@0	451
yuuji@0	452 RFC 4314 IMAP ACL December 2005
yuuji@0	453
yuuji@0	454
yuuji@0	455 existing rights for the identifier. If the string starts with a
yuuji@0	456 minus, the following rights are removed from any existing rights for
yuuji@0	457 the identifier. If the string does not start with a plus or minus,
yuuji@0	458 the rights replace any existing rights for the identifier.
yuuji@0	459
yuuji@0	460 Note that an unrecognized right MUST cause the command to return the
yuuji@0	461 BAD response. In particular, the server MUST NOT silently ignore
yuuji@0	462 unrecognized rights.
yuuji@0	463
yuuji@0	464 Example: C: A001 GETACL INBOX/Drafts
yuuji@0	465 S: * ACL INBOX/Drafts Fred rwipslxetad Chris lrswi
yuuji@0	466 S: A001 OK Getacl complete
yuuji@0	467 C: A002 SETACL INBOX/Drafts Chris +cda
yuuji@0	468 S: A002 OK Setacl complete
yuuji@0	469 C: A003 GETACL INBOX/Drafts
yuuji@0	470 S: * ACL INBOX/Drafts Fred rwipslxetad Chris lrswicdakxet
yuuji@0	471 S: A003 OK Getacl complete
yuuji@0	472
yuuji@0	473
yuuji@0	474 C: A035 SETACL INBOX/Drafts John lrQswicda
yuuji@0	475 S: A035 BAD Uppercase rights are not allowed
yuuji@0	476
yuuji@0	477
yuuji@0	478 C: A036 SETACL INBOX/Drafts John lrqswicda
yuuji@0	479 S: A036 BAD The q right is not supported
yuuji@0	480
yuuji@0	481 3.2. DELETEACL Command
yuuji@0	482
yuuji@0	483 Arguments: mailbox name
yuuji@0	484 identifier
yuuji@0	485
yuuji@0	486 Data: no specific data for this command
yuuji@0	487
yuuji@0	488 Result: OK - deleteacl completed
yuuji@0	489 NO - deleteacl failure: can't delete acl
yuuji@0	490 BAD - arguments invalid
yuuji@0	491
yuuji@0	492 The DELETEACL command removes any <identifier,rights> pair for the
yuuji@0	493 specified identifier from the access control list for the specified
yuuji@0	494 mailbox.
yuuji@0	495
yuuji@0	496 Example: C: B001 getacl INBOX
yuuji@0	497 S: * ACL INBOX Fred rwipslxetad -Fred wetd $team w
yuuji@0	498 S: B001 OK Getacl complete
yuuji@0	499 C: B002 DeleteAcl INBOX Fred
yuuji@0	500 S: B002 OK Deleteacl complete
yuuji@0	501
yuuji@0	502
yuuji@0	503
yuuji@0	504
yuuji@0	505
yuuji@0	506 Melnikov Standards Track [Page 9]
yuuji@0	507
yuuji@0	508 RFC 4314 IMAP ACL December 2005
yuuji@0	509
yuuji@0	510
yuuji@0	511 C: B003 GETACL INBOX
yuuji@0	512 S: * ACL INBOX -Fred wetd $team w
yuuji@0	513 S: B003 OK Getacl complete
yuuji@0	514
yuuji@0	515 3.3. GETACL Command
yuuji@0	516
yuuji@0	517 Arguments: mailbox name
yuuji@0	518
yuuji@0	519 Data: untagged responses: ACL
yuuji@0	520
yuuji@0	521 Result: OK - getacl completed
yuuji@0	522 NO - getacl failure: can't get acl
yuuji@0	523 BAD - arguments invalid
yuuji@0	524
yuuji@0	525 The GETACL command returns the access control list for mailbox in an
yuuji@0	526 untagged ACL response.
yuuji@0	527
yuuji@0	528 Some implementations MAY permit multiple forms of an identifier to
yuuji@0	529 reference the same IMAP account. Usually, such implementations will
yuuji@0	530 have a canonical form that is stored internally. An ACL response
yuuji@0	531 caused by a GETACL command MAY include a canonicalized form of the
yuuji@0	532 identifier that might be different from the one used in the
yuuji@0	533 corresponding SETACL command.
yuuji@0	534
yuuji@0	535 Example: C: A002 GETACL INBOX
yuuji@0	536 S: * ACL INBOX Fred rwipsldexta
yuuji@0	537 S: A002 OK Getacl complete
yuuji@0	538
yuuji@0	539 3.4. LISTRIGHTS Command
yuuji@0	540
yuuji@0	541 Arguments: mailbox name
yuuji@0	542 identifier
yuuji@0	543
yuuji@0	544 Data: untagged responses: LISTRIGHTS
yuuji@0	545
yuuji@0	546 Result: OK - listrights completed
yuuji@0	547 NO - listrights failure: can't get rights list
yuuji@0	548 BAD - arguments invalid
yuuji@0	549
yuuji@0	550 The LISTRIGHTS command takes a mailbox name and an identifier and
yuuji@0	551 returns information about what rights can be granted to the
yuuji@0	552 identifier in the ACL for the mailbox.
yuuji@0	553
yuuji@0	554 Some implementations MAY permit multiple forms of an identifier to
yuuji@0	555 reference the same IMAP account. Usually, such implementations will
yuuji@0	556 have a canonical form that is stored internally. A LISTRIGHTS
yuuji@0	557
yuuji@0	558
yuuji@0	559
yuuji@0	560
yuuji@0	561
yuuji@0	562 Melnikov Standards Track [Page 10]
yuuji@0	563
yuuji@0	564 RFC 4314 IMAP ACL December 2005
yuuji@0	565
yuuji@0	566
yuuji@0	567 response caused by a LISTRIGHTS command MUST always return the same
yuuji@0	568 form of an identifier as specified by the client. This is to allow
yuuji@0	569 the client to correlate the response with the command.
yuuji@0	570
yuuji@0	571 Example: C: a001 LISTRIGHTS ~/Mail/saved smith
yuuji@0	572 S: * LISTRIGHTS ~/Mail/saved smith la r swicdkxte
yuuji@0	573 S: a001 OK Listrights completed
yuuji@0	574
yuuji@0	575 Example: C: a005 listrights archive/imap anyone
yuuji@0	576 S: * LISTRIGHTS archive.imap anyone ""
yuuji@0	577 l r s w i p k x t e c d a 0 1 2 3 4 5 6 7 8 9
yuuji@0	578 S: a005 Listrights successful
yuuji@0	579
yuuji@0	580 3.5. MYRIGHTS Command
yuuji@0	581
yuuji@0	582 Arguments: mailbox name
yuuji@0	583
yuuji@0	584 Data: untagged responses: MYRIGHTS
yuuji@0	585
yuuji@0	586 Result: OK - myrights completed
yuuji@0	587 NO - myrights failure: can't get rights
yuuji@0	588 BAD - arguments invalid
yuuji@0	589
yuuji@0	590 The MYRIGHTS command returns the set of rights that the user has to
yuuji@0	591 mailbox in an untagged MYRIGHTS reply.
yuuji@0	592
yuuji@0	593 Example: C: A003 MYRIGHTS INBOX
yuuji@0	594 S: * MYRIGHTS INBOX rwiptsldaex
yuuji@0	595 S: A003 OK Myrights complete
yuuji@0	596
yuuji@0	597 3.6. ACL Response
yuuji@0	598
yuuji@0	599 Data: mailbox name
yuuji@0	600 zero or more identifier rights pairs
yuuji@0	601
yuuji@0	602 The ACL response occurs as a result of a GETACL command. The first
yuuji@0	603 string is the mailbox name for which this ACL applies. This is
yuuji@0	604 followed by zero or more pairs of strings; each pair contains the
yuuji@0	605 identifier for which the entry applies followed by the set of rights
yuuji@0	606 that the identifier has.
yuuji@0	607
yuuji@0	608 Section 2.1.1 details additional server requirements related to
yuuji@0	609 handling of the virtual "d" and "c" rights.
yuuji@0	610
yuuji@0	611
yuuji@0	612
yuuji@0	613
yuuji@0	614
yuuji@0	615
yuuji@0	616
yuuji@0	617
yuuji@0	618 Melnikov Standards Track [Page 11]
yuuji@0	619
yuuji@0	620 RFC 4314 IMAP ACL December 2005
yuuji@0	621
yuuji@0	622
yuuji@0	623 3.7. LISTRIGHTS Response
yuuji@0	624
yuuji@0	625 Data: mailbox name
yuuji@0	626 identifier
yuuji@0	627 required rights
yuuji@0	628 list of optional rights
yuuji@0	629
yuuji@0	630 The LISTRIGHTS response occurs as a result of a LISTRIGHTS command.
yuuji@0	631 The first two strings are the mailbox name and identifier for which
yuuji@0	632 this rights list applies. Following the identifier is a string
yuuji@0	633 containing the (possibly empty) set of rights the identifier will
yuuji@0	634 always be granted in the mailbox.
yuuji@0	635
yuuji@0	636 Following this are zero or more strings each containing a set of
yuuji@0	637 rights the identifier can be granted in the mailbox. Rights
yuuji@0	638 mentioned in the same string are tied together. The server MUST
yuuji@0	639 either grant all tied rights to the identifier in the mailbox or
yuuji@0	640 grant none. Section 2.1.1 details additional server requirements
yuuji@0	641 related to handling of the virtual "d" and "c" rights.
yuuji@0	642
yuuji@0	643 The same right MUST NOT be listed more than once in the LISTRIGHTS
yuuji@0	644 command.
yuuji@0	645
yuuji@0	646 3.8. MYRIGHTS Response
yuuji@0	647
yuuji@0	648 Data: mailbox name
yuuji@0	649 rights
yuuji@0	650
yuuji@0	651 The MYRIGHTS response occurs as a result of a MYRIGHTS command. The
yuuji@0	652 first string is the mailbox name for which these rights apply. The
yuuji@0	653 second string is the set of rights that the client has.
yuuji@0	654
yuuji@0	655 Section 2.1.1 details additional server requirements related to
yuuji@0	656 handling of the virtual "d" and "c" rights.
yuuji@0	657
yuuji@0	658 4. Rights Required to Perform Different IMAP4rev1 Commands
yuuji@0	659
yuuji@0	660 Before executing a command, an ACL-compliant server MUST check which
yuuji@0	661 rights are required to perform it. This section groups command by
yuuji@0	662 functions they perform and list the rights required. It also gives
yuuji@0	663 the detailed description of any special processing required.
yuuji@0	664
yuuji@0	665 For the purpose of this section the UID counterpart of a command is
yuuji@0	666 considered to be the same command, e.g., both UID COPY and COPY
yuuji@0	667 commands require the same set of rights.
yuuji@0	668
yuuji@0	669
yuuji@0	670
yuuji@0	671
yuuji@0	672
yuuji@0	673
yuuji@0	674 Melnikov Standards Track [Page 12]
yuuji@0	675
yuuji@0	676 RFC 4314 IMAP ACL December 2005
yuuji@0	677
yuuji@0	678
yuuji@0	679 The table below summarizes different rights or their combinations
yuuji@0	680 that are required in order to perform different IMAP operations. As
yuuji@0	681 it is not always possible to express complex right checking and
yuuji@0	682 interactions, the description after the table should be used as the
yuuji@0	683 primary reference.
yuuji@0	684
yuuji@0	685 +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+
yuuji@0	686 \|Operations\Rights \| l \| r \| s \| w \| i \| k \| x \| t \| e \| a \|Any\|Non\|
yuuji@0	687 +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+
yuuji@0	688 \| commands in authenticated state \|
yuuji@0	689 +-------------------------------------------------------------------+
yuuji@0	690 \| LIST \| + \| \| \| \| \| \| \| \| \| \| \| \|
yuuji@0	691 \| SUBSCRIBE \| * \| \| \| \| \| \| \| \| \| \| \| * \|
yuuji@0	692 \| UNSUBSCRIBE \| \| \| \| \| \| \| \| \| \| \| \| + \|
yuuji@0	693 \| LSUB \| * \| \| \| \| \| \| \| \| \| \| \| * \|
yuuji@0	694 \|CREATE (for parent)\| \| \| \| \| \| + \| \| \| \| \| \| \|
yuuji@0	695 \| DELETE \| \| ? \| \| \| \| \| + \| ? \| ? \| \| \| \|
yuuji@0	696 \| RENAME \| \| \| \| \| \| + \| + \| \| \| \| \| \|
yuuji@0	697 \| SELECT/EXAMINE \| \| + \| \| \| \| \| \| \| \| \| \| \|
yuuji@0	698 \| STATUS \| \| + \| \| \| \| \| \| \| \| \| \| \|
yuuji@0	699 \| SETACL/DELETEACL \| \| \| \| \| \| \| \| \| \| + \| \| \|
yuuji@0	700 \| GETACL/LISTRIGHTS \| \| \| \| \| \| \| \| \| \| + \| \| \|
yuuji@0	701 \| MYRIGHTS \| \| \| \| \| \| \| \| \| \| \| + \| \|
yuuji@0	702 \| APPEND \| \| \| ? \| ? \| + \| \| \| ? \| \| \| \| \|
yuuji@0	703 +-------------------------------------------------------------------+
yuuji@0	704 \| commands in selected state \|
yuuji@0	705 +-------------------------------------------------------------------+
yuuji@0	706 \| COPY \| \| \| ? \| ? \| + \| \| \| ? \| \| \| \| \|
yuuji@0	707 \| EXPUNGE \| \| \| \| \| \| \| \| \| + \| \| \| \|
yuuji@0	708 \| CLOSE \| \| \| \| \| \| \| \| \| ? \| \| \| \|
yuuji@0	709 \| FETCH \| \| \| ? \| \| \| \| \| \| \| \| \| \|
yuuji@0	710 \| STORE flags \| \| \| ? \| ? \| \| \| \| ? \| \| \| \| \|
yuuji@0	711 +-------------------+---+---+---+---+---+---+---+---+---+---+---+---+
yuuji@0	712
yuuji@0	713 Note: for all commands in the selected state, the "r" is implied,
yuuji@0	714 because it is required to SELECT/EXAMINE a mailbox. Servers are not
yuuji@0	715 required to check presence of the "r" right once a mailbox is
yuuji@0	716 successfully selected.
yuuji@0	717
yuuji@0	718 Legend:
yuuji@0	719 + - The right is required
yuuji@0	720 * - Only one of the rights marked with * is required
yuuji@0	721 (see description below)
yuuji@0	722 ? - The right is OPTIONAL (see description below)
yuuji@0	723 "Any" - at least one of the "l", "r", "i", "k", "x", "a" rights is
yuuji@0	724 required
yuuji@0	725 "Non" - No rights required to perform the command
yuuji@0	726
yuuji@0	727
yuuji@0	728
yuuji@0	729
yuuji@0	730 Melnikov Standards Track [Page 13]
yuuji@0	731
yuuji@0	732 RFC 4314 IMAP ACL December 2005
yuuji@0	733
yuuji@0	734
yuuji@0	735 Listing and subscribing/unsubscribing mailboxes:
yuuji@0	736 LIST - "l" right is required. However, unlike other commands
yuuji@0	737 (e.g., SELECT) the server MUST NOT return a NO response if it
yuuji@0	738 can't list a mailbox.
yuuji@0	739 Note that if the user has "l" right to a mailbox "A/B", but not to
yuuji@0	740 its parent mailbox "A", the LIST command should behave as if the
yuuji@0	741 mailbox "A" doesn't exist, for example:
yuuji@0	742
yuuji@0	743 C: A777 LIST "" *
yuuji@0	744 S: * LIST (\NoInferiors) "/" "A/B"
yuuji@0	745 S: * LIST () "/" "C"
yuuji@0	746 S: * LIST (\NoInferiors) "/" "C/D"
yuuji@0	747 S: A777 OK LIST completed
yuuji@0	748
yuuji@0	749
yuuji@0	750 SUBSCRIBE - "l" right is required only if the server checks for
yuuji@0	751 mailbox existence when performing SUBSCRIBE.
yuuji@0	752
yuuji@0	753 UNSUBSCRIBE - no rights required to perform this operation.
yuuji@0	754
yuuji@0	755 LSUB - "l" right is required only if the server checks for mailbox
yuuji@0	756 existence when performing SUBSCRIBE. However, unlike other
yuuji@0	757 commands (e.g., SELECT) the server MUST NOT return a NO response
yuuji@0	758 if it can't list a subscribed mailbox.
yuuji@0	759
yuuji@0	760 Mailbox management:
yuuji@0	761 CREATE - "k" right on a nearest existing parent mailbox. When a
yuuji@0	762 new mailbox is created, it SHOULD inherit the ACL from the parent
yuuji@0	763 mailbox (if one exists) in the defined hierarchy.
yuuji@0	764
yuuji@0	765 DELETE - "x" right on the mailbox. Note that some servers don't
yuuji@0	766 allow to delete a non-empty mailbox. If this is the case, the
yuuji@0	767 user would also need "r", "e", and "t" rights, in order to open
yuuji@0	768 the mailbox and empty it.
yuuji@0	769
yuuji@0	770 The DELETE command MUST delete the ACL associated with the deleted
yuuji@0	771 mailbox.
yuuji@0	772
yuuji@0	773 RENAME - Moving a mailbox from one parent to another requires the
yuuji@0	774 "x" right on the mailbox itself and the "k" right for the new
yuuji@0	775 parent. For example, if the user wants to rename the mailbox
yuuji@0	776 named "A/B/C" to "D/E", the user must have the "x" right for the
yuuji@0	777 mailbox "A/B/C" and the "k" right for the mailbox "D".
yuuji@0	778 The RENAME command SHOULD NOT change the ACLs on the renamed
yuuji@0	779 mailbox and submailboxes.
yuuji@0	780
yuuji@0	781
yuuji@0	782
yuuji@0	783
yuuji@0	784
yuuji@0	785
yuuji@0	786 Melnikov Standards Track [Page 14]
yuuji@0	787
yuuji@0	788 RFC 4314 IMAP ACL December 2005
yuuji@0	789
yuuji@0	790
yuuji@0	791 Copying or appending messages:
yuuji@0	792 Before performing a COPY/APPEND command, the server MUST check if
yuuji@0	793 the user has "i" right for the target mailbox. If the user
yuuji@0	794 doesn't have "i" right, the operation fails. Otherwise for each
yuuji@0	795 copied/appended message the server MUST check if the user has
yuuji@0	796 "t" right - when the message has \Deleted flag set
yuuji@0	797 "s" right - when the message has \Seen flag set
yuuji@0	798 "w" right - for all other message flags.
yuuji@0	799 Only when the user has a particular right are the corresponding
yuuji@0	800 flags stored for the newly created message. The server MUST NOT
yuuji@0	801 fail a COPY/APPEND if the user has no rights to set a particular
yuuji@0	802 flag.
yuuji@0	803
yuuji@0	804 Example: C: A003 MYRIGHTS TargetMailbox
yuuji@0	805 S: * MYRIGHTS TargetMailbox rwis
yuuji@0	806 S: A003 OK Myrights complete
yuuji@0	807
yuuji@0	808 C: A004 FETCH 1:3 (FLAGS)
yuuji@0	809 S: * 1 FETCH (FLAGS (\Draft \Deleted)
yuuji@0	810 S: * 2 FETCH (FLAGS (\Answered)
yuuji@0	811 S: * 3 FETCH (FLAGS ($Forwarded \Seen)
yuuji@0	812 S: A004 OK Fetch Completed
yuuji@0	813
yuuji@0	814 C: A005 COPY 1:3 TargetMailbox
yuuji@0	815 S: A005 OK Copy completed
yuuji@0	816
yuuji@0	817 C: A006 SELECT TargetMailbox
yuuji@0	818 ...
yuuji@0	819 S: A006 Select Completed
yuuji@0	820
yuuji@0	821 Let's assume that the copied messages received message numbers
yuuji@0	822 77:79.
yuuji@0	823
yuuji@0	824 C: A007 FETCH 77:79 (FLAGS)
yuuji@0	825 S: * 77 FETCH (FLAGS (\Draft))
yuuji@0	826 S: * 78 FETCH (FLAGS (\Answered))
yuuji@0	827 S: * 79 FETCH (FLAGS ($Forwarded \Seen))
yuuji@0	828 S: A007 OK Fetch Completed
yuuji@0	829
yuuji@0	830 \Deleted flag was lost on COPY, as the user has no "t" right in
yuuji@0	831 the target mailbox.
yuuji@0	832 If the MYRIGHTS command with the tag A003 would have returned:
yuuji@0	833
yuuji@0	834 S: * MYRIGHTS TargetMailbox rsti
yuuji@0	835
yuuji@0	836 the response from the FETCH with the tag A007 would have been:
yuuji@0	837
yuuji@0	838 C: A007 FETCH 77:79 (FLAGS)
yuuji@0	839
yuuji@0	840
yuuji@0	841
yuuji@0	842 Melnikov Standards Track [Page 15]
yuuji@0	843
yuuji@0	844 RFC 4314 IMAP ACL December 2005
yuuji@0	845
yuuji@0	846
yuuji@0	847 S: * 77 FETCH (FLAGS (\Deleted))
yuuji@0	848 S: * 78 FETCH (FLAGS ())
yuuji@0	849 S: * 79 FETCH (FLAGS (\Seen))
yuuji@0	850 S: A007 OK Fetch Completed
yuuji@0	851
yuuji@0	852 In the latter case, \Answered, $Forwarded, and \Draft flags were
yuuji@0	853 lost on COPY, as the user has no "w" right in the target mailbox.
yuuji@0	854
yuuji@0	855 Expunging the selected mailbox:
yuuji@0	856 EXPUNGE - "e" right on the selected mailbox.
yuuji@0	857
yuuji@0	858 CLOSE - "e" right on the selected mailbox. If the server is
yuuji@0	859 unable to expunge the mailbox because the user doesn't have the
yuuji@0	860 "e" right, the server MUST ignore the expunge request, close the
yuuji@0	861 mailbox, and return the tagged OK response.
yuuji@0	862
yuuji@0	863 Fetch information about a mailbox and its messages:
yuuji@0	864 SELECT/EXAMINE/STATUS - "r" right on the mailbox.
yuuji@0	865
yuuji@0	866 FETCH - A FETCH request that implies setting \Seen flag MUST NOT
yuuji@0	867 set it, if the current user doesn't have "s" right.
yuuji@0	868
yuuji@0	869 Changing flags:
yuuji@0	870 STORE - the server MUST check if the user has
yuuji@0	871 "t" right - when the user modifies \Deleted flag
yuuji@0	872 "s" right - when the user modifies \Seen flag
yuuji@0	873 "w" right - for all other message flags.
yuuji@0	874 STORE operation SHOULD NOT fail if the user has rights to modify
yuuji@0	875 at least one flag specified in the STORE, as the tagged NO
yuuji@0	876 response to a STORE command is not handled very well by deployed
yuuji@0	877 clients.
yuuji@0	878
yuuji@0	879 Changing ACLs:
yuuji@0	880 SETACL/DELETEACL - "a" right on the mailbox.
yuuji@0	881
yuuji@0	882 Reading ACLs:
yuuji@0	883 GETACL - "a" right on the mailbox.
yuuji@0	884
yuuji@0	885 MYRIGHTS - any of the following rights is required to perform the
yuuji@0	886 operation: "l", "r", "i", "k", "x", "a".
yuuji@0	887
yuuji@0	888 LISTRIGHTS - "a" right on the mailbox.
yuuji@0	889
yuuji@0	890
yuuji@0	891
yuuji@0	892
yuuji@0	893
yuuji@0	894
yuuji@0	895
yuuji@0	896
yuuji@0	897
yuuji@0	898 Melnikov Standards Track [Page 16]
yuuji@0	899
yuuji@0	900 RFC 4314 IMAP ACL December 2005
yuuji@0	901
yuuji@0	902
yuuji@0	903 5. Other Considerations
yuuji@0	904
yuuji@0	905 5.1. Additional Requirements and Implementation Notes
yuuji@0	906
yuuji@0	907 5.1.1. Servers
yuuji@0	908
yuuji@0	909 This document defines an additional capability that is used to
yuuji@0	910 announce the list of extra rights (excluding the ones defined in RFC
yuuji@0	911 2086) supported by the server. The set of rights MUST include "t",
yuuji@0	912 "e", "x", and "k". Note that the extra rights can appear in any
yuuji@0	913 order.
yuuji@0	914
yuuji@0	915 Example: C: 1 capability
yuuji@0	916 S: * CAPABILITY IMAP4REV1 STARTTLS LITERAL+
yuuji@0	917 ACL RIGHTS=texk
yuuji@0	918 S: 1 OK completed
yuuji@0	919
yuuji@0	920 Any server implementing an ACL extension MUST accurately reflect the
yuuji@0	921 current user's rights in FLAGS and PERMANENTFLAGS responses.
yuuji@0	922
yuuji@0	923 Example: C: A142 SELECT INBOX
yuuji@0	924 S: * 172 EXISTS
yuuji@0	925 S: * 1 RECENT
yuuji@0	926 S: * OK [UNSEEN 12] Message 12 is first unseen
yuuji@0	927 S: * OK [UIDVALIDITY 3857529045] UIDs valid
yuuji@0	928 S: * OK [UIDNEXT 4392] Predicted next UID
yuuji@0	929 S: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
yuuji@0	930 S: * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \*)] L
yuuji@0	931 S: A142 OK [READ-WRITE] SELECT completed
yuuji@0	932 C: A143 MYRIGHTS INBOX
yuuji@0	933 S: * MYRIGHTS INBOX lrwis
yuuji@0	934 S: A143 OK completed
yuuji@0	935
yuuji@0	936 Note that in order to get better performance the client MAY pipeline
yuuji@0	937 SELECT and MYRIGHTS commands:
yuuji@0	938
yuuji@0	939 C: A142 SELECT INBOX
yuuji@0	940 C: A143 MYRIGHTS INBOX
yuuji@0	941 S: * 172 EXISTS
yuuji@0	942 S: * 1 RECENT
yuuji@0	943 S: * OK [UNSEEN 12] Message 12 is first unseen
yuuji@0	944 S: * OK [UIDVALIDITY 3857529045] UIDs valid
yuuji@0	945 S: * OK [UIDNEXT 4392] Predicted next UID
yuuji@0	946 S: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
yuuji@0	947 S: * OK [PERMANENTFLAGS (\Seen \Answered \Flagged \*)] L
yuuji@0	948 S: A142 OK [READ-WRITE] SELECT completed
yuuji@0	949 S: * MYRIGHTS INBOX lrwis
yuuji@0	950 S: A143 OK completed
yuuji@0	951
yuuji@0	952
yuuji@0	953
yuuji@0	954 Melnikov Standards Track [Page 17]
yuuji@0	955
yuuji@0	956 RFC 4314 IMAP ACL December 2005
yuuji@0	957
yuuji@0	958
yuuji@0	959 Servers MAY cache the rights a user has on a mailbox when the mailbox
yuuji@0	960 is selected, so that if a client's rights on a mailbox are changed
yuuji@0	961 with SETACL or DELETEACL, commands specific to the selected state
yuuji@0	962 (e.g., STORE, EXPUNGE) might not reflect the changed rights until the
yuuji@0	963 mailbox is re-selected. If the server checks the rights on each
yuuji@0	964 command, then it SHOULD send FLAGS and PERMANENTFLAGS responses if
yuuji@0	965 they have changed. If such server detects that the user no longer
yuuji@0	966 has read access to the mailbox, it MAY send an untagged BYE response
yuuji@0	967 and close connection. It MAY also refuse to execute all commands
yuuji@0	968 specific to the selected state until the mailbox is closed; however,
yuuji@0	969 server implementors should note that most clients don't handle NO
yuuji@0	970 responses very well.
yuuji@0	971
yuuji@0	972 An ACL server MAY modify one or more ACLs for one or more identifiers
yuuji@0	973 as a side effect of modifying the ACL specified in a
yuuji@0	974 SETACL/DELETEACL. If the server does that, it MUST send untagged ACL
yuuji@0	975 response(s) to notify the client about the changes made.
yuuji@0	976
yuuji@0	977 An ACL server implementation MUST treat received ACL modification
yuuji@0	978 commands as a possible ambiguity with respect to subsequent commands
yuuji@0	979 affected by the ACL, as described in Section 5.5 of [IMAP4]. Hence a
yuuji@0	980 pipeline SETACL + MYRIGHTS is an ambiguity with respect to the
yuuji@0	981 server, meaning that the server must execute the SETACL command to
yuuji@0	982 completion before the MYRIGHTS. However, clients are permitted to
yuuji@0	983 send such a pipeline.
yuuji@0	984
yuuji@0	985 5.1.2. Clients
yuuji@0	986
yuuji@0	987 The following requirement is put on clients in order to allow for
yuuji@0	988 future extensibility. A client implementation that allows a user to
yuuji@0	989 read and update ACLs MUST preserve unrecognized rights that it
yuuji@0	990 doesn't allow the user to change. That is, if the client
yuuji@0	991
yuuji@0	992 1) can read ACLs
yuuji@0	993 and
yuuji@0	994 2) can update ACLs
yuuji@0	995 but
yuuji@0	996 3) doesn't allow the user to change the rights the client doesn't
yuuji@0	997 recognize, then it MUST preserve unrecognized rights.
yuuji@0	998
yuuji@0	999 Otherwise the client could risk unintentionally removing permissions
yuuji@0	1000 it doesn't understand.
yuuji@0	1001
yuuji@0	1002
yuuji@0	1003
yuuji@0	1004
yuuji@0	1005
yuuji@0	1006
yuuji@0	1007
yuuji@0	1008
yuuji@0	1009
yuuji@0	1010 Melnikov Standards Track [Page 18]
yuuji@0	1011
yuuji@0	1012 RFC 4314 IMAP ACL December 2005
yuuji@0	1013
yuuji@0	1014
yuuji@0	1015 5.2. Mapping of ACL Rights to READ-WRITE and READ-ONLY Response Codes
yuuji@0	1016
yuuji@0	1017 A particular ACL server implementation MAY allow "shared multiuser
yuuji@0	1018 access" to some mailboxes. "Shared multiuser access" to a mailbox
yuuji@0	1019 means that multiple different users are able to access the same
yuuji@0	1020 mailbox, if they have proper access rights. "Shared multiuser
yuuji@0	1021 access" to the mailbox doesn't mean that the ACL for the mailbox is
yuuji@0	1022 currently set to allow access by multiple users. Let's denote a
yuuji@0	1023 "shared multiuser write access" as a "shared multiuser access" when a
yuuji@0	1024 user can be granted flag modification rights (any of "w", "s", or
yuuji@0	1025 "t").
yuuji@0	1026
yuuji@0	1027 Section 4 describes which rights are required for modifying different
yuuji@0	1028 flags.
yuuji@0	1029
yuuji@0	1030 If the ACL server implements some flags as shared for a mailbox
yuuji@0	1031 (i.e., the ACL for the mailbox MAY be set up so that changes to those
yuuji@0	1032 flags are visible to another user), let's call the set of rights
yuuji@0	1033 associated with these flags (as described in Section 4) for that
yuuji@0	1034 mailbox collectively as "shared flag rights". Note that the "shared
yuuji@0	1035 flag rights" set MAY be different for different mailboxes.
yuuji@0	1036
yuuji@0	1037 If the server doesn't support "shared multiuser write access" to a
yuuji@0	1038 mailbox or doesn't implement shared flags on the mailbox, "shared
yuuji@0	1039 flag rights" for the mailbox is defined to be the empty set.
yuuji@0	1040
yuuji@0	1041 Example 1: Mailbox "banan" allows "shared multiuser write access" and
yuuji@0	1042 implements flags \Deleted, \Answered, and $MDNSent as
yuuji@0	1043 shared flags. "Shared flag rights" for the mailbox "banan"
yuuji@0	1044 is a set containing flags "t" (because system flag
yuuji@0	1045 \Deleted requires "t" right) and "w" (because both
yuuji@0	1046 \Answered and $MDNSent require "w" right).
yuuji@0	1047
yuuji@0	1048 Example 2: Mailbox "apple" allows "shared multiuser write access" and
yuuji@0	1049 implements \Seen system flag as shared flag. "Shared flag
yuuji@0	1050 rights" for the mailbox "apple" contains "s" right
yuuji@0	1051 because system flag \Seen requires "s" right.
yuuji@0	1052
yuuji@0	1053 Example 3: Mailbox "pear" allows "shared multiuser write access" and
yuuji@0	1054 implements flags \Seen, \Draft as shared flags. "Shared
yuuji@0	1055 flag rights" for the mailbox "apple" is a set containing
yuuji@0	1056 flags "s" (because system flag \Seen requires "s" right)
yuuji@0	1057 and "w" (because system flag \Draft requires "w" right).
yuuji@0	1058
yuuji@0	1059 The server MUST include a READ-ONLY response code in the tagged OK
yuuji@0	1060 response to a SELECT command if none of the following rights is
yuuji@0	1061 granted to the current user:
yuuji@0	1062
yuuji@0	1063
yuuji@0	1064
yuuji@0	1065
yuuji@0	1066 Melnikov Standards Track [Page 19]
yuuji@0	1067
yuuji@0	1068 RFC 4314 IMAP ACL December 2005
yuuji@0	1069
yuuji@0	1070
yuuji@0	1071 "i", "e", and "shared flag rights"(***).
yuuji@0	1072
yuuji@0	1073 The server SHOULD include a READ-WRITE response code in the tagged OK
yuuji@0	1074 response if at least one of the "i", "e", or "shared flag
yuuji@0	1075 rights"(***) is granted to the current user.
yuuji@0	1076
yuuji@0	1077 (***) Note that a future extension to this document can extend the
yuuji@0	1078 list of rights that causes the server to return the READ-WRITE
yuuji@0	1079 response code.
yuuji@0	1080
yuuji@0	1081 Example 1 (continued): The user that has "lrs" rights for the mailbox
yuuji@0	1082 "banan". The server returns READ-ONLY
yuuji@0	1083 response code on SELECT, as none of "iewt"
yuuji@0	1084 rights is granted to the user.
yuuji@0	1085
yuuji@0	1086 Example 2 (continued): The user that has "rit" rights for the mailbox
yuuji@0	1087 "apple". The server returns READ-WRITE
yuuji@0	1088 response code on SELECT, as the user has "i"
yuuji@0	1089 right.
yuuji@0	1090
yuuji@0	1091 Example 3 (continued): The user that has "rset" rights for the
yuuji@0	1092 mailbox "pear". The server returns READ-WRITE
yuuji@0	1093 response code on SELECT, as the user has "e"
yuuji@0	1094 and "s" rights.
yuuji@0	1095
yuuji@0	1096 6. Security Considerations
yuuji@0	1097
yuuji@0	1098 An implementation MUST make sure the ACL commands themselves do not
yuuji@0	1099 give information about mailboxes with appropriately restricted ACLs.
yuuji@0	1100 For example, when a user agent executes a GETACL command on a mailbox
yuuji@0	1101 that the user has no permission to LIST, the server would respond to
yuuji@0	1102 that request with the same error that would be used if the mailbox
yuuji@0	1103 did not exist, thus revealing no existence information, much less the
yuuji@0	1104 mailbox's ACL.
yuuji@0	1105
yuuji@0	1106 IMAP clients implementing ACL that are able to modify ACLs SHOULD
yuuji@0	1107 warn a user that wants to give full access (or even just the "a"
yuuji@0	1108 right) to the special identifier "anyone".
yuuji@0	1109
yuuji@0	1110 This document relies on [SASLprep] to describe steps required to
yuuji@0	1111 perform identifier canonicalization (preparation). The preparation
yuuji@0	1112 algorithm in SASLprep was specifically designed such that its output
yuuji@0	1113 is canonical, and it is well-formed. However, due to an anomaly
yuuji@0	1114 [PR29] in the specification of Unicode normalization, canonical
yuuji@0	1115 equivalence is not guaranteed for a select few character sequences.
yuuji@0	1116 Identifiers prepared with SASLprep can be stored and returned by an
yuuji@0	1117 ACL server. The anomaly affects ACL manipulation and evaluation of
yuuji@0	1118 identifiers containing the selected character sequences. These
yuuji@0	1119
yuuji@0	1120
yuuji@0	1121
yuuji@0	1122 Melnikov Standards Track [Page 20]
yuuji@0	1123
yuuji@0	1124 RFC 4314 IMAP ACL December 2005
yuuji@0	1125
yuuji@0	1126
yuuji@0	1127 sequences, however, do not appear in well-formed text. In order to
yuuji@0	1128 address this problem, an ACL server MAY reject identifiers containing
yuuji@0	1129 sequences described in [PR29] by sending the tagged BAD response.
yuuji@0	1130 This is in addition to the requirement to reject identifiers that
yuuji@0	1131 fail SASLprep preparation as described in Section 3.
yuuji@0	1132
yuuji@0	1133 Other security considerations described in [IMAP4] are relevant to
yuuji@0	1134 this document. In particular, ACL information is sent in the clear
yuuji@0	1135 over the network unless confidentiality protection is negotiated.
yuuji@0	1136
yuuji@0	1137 This can be accomplished either by the use of STARTTLS, negotiated
yuuji@0	1138 privacy protection in the AUTHENTICATE command, or some other
yuuji@0	1139 protection mechanism.
yuuji@0	1140
yuuji@0	1141 7. Formal Syntax
yuuji@0	1142
yuuji@0	1143 Formal syntax is defined using ABNF [ABNF], extending the ABNF rules
yuuji@0	1144 in Section 9 of [IMAP4]. Elements not defined here can be found in
yuuji@0	1145 [ABNF] and [IMAP4].
yuuji@0	1146
yuuji@0	1147 Except as noted otherwise, all alphabetic characters are case
yuuji@0	1148 insensitive. The use of uppercase or lowercase characters to define
yuuji@0	1149 token strings is for editorial clarity only. Implementations MUST
yuuji@0	1150 accept these strings in a case-insensitive fashion.
yuuji@0	1151
yuuji@0	1152 LOWER-ALPHA = %x61-7A ;; a-z
yuuji@0	1153
yuuji@0	1154 acl-data = "ACL" SP mailbox *(SP identifier SP
yuuji@0	1155 rights)
yuuji@0	1156
yuuji@0	1157 capability =/ rights-capa
yuuji@0	1158 ;;capability is defined in [IMAP4]
yuuji@0	1159
yuuji@0	1160 command-auth =/ setacl / deleteacl / getacl /
yuuji@0	1161 listrights / myrights
yuuji@0	1162 ;;command-auth is defined in [IMAP4]
yuuji@0	1163
yuuji@0	1164 deleteacl = "DELETEACL" SP mailbox SP identifier
yuuji@0	1165
yuuji@0	1166 getacl = "GETACL" SP mailbox
yuuji@0	1167
yuuji@0	1168 identifier = astring
yuuji@0	1169
yuuji@0	1170 listrights = "LISTRIGHTS" SP mailbox SP identifier
yuuji@0	1171
yuuji@0	1172 listrights-data = "LISTRIGHTS" SP mailbox SP identifier
yuuji@0	1173 SP rights *(SP rights)
yuuji@0	1174
yuuji@0	1175
yuuji@0	1176
yuuji@0	1177
yuuji@0	1178 Melnikov Standards Track [Page 21]
yuuji@0	1179
yuuji@0	1180 RFC 4314 IMAP ACL December 2005
yuuji@0	1181
yuuji@0	1182
yuuji@0	1183 mailbox-data =/ acl-data / listrights-data / myrights-data
yuuji@0	1184 ;;mailbox-data is defined in [IMAP4]
yuuji@0	1185
yuuji@0	1186 mod-rights = astring
yuuji@0	1187 ;; +rights to add, -rights to remove
yuuji@0	1188 ;; rights to replace
yuuji@0	1189
yuuji@0	1190 myrights = "MYRIGHTS" SP mailbox
yuuji@0	1191
yuuji@0	1192 myrights-data = "MYRIGHTS" SP mailbox SP rights
yuuji@0	1193
yuuji@0	1194 new-rights = 1*LOWER-ALPHA
yuuji@0	1195 ;; MUST include "t", "e", "x", and "k".
yuuji@0	1196 ;; MUST NOT include standard rights listed
yuuji@0	1197 ;; in section 2.2
yuuji@0	1198
yuuji@0	1199 rights = astring
yuuji@0	1200 ;; only lowercase ASCII letters and digits
yuuji@0	1201 ;; are allowed.
yuuji@0	1202
yuuji@0	1203 rights-capa = "RIGHTS=" new-rights
yuuji@0	1204 ;; RIGHTS=... capability
yuuji@0	1205
yuuji@0	1206 setacl = "SETACL" SP mailbox SP identifier
yuuji@0	1207 SP mod-rights
yuuji@0	1208
yuuji@0	1209 8. IANA Considerations
yuuji@0	1210
yuuji@0	1211 IMAP4 capabilities are registered by publishing a standards-track or
yuuji@0	1212 IESG-approved experimental RFC. The registry is currently located
yuuji@0	1213 at:
yuuji@0	1214
yuuji@0	1215 http://www.iana.org/assignments/imap4-capabilities
yuuji@0	1216
yuuji@0	1217 This document defines the RIGHTS= IMAP capability. IANA has added
yuuji@0	1218 this capability to the registry.
yuuji@0	1219
yuuji@0	1220 9. Internationalization Considerations
yuuji@0	1221
yuuji@0	1222 Section 3 states requirements on servers regarding
yuuji@0	1223 internationalization of identifiers.
yuuji@0	1224
yuuji@0	1225
yuuji@0	1226
yuuji@0	1227
yuuji@0	1228
yuuji@0	1229
yuuji@0	1230
yuuji@0	1231
yuuji@0	1232
yuuji@0	1233
yuuji@0	1234 Melnikov Standards Track [Page 22]
yuuji@0	1235
yuuji@0	1236 RFC 4314 IMAP ACL December 2005
yuuji@0	1237
yuuji@0	1238
yuuji@0	1239 Appendix A. Changes since RFC 2086
yuuji@0	1240
yuuji@0	1241 1. Changed the charset of "identifier" from US-ASCII to UTF-8.
yuuji@0	1242 2. Specified that mailbox deletion is controlled by the "x" right
yuuji@0	1243 and EXPUNGE is controlled by the "e" right.
yuuji@0	1244 3. Added the "t" right that controls STORE \Deleted. Redefined the
yuuji@0	1245 "d" right to be a macro for "e", "t", and possibly "x".
yuuji@0	1246 4. Added the "k" right that controls CREATE. Redefined the "c"
yuuji@0	1247 right to be a macro for "k" and possibly "x".
yuuji@0	1248 5. Specified that the "a" right also controls DELETEACL.
yuuji@0	1249 6. Specified that the "r" right also controls STATUS.
yuuji@0	1250 7. Removed the requirement to check the "r" right for CHECK, SEARCH
yuuji@0	1251 and FETCH, as this is required for SELECT/EXAMINE to be
yuuji@0	1252 successful.
yuuji@0	1253 8. LISTRIGHTS requires the "a" right on the mailbox (same as
yuuji@0	1254 SETACL).
yuuji@0	1255 9. Deleted "PARTIAL", this is a deprecated feature of RFC 1730.
yuuji@0	1256 10. Specified that the "w" right controls setting flags other than
yuuji@0	1257 \Seen and \Deleted on APPEND. Also specified that the "s" right
yuuji@0	1258 controls the \Seen flag and that the "t" right controls the
yuuji@0	1259 \Deleted flag.
yuuji@0	1260 11. Specified that SUBSCRIBE is NOT allowed with the "r" right.
yuuji@0	1261 12. Specified that the "l" right controls SUBSCRIBE.
yuuji@0	1262 13. GETACL is NOT allowed with the "r" right, even though there are
yuuji@0	1263 several implementations that allows that. If a user only has
yuuji@0	1264 "r" right, GETACL can disclose information about identifiers
yuuji@0	1265 existing on the mail system.
yuuji@0	1266 14. Clarified that RENAME requires the "k" right for the new parent
yuuji@0	1267 and the "x" right for the old name.
yuuji@0	1268 15. Added new section that describes which rights are required
yuuji@0	1269 and/or checked when performing various IMAP commands.
yuuji@0	1270 16. Added mail client security considerations when dealing with
yuuji@0	1271 special identifier "anyone".
yuuji@0	1272 17. Clarified that negative rights are not the same as DELETEACL.
yuuji@0	1273 18. Added "Compatibility with RFC 2086" section.
yuuji@0	1274 19. Added section about mapping of ACL rights to READ-WRITE and
yuuji@0	1275 READ-ONLY response codes.
yuuji@0	1276 20. Changed BNF to ABNF.
yuuji@0	1277 21. Added "Implementation Notes" section.
yuuji@0	1278 22. Updated "References" section.
yuuji@0	1279 23. Added more examples.
yuuji@0	1280 24. Clarified when the virtual "c" and "d" rights are returned in
yuuji@0	1281 ACL, MYRIGHTS, and LISTRIGHTS responses.
yuuji@0	1282
yuuji@0	1283
yuuji@0	1284
yuuji@0	1285
yuuji@0	1286
yuuji@0	1287
yuuji@0	1288
yuuji@0	1289
yuuji@0	1290 Melnikov Standards Track [Page 23]
yuuji@0	1291
yuuji@0	1292 RFC 4314 IMAP ACL December 2005
yuuji@0	1293
yuuji@0	1294
yuuji@0	1295 Appendix B. Compatibility with RFC 2086
yuuji@0	1296
yuuji@0	1297 This non-normative section gives guidelines as to how an existing RFC
yuuji@0	1298 2086 server implementation may be updated to comply with this
yuuji@0	1299 document.
yuuji@0	1300
yuuji@0	1301 This document splits the "d" right into several new different rights:
yuuji@0	1302 "t", "e", and possibly "x" (see Section 2.1.1 for more details). The
yuuji@0	1303 "d" right remains for backward-compatibility, but it is a virtual
yuuji@0	1304 right. There are two approaches for RFC 2086 server implementors to
yuuji@0	1305 handle the "d" right and the new rights that have replaced it:
yuuji@0	1306
yuuji@0	1307 a. Tie "t", "e" (and possibly "x) together - almost no changes.
yuuji@0	1308 b. Implement separate "x", "t" and "e". Return the "d" right in a
yuuji@0	1309 MYRIGHTS response or an ACL response containing ACL information
yuuji@0	1310 when any of the "t", "e" (and "x") is granted.
yuuji@0	1311
yuuji@0	1312 In a similar manner this document splits the "c" right into several
yuuji@0	1313 new different rights: "k" and possibly "x" (see Section 2.1.1 for
yuuji@0	1314 more details). The "c" right remains for backwards-compatibility but
yuuji@0	1315 it is a virtual right. Again, RFC 2086 server implementors can
yuuji@0	1316 choose to tie rights or to implement separate rights, as described
yuuji@0	1317 above.
yuuji@0	1318
yuuji@0	1319 Also check Sections 5.1.1 and 5.1.2, as well as Appendix A, to see
yuuji@0	1320 other changes required. Server implementors should check which
yuuji@0	1321 rights are required to invoke different IMAP4 commands as described
yuuji@0	1322 in Section 4.
yuuji@0	1323
yuuji@0	1324 Appendix C. Known Deficiencies
yuuji@0	1325
yuuji@0	1326 This specification has some known deficiencies including:
yuuji@0	1327
yuuji@0	1328 1. This is inadequate to provide complete read-write access to
yuuji@0	1329 mailboxes protected by Unix-style rights bits because there is no
yuuji@0	1330 equivalent to "chown" and "chgrp" commands nor is there a good
yuuji@0	1331 way to discover such limitations are present.
yuuji@0	1332 2. Because this extension leaves the specific semantics of how
yuuji@0	1333 rights are combined by the server as implementation defined, the
yuuji@0	1334 ability to build a user-friendly interface is limited.
yuuji@0	1335 3. Users, groups, and special identifiers (e.g., anyone) exist in
yuuji@0	1336 the same namespace.
yuuji@0	1337
yuuji@0	1338 The work-in-progress "ACL2" extension is intended to redesign this
yuuji@0	1339 extension to address these deficiencies without the constraint of
yuuji@0	1340 backward-compatibility and may eventually supercede this facility.
yuuji@0	1341
yuuji@0	1342
yuuji@0	1343
yuuji@0	1344
yuuji@0	1345
yuuji@0	1346 Melnikov Standards Track [Page 24]
yuuji@0	1347
yuuji@0	1348 RFC 4314 IMAP ACL December 2005
yuuji@0	1349
yuuji@0	1350
yuuji@0	1351 However, RFC 2086 is deployed in multiple implementations so this
yuuji@0	1352 intermediate step, which fixes the straightforward deficiencies in a
yuuji@0	1353 backward-compatible fashion, is considered worthwhile.
yuuji@0	1354
yuuji@0	1355 Appendix D. Acknowledgements
yuuji@0	1356
yuuji@0	1357 This document is a revision of RFC 2086 written by John G. Myers.
yuuji@0	1358
yuuji@0	1359 Editor appreciates comments received from Mark Crispin, Chris Newman,
yuuji@0	1360 Cyrus Daboo, John G. Myers, Dave Cridland, Ken Murchison, Steve Hole,
yuuji@0	1361 Vladimir Butenko, Larry Greenfield, Robert Siemborski, Harrie
yuuji@0	1362 Hazewinkel, Philip Guenther, Brian Candler, Curtis King, Lyndon
yuuji@0	1363 Nerenberg, Lisa Dusseault, Arnt Gulbrandsen, and other participants
yuuji@0	1364 of the IMAPEXT working group.
yuuji@0	1365
yuuji@0	1366 Normative References
yuuji@0	1367
yuuji@0	1368 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
yuuji@0	1369 Requirement Levels", BCP 14, RFC 2119, March 1997.
yuuji@0	1370
yuuji@0	1371 [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
yuuji@0	1372 Specifications: ABNF", RFC 4234, October 2005.
yuuji@0	1373
yuuji@0	1374 [IMAP4] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
yuuji@0	1375 4rev1", RFC 3501, March 2003.
yuuji@0	1376
yuuji@0	1377 [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO
yuuji@0	1378 10646", STD 63, RFC 3629, November 2003.
yuuji@0	1379
yuuji@0	1380 [Stringprep] Hoffman, P. and M. Blanchet, "Preparation of
yuuji@0	1381 Internationalized Strings ("stringprep")", RFC 3454,
yuuji@0	1382 December 2002.
yuuji@0	1383
yuuji@0	1384 [SASLprep] Zeilenga, K., "SASLprep: Stringprep Profile for User
yuuji@0	1385 Names and Passwords", RFC 4013, February 2005.
yuuji@0	1386
yuuji@0	1387 Informative References
yuuji@0	1388
yuuji@0	1389 [RFC2086] Myers, J., "IMAP4 ACL extension", RFC 2086,
yuuji@0	1390 January 1997.
yuuji@0	1391
yuuji@0	1392 [PR29] "Public Review Issue #29: Normalization Issue",
yuuji@0	1393 February 2004,
yuuji@0	1394 <http://www.unicode.org/review/pr-29.html>.
yuuji@0	1395
yuuji@0	1396
yuuji@0	1397
yuuji@0	1398
yuuji@0	1399
yuuji@0	1400
yuuji@0	1401
yuuji@0	1402 Melnikov Standards Track [Page 25]
yuuji@0	1403
yuuji@0	1404 RFC 4314 IMAP ACL December 2005
yuuji@0	1405
yuuji@0	1406
yuuji@0	1407 Author's Address
yuuji@0	1408
yuuji@0	1409 Alexey Melnikov
yuuji@0	1410 Isode Ltd.
yuuji@0	1411 5 Castle Business Village
yuuji@0	1412 36 Station Road
yuuji@0	1413 Hampton, Middlesex TW12 2BX
yuuji@0	1414 GB
yuuji@0	1415
yuuji@0	1416 EMail: alexey.melnikov@isode.com
yuuji@0	1417
yuuji@0	1418
yuuji@0	1419
yuuji@0	1420
yuuji@0	1421
yuuji@0	1422
yuuji@0	1423
yuuji@0	1424
yuuji@0	1425
yuuji@0	1426
yuuji@0	1427
yuuji@0	1428
yuuji@0	1429
yuuji@0	1430
yuuji@0	1431
yuuji@0	1432
yuuji@0	1433
yuuji@0	1434
yuuji@0	1435
yuuji@0	1436
yuuji@0	1437
yuuji@0	1438
yuuji@0	1439
yuuji@0	1440
yuuji@0	1441
yuuji@0	1442
yuuji@0	1443
yuuji@0	1444
yuuji@0	1445
yuuji@0	1446
yuuji@0	1447
yuuji@0	1448
yuuji@0	1449
yuuji@0	1450
yuuji@0	1451
yuuji@0	1452
yuuji@0	1453
yuuji@0	1454
yuuji@0	1455
yuuji@0	1456
yuuji@0	1457
yuuji@0	1458 Melnikov Standards Track [Page 26]
yuuji@0	1459
yuuji@0	1460 RFC 4314 IMAP ACL December 2005
yuuji@0	1461
yuuji@0	1462
yuuji@0	1463 Full Copyright Statement
yuuji@0	1464
yuuji@0	1465 Copyright (C) The Internet Society (2005).
yuuji@0	1466
yuuji@0	1467 This document is subject to the rights, licenses and restrictions
yuuji@0	1468 contained in BCP 78, and except as set forth therein, the authors
yuuji@0	1469 retain all their rights.
yuuji@0	1470
yuuji@0	1471 This document and the information contained herein are provided on an
yuuji@0	1472 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
yuuji@0	1473 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
yuuji@0	1474 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
yuuji@0	1475 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
yuuji@0	1476 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
yuuji@0	1477 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
yuuji@0	1478
yuuji@0	1479 Intellectual Property
yuuji@0	1480
yuuji@0	1481 The IETF takes no position regarding the validity or scope of any
yuuji@0	1482 Intellectual Property Rights or other rights that might be claimed to
yuuji@0	1483 pertain to the implementation or use of the technology described in
yuuji@0	1484 this document or the extent to which any license under such rights
yuuji@0	1485 might or might not be available; nor does it represent that it has
yuuji@0	1486 made any independent effort to identify any such rights. Information
yuuji@0	1487 on the procedures with respect to rights in RFC documents can be
yuuji@0	1488 found in BCP 78 and BCP 79.
yuuji@0	1489
yuuji@0	1490 Copies of IPR disclosures made to the IETF Secretariat and any
yuuji@0	1491 assurances of licenses to be made available, or the result of an
yuuji@0	1492 attempt made to obtain a general license or permission for the use of
yuuji@0	1493 such proprietary rights by implementers or users of this
yuuji@0	1494 specification can be obtained from the IETF on-line IPR repository at
yuuji@0	1495 http://www.ietf.org/ipr.
yuuji@0	1496
yuuji@0	1497 The IETF invites any interested party to bring to its attention any
yuuji@0	1498 copyrights, patents or patent applications, or other proprietary
yuuji@0	1499 rights that may cover technology that may be required to implement
yuuji@0	1500 this standard. Please address the information to the IETF at ietf-
yuuji@0	1501 ipr@ietf.org.
yuuji@0	1502
yuuji@0	1503 Acknowledgement
yuuji@0	1504
yuuji@0	1505 Funding for the RFC Editor function is currently provided by the
yuuji@0	1506 Internet Society.
yuuji@0	1507
yuuji@0	1508
yuuji@0	1509
yuuji@0	1510
yuuji@0	1511
yuuji@0	1512
yuuji@0	1513
yuuji@0	1514 Melnikov Standards Track [Page 27]
yuuji@0	1515