Re: [Sip] Question regarding draft-dotson-sip-mutual-auth-03
Nils,
In the case you describe, the UAC cannot trust the response. So it can
take actions similar to when it does not receive a valid response: e.g.,
it can reasonably retry, log the error, and/or any other appropriate
behavior specified by the architecture.
RFC3261 supports the Authentication-Info header (used in registration)
and not the Proxy-Authentication-Info header, which is why this I-D was
authored in the first place. The reference was to ensure that the
behavior is kept consistent, and available irrespective of registration
and non-registration messages.
In any case, please refer to the following small thread (3 emails) for
the feedback I received during offline discussions at the last IETF:
http://www.ietf.org/mail-archive/web/sip/current/msg25882.html
- S
-----Original Message-----
From: Nils Ohlmeier [mailto:lists at ohlmeier.org]
Sent: Thursday, March 12, 2009 12:50 PM
To: sip at ietf.org
Cc: steve.dotson at cox.com; Stuart Hoggan; Sumanth Channabasappa
Subject: Question regarding draft-dotson-sip-mutual-auth-03
Hello,
After reading the mutual auth draft:
http://tools.ietf.org/id/draft-dotson-sip-mutual-auth-03.txt
I have an open question:
What should the client do if the server sends authentication information
in a Proxy-Authentication-Info header back in, let's say, a 200 response,
but when the client computes the response it comes to a different result
(e.g. because a man in the middle changed something in the messages)?
In chapter 5 of your draft you are simply referring to RFC3261 for more
details regarding the implementation of the UAC. But I failed to find any
information about the UAC handling of this header in 3261. Even RFC2617
gives no hints, at least I did not find any, about what a client should do
when the server authentication fails.
So it is probably not your fault, but still an interesting question, I
think. Especially because the client has already sent its credentials when
the check of the server authentication fails.
Best regards
Nils Ohlmeier
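As an added illustration of the check Nils asks about and the handling Sumanth describes (this is example code, not from the draft or either poster): a UAC-side verification of Proxy-Authentication-Info that recomputes the RFC 2617 response-digest (rspauth) from the credentials and the nonce/nc/cnonce the client sent, assuming qop=auth and algorithm=MD5; a missing header, a cnonce/nc that was not echoed, or a digest mismatch is logged and the response treated as untrusted. The credential and nonce values are constructed samples.

```python
import hashlib
import hmac
import logging
import re

log = logging.getLogger("sip.mutual-auth")


def _h(s: str) -> str:
    """H() of RFC 2617 for algorithm=MD5, as a lowercase hex string."""
    return hashlib.md5(s.encode()).hexdigest()


def expected_rspauth(username, realm, password, nonce, nc, cnonce, qop, digest_uri):
    """RFC 2617 response-digest: computed like the request digest, except that
    for qop=auth A2 is ":" digest-uri-value, i.e. the method is left empty."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f":{digest_uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_auth_info(value):
    """Split the comma-separated auth-params of a (Proxy-)Authentication-Info value."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)}


def server_authenticated(response_headers, creds, sent):
    """Return True only if the response carries a Proxy-Authentication-Info whose
    rspauth matches the value the UAC computes for the cnonce/nc it sent.
    Any other outcome is logged and the response is treated as untrusted, so the
    caller can retry or fail just as it would without a valid response."""
    value = response_headers.get("proxy-authentication-info")
    if value is None:
        log.error("no Proxy-Authentication-Info in response; cannot trust it")
        return False
    p = parse_auth_info(value)
    if p.get("cnonce") != sent["cnonce"] or p.get("nc") != sent["nc"]:
        log.error("Proxy-Authentication-Info echoes a cnonce/nc this UAC did not send")
        return False
    want = expected_rspauth(creds["username"], creds["realm"], creds["password"],
                            sent["nonce"], sent["nc"], sent["cnonce"],
                            sent["qop"], sent["uri"])
    # Constant-time compare; rspauth is the server's proof of knowing the password.
    if not hmac.compare_digest(want, p.get("rspauth", "")):
        log.error("rspauth mismatch: response may have been altered in transit")
        return False
    return True
```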