On Oct 23, 2008, at 9:18 AM, Elwell, John wrote:
I need a decision on one outstanding issue. We previously agreed that PAI could be used in any request. We recently agreed to removespecification of PAI in responses because there is no standardised meansof authenticating a UAS. Brett Tate pointed out that likewise there is no standardised means of authenticating a UAC when it sends CANCEL or ACK (these cannot be challenged, and cannot be rejected ifauthentication is wrong). I have so far received no further opinions onthis. To be consistent I believe we have to make exceptions of CANCEL and ACK and say that PAI cannot be used with these methods. If I receive no objections by 26th October I will update the draft on 27th.
The problems is that some network architectures DO allow authentication of both responses and CANCEL/ACK.
PAI is quite widely used in those networks. In fact, it came to us as a P-header for use specifically in those networks.
What is probably needed is an applicability statement that explains the environment in which PAI is usable in "digest authenticable requests" , and goes on to explain the environment in which PAI is usable in other requests and responses.
-- Dean _______________________________________________ Sipping mailing list https://www.ietf.org/mailman/listinfo/sipping This list is for NEW development of the application of SIP Use sip-implementors at cs.columbia.edu for questions on current sip Use sip at ietf.org for new developments of core SIP