[Devel] "SIP identity" module
Klaus Darilion
klaus.mailinglists at pernau.at
Mon May 14 12:25:29 CEST 2007
The module is both: an authentication service and a verifier.

The verifier will verify the signature. As this should be done before
manipulating the request there is no problem.

The authentication service adds the signature on behalf of the user.
Thus, here message manipulation matters.

btw: I also came across a problem if a client does verification too:

alice---atlanta-proxy---------biloxi-proxy---bob

Atlanta proxy will add the signature on behalf of alice. If this is done
after NAT traversal there is no problem.

Biloxi receives the request, can perform signature validation, and if
the signature is fine forwards the request to bob. If biloxi proxy
activates an RTP proxy, then bob can't validate the signature any more.

regards
klaus

Bogdan-Andrei Iancu wrote:
> Hi Klaus,
>
> do you have any idea if the module is for implementing server auth or
> also for client auth (for proxy 2 proxy scenarios)?
>
> if it's only for client-server auth, we do not care about changes...
>
> regards,
> bogdan
>
> Klaus Darilion wrote:
>>
>> Juha Heinanen wrote:
>>> Henning Westerholt writes:
>>>
>>> > Does this block the inclusion of the module in the trunk?
>>>
>>> not necessarily if someone thinks that he/she needs this module even
>>> if it doesn't work with nathelper or this someone is willing to fix the
>>> module so that it does start working with nathelper.
>>>
>>> taking a quick look at the rfc, i didn't see any other showstoppers for
>>> identity digest calculation except message body.
>>
>> The digest also includes Contact header and Date header. Thus, in most
>> cases the digest can't be added immediately - only by looping the
>> message back to openser after applying the message manipulations.
>>
>
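
Added example (not part of the original thread and not code from the OpenSER module): assuming the RFC discussed above is RFC 4474, this sketch builds its digest-string and shows which signed field no longer matches when a downstream RTP proxy rewrites the SDP, or when Contact is fixed up after signing. The addresses, field values and the rtp_proxy_rewrite helper are constructed for illustration; the RSA step is left out and only the SHA-1 hash that would be signed is compared.

```python
import hashlib

# RFC 4474 digest-string field order (assumed to be the RFC the thread refers to).
FIELDS = ("from", "to", "call-id", "cseq", "date", "contact", "body")

# Constructed request as the atlanta proxy signs it, after NAT traversal.
SIGNED = {
    "from": "sip:alice@atlanta.example.com",
    "to": "sip:bob@biloxi.example.org",
    "call-id": "a84b4c76e66710",
    "cseq": "314159 INVITE",
    "date": "Mon, 14 May 2007 10:25:29 GMT",
    "contact": "sip:alice@192.0.2.10:5060",
    "body": "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
            "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n",
}

def digest_string(msg):
    """Join the seven signed fields with '|' as RFC 4474 specifies."""
    return "|".join(msg[f] for f in FIELDS)

def digest(msg):
    """SHA-1 over the digest-string; the real service RSA-signs this hash."""
    return hashlib.sha1(digest_string(msg).encode("utf-8")).hexdigest()

def verify(signed_digest, received):
    """Verifier side: recompute the hash over the message as it arrived."""
    return digest(received) == signed_digest

def changed_fields(signed, received):
    """Digest-string fields that differ between signing and verification."""
    return [f for f in FIELDS if signed[f] != received[f]]

def rtp_proxy_rewrite(msg, relay_ip, relay_port):
    """Hypothetical stand-in for an RTP proxy: point c= and m=audio at a relay."""
    out = []
    for line in msg["body"].split("\r\n"):
        if line.startswith("c=IN IP4 "):
            line = "c=IN IP4 " + relay_ip
        elif line.startswith("m=audio "):
            parts = line.split(" ")
            parts[1] = str(relay_port)
            line = " ".join(parts)
        out.append(line)
    return dict(msg, body="\r\n".join(out))

if __name__ == "__main__":
    sig = digest(SIGNED)
    at_bob = rtp_proxy_rewrite(SIGNED, "198.51.100.7", 35000)
    print("biloxi verifies:", verify(sig, SIGNED))
    print("bob verifies:", verify(sig, at_bob), changed_fields(SIGNED, at_bob))
```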