[Serusers] Questions about domain field in Proxy-Authenticate

Jan Janak jan at iptel.org
Mon May 30 19:38:55 CEST 2005 

>From RFC2617:

   domain
        A quoted, space-separated list of URIs, as specified in RFC XURI
	[7], that define the protection space.  If a URI is an
	abs_path, it is relative to the canonical root URL (see section 1.2
        above) of the server being accessed. An absoluteURI in this
        list may refer to a different server than the one being accessed. 
	The client can use this list to determine the set of URIs for which 
	the same authentication information may be sent: any URI that has a 
	URI in this list as a prefix (after both have been made absolute)
	may be assumed to be in the same protection space. If this directive 
	is omitted or its value is empty, the client should assume that the
	protection space consists of all URIs on the responding server.

        This directive is not meaningful in Proxy-Authenticate headers, for
        which the protection space is always the entire proxy; if present
       it should be ignored.

So a proxy server can restrict the set of URIs to which the credentials
can be applied even more -- SER does not support this parameter and I
have never seen any user agent that would support it.

  Jan.

On 24-05-2005 10:25, Paul Belanger wrote:
> >From RFC3261:
> 
> 20.27 Proxy-Authenticate
> 
>    A Proxy-Authenticate header field value contains an authentication
>    challenge.
> 
>    The use of this header field is defined in [H14.33].  See Section
>    22.3 for further details on its usage.
> 
>    Example:
> 
>       Proxy-Authenticate: Digest realm="atlanta.com",
>        domain="sip:ss1.carrier.com", qop="auth",
>        nonce="f84f1cec41e6cbe5aea9c8e88d359",
>        opaque="", stale=FALSE, algorithm=MD5
> 
> My question revolves around the domain="sip:ss1.carrier.com" field.  I notice that SER does not
> use the option, however I have another proxy that does.  I have searched for information about
> this field, but not able to get the information I need.  Why would you use a realm and domain
> field at the same time?  Is 1 preferred to another?  Should both be used?
> 
> Any help would be great.
> 
> PB
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers

More information about the sr-users mailing list