Comments inline...

Thanks & Regards,
Nataraju A.B.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:sip-implementors-
> [EMAIL PROTECTED] On Behalf Of Scott Lawrence
> Sent: Sunday, June 18, 2006 3:27 AM
> To: Clinkert Jack-G3295C
> Cc: [email protected]
> Subject: Re: [Sip-implementors] SIP authentication credentials
>
> On Fri, 2006-06-16 at 14:14 -0500, Clinkert Jack-G3295C wrote:
> > Are SIP authentication credentials typically cached across multiple
> > dialogs? Seems (to me anyway) that RFC 3261 is vague on the subject.
> > It is talked about in Section 22.2:
> >
> > Once authentication credentials have been supplied
> > (either directly by the user, or discovered in an internal keyring),
> > UAs SHOULD cache the credentials for a given value of the To header
> > field and "realm" and attempt to re-use these values on the next
> > request for that destination. UAs MAY cache credentials in any way
> > they would like.
> >
> >
> > Seems the benefit to cache credentials across multiple dialogs is to
> > reduce traffic (can avoid the challenge/response messaging). Seems a
> > drawback is that the "copy attack" risk associated with digest
> > authentication is increased however. In other words, the longer cached
> > credentials are allowed to be used, the greater the availability for an
> > attacker to use them.
>
> Caching the credentials refers to not prompting the user for them -
> something few UAs do anyway. Whether or not you must provide an
> Authorization or Proxy-Authorization header in any given request is
> purely up to the server. Once you have a challenge, there is nothing to
> prevent you from preemptively inserting the authorization in subsequent
> messages in the dialog to prevent the extra round-trip. Whether or not
> the server will accept those (when it decides to send you a new nonce)
> is up to the server.
>

[ABN] Any client/server can decide to cache the credentials for some duration to challenge/response due to authentication procedures.

I personally feel it's better to cache the credentials for a short duration. Hence we can reduce the request/response transactions if the messaging happens very often. Once the time has expired, that set of credentials becomes stale; after that, messages would be authenticated as new requests. Just for instance, assume an (OMA POC) client is synchronizing with a server; this generates a series of HTTP requests. If the credentials were cached, then it reduces a large % of messaging.

> --
> Scott Lawrence tel:+1-781-938-5306;ext=162 or sip:[EMAIL PROTECTED]
> sipXpbx project coordinator - SIPfoundry http://www.sipfoundry.org/sipX
> Chief Architect - Pingtel Corp. http://www.pingtel.com/
>
>
> _______________________________________________
> Sip-implementors mailing list
> [email protected]
> https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
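
An added example, not part of the original thread: a sketch of the short-lived credential cache discussed above, keyed by To URI and realm as in the quoted RFC 3261 text, that builds a preemptive Authorization value and drops the entry once its lifetime ends. It assumes RFC 2617 digest with qop=auth and MD5; the class name, TTL and sample URIs are hypothetical.

```python
import hashlib
import secrets
import time

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

class DigestCache:
    """Hypothetical client-side cache keyed by (To URI, realm) with a short lifetime."""
    def __init__(self, ttl_seconds=30.0, clock=time.monotonic):
        self.ttl, self.clock, self.entries = ttl_seconds, clock, {}

    def store(self, to_uri, realm, username, password, nonce):
        # Keep HA1 rather than the password, so the cache never holds the cleartext secret.
        ha1 = md5_hex(f"{username}:{realm}:{password}")
        self.entries[(to_uri, realm)] = {
            "user": username, "ha1": ha1, "nonce": nonce,
            "nc": 0, "expires": self.clock() + self.ttl,
        }

    def authorization(self, to_uri, realm, method, uri, cnonce):
        """Return a preemptive Authorization value, or None if nothing usable is cached."""
        key = (to_uri, realm)
        e = self.entries.get(key)
        if e is None or self.clock() >= e["expires"]:
            self.entries.pop(key, None)  # expired: send without credentials, await a new challenge
            return None
        e["nc"] += 1                     # a rising nonce count lets the server reject replayed headers
        nc = f"{e['nc']:08x}"
        ha2 = md5_hex(f"{method}:{uri}")
        resp = md5_hex(f"{e['ha1']}:{e['nonce']}:{nc}:{cnonce}:auth:{ha2}")
        return (f'Digest username="{e["user"]}", realm="{realm}", nonce="{e["nonce"]}", '
                f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    cache = DigestCache(ttl_seconds=30)
    cache.store("sip:bob@example.com", "example.com", "alice",
                "constructed-secret", "constructed-nonce-1")
    for _ in range(2):
        print(cache.authorization("sip:bob@example.com", "example.com",
                                  "INVITE", "sip:bob@example.com", secrets.token_hex(8)))
```

Whether the server accepts a reused nonce is still its decision; on a fresh challenge the client would call `store` again with the new nonce.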
