Well, the SIP RFC allows for User-to-User Authentication: RFC 3261, sec. 22.2.
This can be used in applications where UASs at the user agent level will
not accept any calls other than from a number of trusted originators.
Credential validation can be implemented with a central
provisioning/data server outside the scope of SIP, for example. The
provisioning server will provision the user agents with its credentials,
and when a UAS receives an INVITE with an Authorization header, it can do a
backend query to the data server to validate the credential.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Uttam Kumar Sarkar
Sent: Thursday, August 10, 2006 1:45 PM
To: Anish George; [email protected]
Subject: Re: [Sip-implementors] User-to-User Authentication

I don't see any specific application where a UA can verify other UAs'
credentials.
Generally a Registrar or B2BUA or Proxy can have stored credentials for
their UAs to verify those UAs' credentials.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Anish George
Sent: Thursday, August 10, 2006 6:51 AM
To: [email protected]
Subject: [Sip-implementors] User-to-User Authentication


Hi Guys,

I have a doubt about User-to-User Authentication.

If a UAS wants to challenge any request from a peer, I believe it can send
a 401 Unauthorized response with a WWW-Authenticate header.
Once the UAC has added its credentials in the next request, how does a UAS
verify them?

Typically, the UAC generates credentials with its username and password,
which are known only to the UAC and the Registrar/Proxy.
But how does a UAS, being a UA, verify whether the credentials supplied
are correct?

        INVITE
UAC --------------------> UAS

        401 Unauthorized (with WWW-Authenticate header)
UAC <-------------------- UAS

        INVITE (with credentials in Authorization header)
UAC --------------------> UAS

        Now, how does the UAS verify the credentials and authenticate
        the request?

I believe the username and password cannot be shared with the other UAs.

Can anybody throw some light on this? Is anything wrong in my
understanding?
Are there any standards (RFCs) which talk about User-to-User
Authentication?

I would appreciate any information you can provide on this issue.

Thanks
Anish
_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
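
An added example, not part of the original thread, of the backend-validated check the top reply describes: a UAS verifying the Digest response in an INVITE's Authorization header (RFC 2617 Digest, the scheme RFC 3261 section 22 adopts). It assumes the data server hands out H(A1) rather than the password; `lookup_ha1`, the realm, the user and the nonce set are constructed for illustration.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

# Constructed stand-in for the provisioning/data server. Assumption: it stores
# HA1 = MD5(username:realm:password), so the UAS never handles a password.
PROVISIONED_HA1 = {
    ("alice", "uas.example.invalid"): md5_hex("alice:uas.example.invalid:s3cret"),
}

def lookup_ha1(username, realm):
    """Hypothetical backend query; None means 'not a trusted originator'."""
    return PROVISIONED_HA1.get((username, realm))

def parse_digest(header_value):
    """Parse 'Digest k="v", k2=v2' into a dict; None for other schemes."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def expected_response(ha1, method, p):
    """RFC 2617 request-digest, with and without qop=auth."""
    ha2 = md5_hex(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":
        return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")

def verify_request(method, authorization, issued_nonces):
    """True only if the header's response matches the provisioned HA1."""
    p = parse_digest(authorization)
    required = {"username", "realm", "nonce", "uri", "response"}
    if not p or not required <= p.keys():
        return False
    if p.get("qop") == "auth" and not {"nc", "cnonce"} <= p.keys():
        return False
    if p["nonce"] not in issued_nonces:   # nonce must come from this UAS's own 401
        return False
    ha1 = lookup_ha1(p["username"], p["realm"])
    if ha1 is None:                       # originator was never provisioned
        return False
    want = expected_response(ha1, method, p)
    return hmac.compare_digest(want, p["response"].lower())
```

The UAS adds each nonce it sends in a 401 to `issued_nonces` and should expire them, so a captured Authorization header cannot be replayed indefinitely.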
