Sorry, I think you are right.
The UA has to send 2 Proxy-Authorization headers and so has to store some
information to reproduce the first Proxy-Authorization.

I think you would always need to send all the Proxy-Authorization headers
since if both proxies were stateless they wouldn't work.  For example, if you
only sent the authorization header for proxy2 and proxy1 was stateless, all
that you'd get is proxy1 re-challenging for authorization again.  So you need
them both.

I guess it may also be theoretically (and maybe not in practice) possible to get
2 Proxy-Authenticate headers, in which case you'd recalculate both and
send 2 new Proxy-Authorization headers.
 
Regards,
Attila
 

        -----Original Message----- 
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
        Sent: Wed 24/01/2007 22:40 
        To: Attila Sipos 
        Cc: SIP Implementors 
        Subject: RE: [Sip-implementors] Regarding authentication
        
        

        But as per the Section 3.3 flow of RFC 3665, the second 407 contains
        only one Proxy-Authenticate header and not two headers, so how will
        the UA know that it has to send two Proxy-Authorization headers in
        the INVITE message?
        
        Am I missing something? 
        
        
        
        
        From: "Attila Sipos" <[EMAIL PROTECTED]>
        Sent: 01/24/2007 05:26 PM
        To: Udit Goyal/C/IN/[EMAIL PROTECTED], "SIP Implementors" <[email protected]>
        cc:
        Subject: RE: [Sip-implementors] Regarding authentication

        Yes, you can have multiple Proxy-Authenticate headers.
        
        You might be able to store the response provided the challenge
        hasn't changed.  I'm not sure.
        
        But you could definitely just recalculate both authentication
        responses (so you wouldn't have to store anything).
        For the user being challenged you'd just have separate
        passwords for each realm (I assume the Proxy-Authenticate
        headers would have different realms).
        
        Regards,
        
        Attila
        
        
        
        -----Original Message-----
        From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
        Sent: Wed 24/01/2007 19:51
        To: SIP Implementors
        Cc:
        Subject: [Sip-implementors] Regarding authentication 
        
        
        
        Hi,
        
        Can a UAC receive a 407 response with multiple Proxy-Authenticate
        headers?
        
        As per the RFC 3665 Section 3.3 flow for multiple proxy authentication,
        when proxy 2 challenges the request, proxy 1 sends a 407 back to the
        UAC with only one Proxy-Authenticate header containing the challenge
        of only proxy 2.
        
        Is it the responsibility of the UAC to store the previous
        Proxy-Authorization that it sent to proxy 1, and when it receives a
        407 again from proxy1 with a different challenge, send the collated
        INVITE with both authorization headers?
        
        Regards,
        Udit
        _______________________________________________
        Sip-implementors mailing list
        [email protected]
        https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors 
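
The approach discussed in this thread, as an added example that is not from any of the posters: the UA keeps the latest challenge per realm and recalculates every Proxy-Authorization value on each retry, so a second 407 carrying only proxy2's challenge still yields two headers. Assumptions: `ProxyAuthState` and its method names are hypothetical, the realms, nonces and passwords are constructed, and the digest is the RFC 2617 MD5 form without `qop`.

```python
import hashlib
import re

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_challenge(value):
    """Split a Proxy-Authenticate value into lower-cased Digest parameters."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("unsupported scheme: " + scheme)
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

class ProxyAuthState:
    """Keeps the latest challenge per realm so no computed response is stored."""

    def __init__(self, credentials):
        self.credentials = credentials   # realm -> (username, password)
        self.challenges = {}             # realm -> parsed challenge

    def on_407(self, header_values):
        """Record every Proxy-Authenticate value carried by one 407."""
        for value in header_values:
            ch = parse_challenge(value)
            if ch["realm"] not in self.credentials:
                raise KeyError("no credentials for realm " + ch["realm"])
            self.challenges[ch["realm"]] = ch   # a fresh nonce replaces the old one

    def proxy_authorization(self, method, uri):
        """Recalculate one Proxy-Authorization value for every realm seen so far."""
        values = []
        for realm, ch in self.challenges.items():
            user, password = self.credentials[realm]
            ha1 = _md5(f"{user}:{realm}:{password}")
            ha2 = _md5(f"{method}:{uri}")
            response = _md5(f"{ha1}:{ch['nonce']}:{ha2}")
            values.append(f'Digest username="{user}", realm="{realm}", '
                          f'nonce="{ch["nonce"]}", uri="{uri}", response="{response}"')
        return values

# Constructed sample: realms, nonces and passwords are made up for illustration.
CREDS = {"proxy1.example.com": ("alice", "pw-one"),
         "proxy2.example.com": ("alice", "pw-two")}
FIRST_407 = ['Digest realm="proxy1.example.com", nonce="n1aaaa", algorithm=MD5']
SECOND_407 = ['Digest realm="proxy2.example.com", nonce="n2bbbb", algorithm=MD5']

if __name__ == "__main__":
    ua = ProxyAuthState(CREDS)
    for challenge in (FIRST_407, SECOND_407):
        ua.on_407(challenge)
        print(ua.proxy_authorization("INVITE", "sip:bob@example.com"))
```

Passing both challenges to `on_407` in one call covers the case of a single 407 carrying two Proxy-Authenticate headers.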
        
        
        

