2009/5/21 friend friend <[email protected]>: > In RFC 3665 : > Bob sends a register request to the Proxy Server containing no > Contact headers, indicating the user wishes to query the server for > the user's current contact list. Since the user already has > authenticated with the server, the user supplies authentication > credentials with the request and is not challenged by the server. > The SIP server validates the user's credentials. The server returns > a response (200 OK) which includes the user's current registration > list in Contact headers. > > We have an answer for REGISTER(with Credentials) without Contact... > > > But REGISTER (without credentials) without Contact, why do we need to > authenticate?
It's really easy. If the registrar doesn't require authentication for a REGISTER with no Contact, then I could send a spoofed REGISTER with no Contact and some AoR in the "To" header and I would get all the registered locations for that AoR. It's just a privacy issue. -- Iñaki Baz Castillo <[email protected]> _______________________________________________ Sip-implementors mailing list [email protected] https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
