On Fri, 2009-01-02 at 17:45 +0100, Johansson Olle E wrote:
> So in that case, the implementation guideline for an UA set for both
> methods would be to first try with the strongest algorithm, then upon
> reception of a 401/407 to that one, test with the next one in list until it is
> out of algorithms in which case the 401/407 means that the password is indeed
> wrong.

I don't see why you'd want to have a multiple-try algorithm -- if you're willing to send the MD5 hash at all, you should send it the first time. Otherwise you're just adding round-trips before you send the MD5 hash.

> The UA could also, as you point out, send all headers at once to make it
> a quicker round-trip, but doing it that way would also expose the
> weaker MD5 hash which we want to avoid.

We actually haven't resolved the question whether using MD5 *exposes* your key. As far as I can tell, what's been shown is that *trusting* an MD5 is not a good idea. But I'm not a crypto expert.

Dale
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
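An added illustration, not part of the original message: a small Python simulation of the two UA strategies discussed in this thread (strongest algorithm first with fallback on 401/407, versus all responses in one request), reporting how many credentialed requests each needs and which hashes end up on the wire. SHA-256 as the stronger algorithm, the sample credentials, the fixed nonce and all function names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample values. Assumption: SHA-256 stands in for the "strongest
# algorithm"; the thread itself names only MD5. The nonce is held fixed.
HASHES = {"SHA-256": "sha256", "MD5": "md5"}
USER, REALM, NONCE, METHOD, URI = "alice", "example.test", "abc123", "REGISTER", "sip:example.test"

def digest_response(alg, password):
    """RFC 2617 response without qop: H(H(A1):nonce:H(A2))."""
    h = lambda s: hashlib.new(HASHES[alg], s.encode()).hexdigest()
    ha1 = h(f"{USER}:{REALM}:{password}")
    ha2 = h(f"{METHOD}:{URI}")
    return h(f"{ha1}:{NONCE}:{ha2}")

class Server:
    def __init__(self, supported, password):
        self.supported, self.password = set(supported), password

    def accepts(self, creds):
        """creds maps algorithm -> response; False models a 401/407."""
        return any(
            alg in self.supported
            and hmac.compare_digest(resp, digest_response(alg, self.password))
            for alg, resp in creds.items())

def sequential(server, password, prefs):
    """Strongest first, next algorithm after each 401/407."""
    sent = []
    for attempts, alg in enumerate(prefs, 1):
        sent.append(alg)
        if server.accepts({alg: digest_response(alg, password)}):
            return True, attempts, sent
    return False, len(sent), sent

def all_at_once(server, password, prefs):
    """One request carrying a response for every algorithm."""
    creds = {alg: digest_response(alg, password) for alg in prefs}
    return server.accepts(creds), 1, list(prefs)

if __name__ == "__main__":
    prefs = ["SHA-256", "MD5"]
    for name, srv in [("MD5-only server", Server(["MD5"], "s3cret")),
                      ("SHA-256+MD5 server", Server(prefs, "s3cret"))]:
        for pw in ("s3cret", "wrong"):
            print(name, repr(pw), "sequential:", sequential(srv, pw, prefs),
                  "all-at-once:", all_at_once(srv, pw, prefs))
```

Each function returns (accepted, credentialed requests, algorithms sent); the initial unauthenticated request and its challenge are not counted.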
