Re: digest-auth: proposed text for SIP-AOR, Realm

[Miguel Garcia <Miguel.An.Garcia@nokia.com>]

Hi Wolfgang:

I am fine with the current text. I have a minor improvement: since the 
purpose of the atttribute is two fold, authentication and authorization, 
I would suggest to add the "authorization" bit to the description of the 
attribute:

      The SIP-AOR attribute identifies the URI the use of which must
      be authenticated and authorized.
                       ^^^^^^^^^^^^^^^

BR,

     Miguel

Beck01, Wolfgang wrote:

> to close issue 53, I propose the following text:
>
> 2.20  SIP-AOR
>
>    This attribute is for the authorization of SIP messages.
>
>    Type
>          [IANA:use 121 if possible] for SIP-AOR
>    Length
>          >=3
>    String
>          The syntax of this attribute corresponds either to a SIP URI
>          (with the format defined in [RFC3261] or a TEL URI (with the
>          format defined in [RFC3966]).
>          The SIP-AOR attribute identifies the URI the use of which must
>          be authenticated.  The RADIUS server uses this attribute to
>          authorize the processing of the SIP request.  The SIP-AOR can
>          be derived from, e.g., the To header field in a SIP REGISTER
>          request (user under registration), or the From header field in
>          other SIP requests.  However, the exact mapping of this
>          attribute to SIP can change due to new developments in the
>          protocol.
>          This attribute MUST only be used when the RADIUS client wants
>          to authorize SIP users and MUST only be used in Access-Request
>          messages.
>
> Issue 43, choosing the correct credentials from a set of authorization headers:
>
> RADIUS Client Behaviour
> [..] 
> On reception of an HTTP-style request message, the RADIUS client checks
> whether it is responsible to authenticate the request.
> There are situation where an HTTP-style request traverses several proxies,
> and each of the proxies request to authenticate the HTTP-style client. In
> this situation, it is a valid scenario that a HTTP-style request received
> at a HTTP-style server contains several sets of credentials. The 'realm'
> directive in HTTP is the key that the RADIUS client can use to determine
> which credential is applicable. It may happen also that none of the
> realms are of interests to the RADIUS client, in which case the RADIUS
> client MUST consider that no credentials (of interest) were sent. In
> any case, a RADIUS client MUST send zero or exactly one credential to
> the RADIUS server. The RADIUS client MUST choose the credential of the
> (Proxy-)Authorization header where the realm directive matches its locally
> configured realm value.  If such a header is present and contains HTTP
> digest information, the RADIUS client checks the 'nonce' parameter.
> If the RADIUS client generates nonces but did not issue the received
> nonce, it responds with a 401 (Unauthorized) or 407 (Proxy Authentication
> Required) to the HTTP-style client. In this error response, the RADIUS
> client sends a new nonce.
>
>
> Wolfgang
>
> --
> T-Systems
> Internet Platforms
> +49 6151 937 2863
> Am Kavalleriesand 3
> 64295 Darmstadt
> Germany 

--
Miguel A. Garcia           tel:+358-50-4804586
Nokia Research Center      Helsinki, Finland

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>