> -----Original Message-----
> From: Rick Dean [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 25, 2001 12:53 PM
> To: Jonathan Rosenberg
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Sip-implementors] Issue with authentication usernames
>
>
>
> Thank you Jonathan.
>
> How ironic you cite the need to minimize user entry problems.
> Our interface is limited, and our end users are unfamiliar,
> so we are as sensitive or more so to the need to enter multiple
> username/passwords. Without a username context this
> is less possible when calling multiple realms.
> Alternatively, the username would likely need to become
> a full-length globalized number (like +18475551212) or nearly so.

Huh? The realm is present in both the challenge and its response. That
provides the context for the username.

> I see the argument for needing to keep only the
> hash of the "username:realm:password" in the authenticating
> database for security, and this is made difficult with
> many domain aliases. Although, databases will already code
> multiple hashes per user to support shorter
> centrex-style nicknames, and stealing the backup tapes
> is not safe because users don't enter enough entropy
> to thwart a dictionary attack.

All of this has nothing to do with the issue at hand. The issue
at hand is the relationship between what the user enters into the system
when challenged for a username/password, and what is sent. I am saying that
it is important that these two be equal. You can build systems with
usernames as nicknames, full user@hosts, or whatever; but keeping the
flexibility requires that a client not make assumptions about the formatting
of usernames.

>
> P.S. Is it more okay to mention company names and
> implementation specifics on the sip-implementors
> list than the IETF ones? I should think
> it is, and more useful to speak about implementations
> directly.

I'd rather not. I do not (and did not) in this case, mention company names.
I will frequently describe scenarios, which is usually enough to clue in
selected folks that I am referring to them without telling anyone else.

-Jonathan R.
---
Jonathan D. Rosenberg
Chief Scientist
dynamicsoft
72 Eagle Rock Ave., First Floor
East Hanover, NJ 07936
PHONE: (973) 952-5000
FAX: (973) 952-5050
[EMAIL PROTECTED]
http://www.cs.columbia.edu/~jdrosen
http://www.dynamicsoft.com
_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
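The exchange above turns on three Digest-authentication details: the realm in the challenge is what gives a bare username its context, a server only needs to store HA1 = MD5(username:realm:password) rather than the password, and because HA1 is bound to the realm string a user reachable under several domain aliases needs one stored hash per alias, each of which falls to an offline dictionary attack if the password is weak. The following is an added example written for this page, not code from the thread, dynamicsoft, or any SIP stack; it computes RFC 2617-style Digest without qop, and every name, nonce, URI and password in it is constructed for illustration.

```python
"""Digest auth walk-through: realm as username context, HA1-only storage,
realm aliases, and an offline dictionary attack on a stolen HA1.
Hypothetical example; all names, nonces and passwords are constructed."""
import hashlib
import hmac
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). This is the only secret the
    # server has to keep, and it is bound to the exact realm string.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def parse_digest_params(header: str) -> dict:
    # Minimal parser for 'Digest k="v", k2="v2"'; unquoted params are ignored.
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return dict(re.findall(r'(\w+)="([^"]*)"', rest))


def build_authorization(challenge, username, password, method, uri):
    # Client side: the username goes on the wire exactly as the user typed it;
    # the realm copied from the challenge is what gives it context.
    p = parse_digest_params(challenge)
    realm, nonce = p["realm"], p["nonce"]
    resp = digest_response(ha1(username, realm, password), nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def verify_authorization(header, method, ha1_db, issued_nonce):
    # Server side: only HA1 per (username, realm) is stored, never the password.
    p = parse_digest_params(header)
    if p.get("nonce") != issued_nonce:
        return False
    stored = ha1_db.get((p.get("username"), p.get("realm")))
    if stored is None:
        return False
    expected = digest_response(stored, p["nonce"], method, p["uri"])
    return hmac.compare_digest(expected, p.get("response", ""))


def dictionary_attack(stolen_ha1, username, realm, wordlist):
    # Offline guessing: HA1 is salted only by username:realm, which the
    # attacker holding the backup already knows, so it is one MD5 per guess.
    for guess in wordlist:
        if ha1(username, realm, guess) == stolen_ha1:
            return guess
    return None


# Constructed sample data (not taken from the thread)
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
USER, PASSWORD, REALM, ALIAS = "alice", "secret", "example.com", "sip.example.com"
URI, METHOD = "sip:bob@example.com", "INVITE"
HA1_DB = {(USER, REALM): ha1(USER, REALM, PASSWORD)}


def challenge_for(realm):
    return f'Digest realm="{realm}", nonce="{NONCE}"'


def demo():
    db = dict(HA1_DB)  # work on a copy so the walk-through is repeatable
    results = {}
    auth = build_authorization(challenge_for(REALM), USER, PASSWORD, METHOD, URI)
    results["good"] = verify_authorization(auth, METHOD, db, NONCE)
    bad = build_authorization(challenge_for(REALM), USER, "wrong", METHOD, URI)
    results["bad_password"] = verify_authorization(bad, METHOD, db, NONCE)
    # Same user, same password, but challenged under a realm alias: HA1 differs,
    # so the server must provision a second stored hash for the alias.
    alias_auth = build_authorization(challenge_for(ALIAS), USER, PASSWORD, METHOD, URI)
    results["alias_before"] = verify_authorization(alias_auth, METHOD, db, NONCE)
    db[(USER, ALIAS)] = ha1(USER, ALIAS, PASSWORD)
    results["alias_after"] = verify_authorization(alias_auth, METHOD, db, NONCE)
    # Stolen backup: a weak password falls to a short wordlist.
    results["cracked"] = dictionary_attack(db[(USER, REALM)], USER, REALM,
                                           ["123456", "password", "secret", "letmein"])
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The client never rewrites the username it was given, which is the point of the reply above: whatever string the user typed is what lands in the `username=` parameter, and the `realm=` parameter copied from the challenge is what the server uses to select the right HA1. The alias case shows why a multi-domain deployment ends up with several hashes per user, and the last step shows why holding only HA1 does not protect a low-entropy password once the database leaks.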