RE: [Sip-implementors] LDAP servers and SIP Authentication

[Arunachalam Venkatraman]

Ranjit I am not sure I understand your question. If you want to send passwords securely on an unsecured network, you must use some encryption mechanism. For MD5 digest authentication, the algorithm does not require knowledge of the password, if H(A1) is known.   Thanks Venkat   -----Original Message----- From: Ranjit Kumar Avasarala [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 05, 2002 1:12 AM To: Arunachalam Venkatraman; Avshalom Houri; [EMAIL PROTECTED] Cc: Ran Bar-Lavie Subject: RE: [Sip-implementors] LDAP servers and SIP Authentication   Hi     so what is the way to transport passwords?   TIA Ranjit -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Arunachalam Venkatraman Sent: Monday, November 04, 2002 10:38 PM To: Avshalom Houri; [EMAIL PROTECTED] Cc: Ran Bar-Lavie Subject: RE: [Sip-implementors] LDAP servers and SIP Authentication How about storing H(A1), instead of the password, in the LDAP server?   This is actually discussed in RFC2617 in section 3.2.2.1   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Avshalom Houri Sent: Monday, November 04, 2002 10:00 AM To: [EMAIL PROTECTED] Cc: Ran Bar-Lavie Subject: [Sip-implementors] LDAP servers and SIP Authentication Since basic authentication has been deprecated from SIP and LDAP servers do not support a uniform way for querying passwords. It seems that there is a problem with using SIP with LDAP server as a directory. For example, some LDAP servers return the user's password hashed (using MD5 or SHA or something else) but we cannot compare this with the hashed password from the client, even if the same hashing algorithm was used, because LDAP returns only the password hashed, while the client-supplied hash includes more info in the digest. The only way we can do this is by getting the password cleartext from LDAP, and do our own digest, but most LDAP servers do not allow that, not even for the directory admin. Any ideas? Thanks Avshalom