James

Your observation is correct. I think the original issue was not the security of the password but some difficulty in getting the password from an LDAP server. The use of H(a1) was suggested as an alternative.

Thanks
Venkat

-----Original Message-----
From: James Undery [mailto:jundery@;ubiquity.net]
Sent: Tuesday, November 05, 2002 9:33 AM
To: Arunachalam Venkatraman; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Sip-implementors] LDAP servers and SIP Authentication

Hi,

What I would make explicit is that sending H(A1) without encryption is not much better than sending the password in the clear, i.e. you've still provided someone snooping the traffic all they need to authenticate any message they choose.

James

-----Original Message-----
From: Arunachalam Venkatraman [mailto:arunvenk@;cisco.com]
Sent: 05 November 2002 15:22
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Sip-implementors] LDAP servers and SIP Authentication

Ranjit

I am not sure I understand your question. If you want to send passwords securely on an unsecured network, you must use some encryption mechanism. For MD5 digest authentication, the algorithm does not require knowledge of the password, if H(A1) is known.

Thanks
Venkat

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
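
The property discussed in this thread, shown as an added example (not code from any of the posters): in RFC 2617 MD5 digest authentication the response is computed from H(A1), so a server can verify a request with a stored H(A1) instead of the password, and H(A1) therefore needs the same protection in storage and in transit as the password itself. The function names and the SIP values in demo() are constructed for illustration; qop absent and qop=auth are handled, auth-int is not.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1_from_password(username: str, realm: str, password: str) -> str:
    # H(A1) = MD5(username ":" realm ":" password) for algorithm=MD5 (RFC 2617)
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    # The password never appears here: H(A1) is the only secret input.
    ha2 = md5_hex(f"{method}:{uri}")  # H(A2) for qop absent or qop=auth
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1, received, method, uri, nonce, **qop_fields):
    # Server side: recompute from the directory's stored H(A1) and compare
    # in constant time. No cleartext password is needed from the directory.
    expected = digest_response(stored_ha1, method, uri, nonce, **qop_fields)
    return hmac.compare_digest(expected, received)


def demo():
    # Constructed SIP values, for illustration only.
    user, realm, password = "alice", "sip.example.com", "constructed-secret"
    method, uri, nonce = "REGISTER", "sip:sip.example.com", "constructed-nonce-01"

    # Client that knows the password.
    from_password = digest_response(
        ha1_from_password(user, realm, password), method, uri, nonce)

    # Directory entry holding only H(A1), as suggested in the thread.
    stored_ha1 = ha1_from_password(user, realm, password)
    from_ha1_only = digest_response(stored_ha1, method, uri, nonce)

    accepted = server_verify(stored_ha1, from_ha1_only, method, uri, nonce)
    return from_password == from_ha1_only, accepted


if __name__ == "__main__":
    same, accepted = demo()
    print("response from H(A1) alone matches password-derived response:", same)
    print("server holding only H(A1) accepts it:", accepted)
```

Because the realm is hashed into H(A1), a stored value is only valid for the username and realm it was computed for.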
