Re: [Sip-implementors] question about registration

Tue, 16 Dec 2003 18:50:35 -0800 

Thank you for your answer. 

You mean that the REGISTRAR should not check whether 
the uri is same as the ReqUri but just calculate the response 
using the uri the UA provides?

But quoting from RFC2617:
   The authenticating server must assure that the resource designated by
   the "uri" directive is the same as the resource specified in the
   Request-Line; if they are not, the server SHOULD return a 400 Bad
   Request error. (Since this may be a symptom of an attack, server
   implementers may want to consider logging such errors.) The purpose
   of duplicating information from the request URL in this field is to
   deal with the possibility that an intermediate proxy may alter the
   client's Request-Line. This altered (but presumably semantically
   equivalent) request would not result in the same digest as that
   calculated by the client.

And also in RFC2617:
   digest-uri
     The URI from Request-URI of the Request-Line; duplicated here
     because proxies are allowed to change the Request-Line in transit.

Are they inconsistent? And how should the REGISTRAR process the uri?

Thanks.
--
Wendy

----- Original Message ----- 
From: "Arunachalam Venkatraman" <[EMAIL PROTECTED]>
To: "wendy" <[EMAIL PROTECTED]>
Sent: Wednesday, December 17, 2003 1:01 AM
Subject: RE: [Sip-implementors] question about registration


> Wendy
> The uri is set by the UA to the ReqUri in the REGISTER message.
> The ReqUri received by the REGISTRAR may be different because of a proxy
> rewriting it.
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of wendy
> Sent: Tuesday, December 16, 2003 2:27 AM
> To: [EMAIL PROTECTED]
> Subject: [Sip-implementors] question about registration
> 
> 
> Hello,
> 
> Normally, the UA adds the 'uri' parameter to the Authorization header
> and calculates a 'response' value from this 'uri' value and some other
> values.
> 
> Can the server assign the value of this 'uri' parameter which the UA must
> use
> in the Authorization header?
> 
> Thanks a lot!
> --
> Wendy
> 
> _______________________________________________
> Sip-implementors mailing list
> [EMAIL PROTECTED]
> http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors

Reply via email to