Right ..
So, when the UAC receives the 403, what can the user do?
His/her only recourse (assuming a GUI user agent) is to retry authentication and choose a different username/password combo, correct? Meaning that in effect we are "forgetting" the credentials for this realm because they are useless (we can't register, so why try)..
From the user standpoint this is very similar to a 401 or 407 on that realm with stale=false.
Also another minor point is that the 403 doesn't contain a realm indication, so if you used multiple Authorization headers (or, more likely multiple Proxy-Authorization headers), we don't know which credentials are "known but useless".
Harpreet Juneja wrote:
401, 403 and 407
401 Unauthorized
This response indicates that the request requires the user to perform
authentication. This response is generally sent by a user agent, since
the 407 Proxy Authentication Required is sent by a proxy that requires
authentication. The exception is a registrar server, which sends a 401
Unauthorized response to a REGISTER message that does not contain the
proper credentials.
403 Forbidden
This response is used to deny a request without giving the caller any recourse. It is sent when the server has understood the request, found the request to be correctly formulated, but will not service the request. This response is not used when authorization is required.
407 Proxy Authentication Required
This request sent by a proxy indicates that the UAC must first authenticate itself with the proxy before the request can be processed. The response should contain information about the type of credentials required by the proxy in a Proxy-Authenticate header field. The request can be resubmitted with the proper credentials in a Proxy-Authorization header field. Unlike in HTTP, this response may not be used by a proxy to authenticate another proxy.
I hope these help.
So now if I try to think of the case where this discussion started, the
following implementation is okay, as for some valid credentials it will
be ...
A --- REGISTER ---> B
A <----- 401 ------ B
A --- REGISTER ---> B (with valid and non stale auth info)
A <----- 403 ------ B
and for others it may be ...
A --- REGISTER ---> B
A <----- 401 ------ B
A --- REGISTER ---> B (with valid and non stale auth info)
A <----- 200 ------ B
We need to authenticate the credentials and not all may be allowed to REGISTER, but some may ...
What do you say?
Best regards,
Harpreet S Juneja
[EMAIL PROTECTED]
--- Scott Lawrence <[EMAIL PROTECTED]> wrote:
On Tue, 2004-08-10 at 11:03, [EMAIL PROTECTED] wrote:
FYI
403 Forbidden
This response is used to deny a request without giving the caller
any recourse. It is sent when the server has understood the request, found the request to be correctly formulated, but will not service the request. This response is not used when authorization is required.
That's a reasonable interpretation. We chose to return an authentication failure (40[17]) if the credentials are not good, but that does leave open the possibility that the UA could try again.
Personally, I don't think 403 is the best possible response to a REGISTER request unless the credentials were good but the requested operation was not (we know who you are, but you're not allowed to register - doesn't make much sense to me), but I wouldn't call it 'broken'. If they are returning 403 when the credentials are incorrect, (the username is known and the realm is right but the response hash is incorrect, indicating a bad password), then that's broken.
--
Scott Lawrence
Consulting Engineer
Pingtel Corp. sip:[EMAIL PROTECTED]
+1.781.938.5306 x162
_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
--
David Stuart, SIPquest
Email: dave (at) sipquest (dot) com
Phone: 254-8886 x234
Web: http://www.sipquest.com/
Address: 106 - 350 Terry Fox Drive, Kanata Ontario, K2K 2P5
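As an added illustration of the UAC-side handling discussed at the top of this thread (example code written for this page, not from any of the posters or their products): a Python sketch of how a user agent might treat 401, 407 and 403 after a REGISTER, keeping cached credentials when only the nonce is stale, dropping them on a real rejection, and, because a 403 carries no realm indication, dropping every credential it sent. The message builder, realms and nonces are constructed samples, not captured traffic.

```python
import re

def sip_response(status, reason, *extra_headers):
    """Build a minimal SIP response (constructed sample, not a captured message)."""
    lines = ["SIP/2.0 %d %s" % (status, reason),
             "Via: SIP/2.0/UDP client.example.com;branch=z9hG4bK776"]
    return "\r\n".join(lines + list(extra_headers) + ["Content-Length: 0"]) + "\r\n\r\n"

def parse_response(raw):
    """Return (status_code, headers); headers maps lowercase name -> list of values."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(head[0].split(" ", 2)[1]), headers

def challenge_params(value):
    """Pull realm, nonce, stale, ... out of a Digest challenge (quoted or bare values)."""
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params

def handle_register_response(raw, cache, sent_realms):
    """Decide the UAC's next step after a REGISTER.
    cache maps realm -> known credentials and is mutated: rejected ones are dropped.
    sent_realms: realms whose Authorization/Proxy-Authorization the request carried.
    Returns (action, realm); action is 'retry', 'reprompt', 'forget', 'registered' or 'fail'.
    """
    status, headers = parse_response(raw)
    if status == 200:
        return "registered", None
    if status in (401, 407):
        name = "www-authenticate" if status == 401 else "proxy-authenticate"
        params = challenge_params(headers.get(name, [""])[0])
        realm = params.get("realm")
        stale = params.get("stale", "false").lower() == "true"
        if realm in sent_realms and not stale:
            cache.pop(realm, None)  # we answered this realm and were rejected: password is wrong
            return "reprompt", realm
        if realm in cache:
            return "retry", realm   # first challenge, or nonce expired (stale=true): reuse
        return "reprompt", realm    # unknown realm: nothing cached, ask the user
    if status == 403:
        for realm in sent_realms:   # 403 names no realm, so every credential we sent is suspect
            cache.pop(realm, None)
        return "forget", None
    return "fail", None
```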
