As the motivation for Proxy-Authorization is from HTTP, I think the statement below is relevant here.

RFC 2616, section 14.34 states:
"Unlike Authorization, the Proxy-Authorization header field **applies only to the next outbound proxy that demanded authentication using the Proxy-Authenticate** field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed by the first outbound proxy that was expecting to receive credentials. A proxy MAY relay the credentials from the client request to the next proxy if that is the mechanism by which the proxies cooperatively authenticate a given request."

> There is also the failure mode where two different proxies in a chain
> authenticate against the same realm. If the first proxy "consumes"
> all Proxy-Authorization headers for that realm, the second proxy will
> *never* pass the request because the UA can never get a Proxy-
> Authorization for that realm to it.

I don't think a proxy that hasn't demanded authentication using Proxy-Authenticate can consume Proxy-Authorization even if it is for the same realm.

-Ramakrishna

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vijay K. Gurbani
Sent: Thursday, December 08, 2005 10:02 PM
To: Dale R. Worley
Cc: Sip-Implementors
Subject: Re: [Sip-implementors] Spiraling request

Dale R. Worley wrote:
> The whole concept of "consuming" authorization headers (or any other
> header) is a Bad Idea and should never be done.

I am curious ... why? Is it only because as you write:

> There is also the failure mode where two different proxies in a chain
> authenticate against the same realm. If the first proxy "consumes"
> all Proxy-Authorization headers for that realm, the second proxy will
> *never* pass the request because the UA can never get a Proxy-
> Authorization for that realm to it.

Even if that was the case, the nonce generated at one proxy may not hold meaning for the next proxy in the same realm. Is it common for a request to be passed through multiple proxies in the same realm?

So far, at the bakeoffs and such, I have seen proxies consuming their authorization headers, and things appear to work as intended. The SIP Services Call Flow (rfc3665) also shows proxies consuming the header (I know rfc3665 is not normative...).

Thanks,

- vijay
--
Vijay K. Gurbani [EMAIL PROTECTED],research.bell-labs.com,acm.org}
Lucent Technologies/Bell Laboratories, 2000 Lucent Lane, Rm 6G-440
Naperville, Illinois 60566 Voice: +1 630 224 0216
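
The same-realm failure mode discussed in this thread, as an added example that is not part of the original messages: a toy model of two proxies in one chain sharing a realm, comparing a proxy that strips every Proxy-Authorization for its realm with one that strips only the credential answering its own challenge. The proxy names, nonces, realm value and the (realm, nonce) credential model are assumptions made for illustration; no digest computation is performed.

```python
# Toy model (constructed): two proxies in one chain share the realm "example.com".
# Each proxy issues its own nonce; a credential is modelled as a (realm, nonce) pair.
from dataclasses import dataclass

REALM = "example.com"  # constructed sample realm

@dataclass
class Proxy:
    name: str
    nonce: str
    consume_whole_realm: bool  # True: strip every credential for REALM

    def handle(self, creds):
        """Return (challenge_or_None, credentials forwarded downstream)."""
        if (REALM, self.nonce) not in creds:
            return (REALM, self.nonce), None  # 407 with Proxy-Authenticate
        if self.consume_whole_realm:
            kept = [c for c in creds if c[0] != REALM]
        else:  # strip only the answer to this proxy's own challenge
            kept = [c for c in creds if c != (REALM, self.nonce)]
        return None, kept

def send_through_chain(chain, max_attempts=5):
    """UA retries after each 407, adding one credential per new challenge."""
    creds, log = [], []
    for attempt in range(1, max_attempts + 1):
        forwarded = list(creds)
        for proxy in chain:
            challenge, forwarded = proxy.handle(forwarded)
            if challenge:
                log.append(f"attempt {attempt}: 407 from {proxy.name}")
                if challenge not in creds:
                    creds.append(challenge)
                break
        else:  # no proxy challenged: the request reached the far end
            log.append(f"attempt {attempt}: delivered")
            return True, log
    return False, log

def make_chain(consume_whole_realm):
    return [Proxy("P1", "nonce-p1", consume_whole_realm),
            Proxy("P2", "nonce-p2", consume_whole_realm)]

if __name__ == "__main__":
    for policy in (True, False):
        ok, log = send_through_chain(make_chain(policy))
        print("whole-realm" if policy else "own-challenge", ok, log)
```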
