From: "Bob Penfield" <[EMAIL PROTECTED]>

How about 403 Forbidden?

That seems like a poor choice to me. Yes, the UA shouldn't have sent it, but there's a general principle regarding credentials: the supplicant might present you with a pile of credentials, and it's your job to sort through them to see what you recognize and determine what that means the supplicant may do. That's because the supplicant may have been given several credentials under several different (and possibly conflicting) security policies, and it may not know which ones are relevant to you. In that light, credentials that you don't recognize or that violate some of your rules should be ignored, rather than causing the request to be rejected.

OTOH, in a more closed environment, where feedback from the proxy might cause useful corrective action to be taken by the owner of the UA, and where the proxy can make more authoritative judgements on the behavior of the UA, 403 might be the correct thing.

Dale
