FWIW, Pingtel's public proxy uses 403 Forbidden as:

4. Authenticated INVITE (403 Forbidden)

A call to 4ggx (for any x 1-9) will be challenged for authentication, but even when authenticated only a caller with an extension ending in 7, 8, or 9 is allowed to complete the call (which will ring 1ggx). Any other caller will get a 403 Forbidden response. This allows you to test whether or not your user interface communicates the reason for the call failure.

http://interop.pingtel.com/#403

RFC 3261 states:

21.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help, and the request SHOULD NOT be repeated.

Doesn't a 403 Forbidden indicate the following message from the proxy? "I understand who you are but I can't allow you to do that!!"

* 401/407 represents a mechanism to determine that authentication is needed & will help. With a 403, authentication will not help.

I would be interested in knowing whether a request is retried (if so, under what circumstances) after receiving a 403 response? GRUU suggests one of the uses of 403 is to avoid routing loops.

Regards,
Gaurav

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 12, 2007 7:19 AM
To: [EMAIL PROTECTED]
Subject: Re: [Sip-implementors] Basic Authentication

From: "Bob Penfield" <[EMAIL PROTECTED]>

How about 403 Forbidden?

That seems like a poor choice to me. Yes, the UA shouldn't have sent it, but there's a general principle regarding credentials: the supplicant might present you with a pile of credentials, and it's your job to sort through them to see what you recognize and determine what that means the supplicant may do. That's because the supplicant may have been given several credentials under several different (and possibly conflicting) security policies, and it may not know which ones are relevant to you. In that light, credentials that you don't recognize or that violate some of your rules should be ignored, rather than causing the request to be rejected.

OTOH, in a more closed environment, where feedback from the proxy might cause useful corrective action to be taken by the owner of the UA, and where the proxy can make more authoritative judgements on the behavior of the UA, 403 might be the correct thing.

Dale

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
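As an added illustration of the 401/407-versus-403 distinction discussed in this thread (example code, not Pingtel's proxy and not anything posted by the participants): a toy Python proxy that models the Pingtel "authenticated INVITE" test case, alongside a UAC that resends with credentials only after a challenge and stops on a 403. The `Toy` Proxy-Authorization scheme, the `example.com` domain and the extension/secret table are constructed stand-ins for real digest authentication.

```python
import hmac
import re

# Constructed credentials for this example only (extension -> shared secret).
# A real proxy would use digest authentication (RFC 3261 section 22), not a shared string.
USERS = {"1007": "secret7", "1001": "secret1"}
DOMAIN = "example.com"


def parse_request(raw: str):
    """Split a minimal SIP request into (method, Request-URI user part, headers)."""
    lines = raw.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:            # empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.search(r"sip:([^@>]+)@", uri)
    return method, (m.group(1) if m else ""), headers


def authenticated_user(headers):
    """Toy credential check standing in for digest auth.

    Expects 'Proxy-Authorization: Toy user=<ext> secret=<s>' (constructed scheme).
    Returns the extension when the secret matches, otherwise None.
    """
    value = headers.get("proxy-authorization", "")
    m = re.fullmatch(r"Toy user=(\S+) secret=(\S+)", value)
    if not m:
        return None
    user, secret = m.groups()
    expected = USERS.get(user)
    if expected is None:
        return None
    return user if hmac.compare_digest(expected, secret) else None


def proxy_decision(raw: str) -> dict:
    """Model the Pingtel test: INVITE to 4ggx is challenged (407); once authenticated,
    only callers whose extension ends in 7, 8 or 9 are forwarded (to 1ggx), all others
    get 403 because authorization will not help them."""
    method, to_user, headers = parse_request(raw)
    if method != "INVITE" or not re.fullmatch(r"4\d\d[1-9]", to_user):
        return {"status": 404, "reason": "Not Found"}   # outside the test scenario
    user = authenticated_user(headers)
    if user is None:
        return {"status": 407, "reason": "Proxy Authentication Required"}
    if user[-1] in "789":
        return {"status": None, "forward_to": f"sip:1{to_user[1:]}@{DOMAIN}"}
    return {"status": 403, "reason": "Forbidden"}


def uac_should_retry_with_credentials(status) -> bool:
    """RFC 3261: 401/407 ask the UAC to supply credentials and resend;
    403 states that authorization will not help and the request SHOULD NOT be repeated."""
    return status in (401, 407)


def build_invite(caller: str, target: str, secret=None, cseq: int = 1) -> str:
    """Assemble a minimal INVITE; the credentialed retry carries a higher CSeq."""
    headers = [
        f"From: <sip:{caller}@{DOMAIN}>",
        f"To: <sip:{target}@{DOMAIN}>",
        f"CSeq: {cseq} INVITE",
    ]
    if secret is not None:
        headers.append(f"Proxy-Authorization: Toy user={caller} secret={secret}")
    return f"INVITE sip:{target}@{DOMAIN} SIP/2.0\r\n" + "\r\n".join(headers) + "\r\n\r\n"


def run_call(caller: str, target: str, secret: str) -> list:
    """Simulate the UAC/proxy exchange and return each proxy outcome in order:
    a status code, or the forwarded Request-URI when the call is allowed through."""
    outcomes = [proxy_decision(build_invite(caller, target))]
    if uac_should_retry_with_credentials(outcomes[-1]["status"]):
        # One credentialed retry; a 403 (or a second 407) ends the attempt rather than looping.
        outcomes.append(proxy_decision(build_invite(caller, target, secret, cseq=2)))
    return [o["forward_to"] if o["status"] is None else o["status"] for o in outcomes]


if __name__ == "__main__":
    print(run_call("1007", "4001", "secret7"))   # challenged, then forwarded to 1001
    print(run_call("1001", "4001", "secret1"))   # challenged, then 403: no further retry
    print(run_call("1007", "4001", "wrong"))     # challenged twice, gives up
```

The proxy side keeps the two failure modes distinct on purpose: a missing or bad credential always produces 407, and 403 is reserved for a caller whose identity the proxy has already verified. On the UAC side, treating 403 as final is what prevents the retry loop Gaurav asks about; a client that resubmitted credentials on 403 would simply receive another 403.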
