On Jan 23, 2008 6:53 AM, Karthikeyan Gopal, TLS-Chennai <[EMAIL PROTECTED]> wrote:
>
> But as per RFC 3261 401 is to send Unauthorized response.

Sect 7.2, Responses (Page 28):

[snip]
The Status-Code is a 3-digit integer result code that indicates the outcome of an attempt to understand and satisfy a request. The Reason-Phrase is intended to give a short textual description of the Status-Code. The Status-Code is intended for use by automata, whereas the Reason-Phrase is intended for the human user. A client is not required to examine or display the Reason-Phrase.

While this specification suggests specific wording for the reason phrase, implementations MAY choose other text, for example, in the language indicated in the Accept-Language header field of the request.
[/snip]

The key here is "While this specification suggests specific wording for the reason phrase, implementations MAY choose other text" -- Many SIP devices will display the reason phrase somewhere if registration fails - if not directly to the user, under a "status" section perhaps.

However, bear in mind that displaying an //exact// error message lowers security. 'Invalid Password' or 'Invalid Username' provides a potential attacker with far more information than just 'Invalid Credentials', although obviously the former is far more useful to a legitimate user :-)

~ Theo

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
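
The point made in the message above, as an added example that is not part of the original post or of any SIP implementation: a registrar-side status line builder with a verbose and a generic reason phrase, and a client that decides on the Status-Code alone. The outcome names, function names and sample lines are assumptions constructed for illustration.

```python
import re

# Status-Line = SIP-Version SP Status-Code SP Reason-Phrase (RFC 3261, sect. 7.2)
STATUS_LINE = re.compile(r"SIP/2\.0 (\d{3}) ([^\r\n]*)")

# Hypothetical internal outcomes of a registrar's credential check.
VERBOSE = {"unknown_user": "Invalid Username", "bad_password": "Invalid Password"}
GENERIC = "Invalid Credentials"

def status_line_for(outcome, verbose=False):
    """Build the status line for an authentication outcome."""
    if outcome == "ok":
        return "SIP/2.0 200 OK"
    if outcome not in VERBOSE:
        raise ValueError(f"unknown outcome: {outcome}")
    reason = VERBOSE[outcome] if verbose else GENERIC
    return f"SIP/2.0 401 {reason}"

def parse_status_line(line):
    """Split a status line into (code, reason); reason is display-only text."""
    m = STATUS_LINE.fullmatch(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a SIP/2.0 status line")
    return int(m.group(1)), m.group(2)

def needs_credentials(line):
    """Client logic keys on the Status-Code only, never on the Reason-Phrase."""
    code, _reason = parse_status_line(line)
    return code in (401, 407)

def failure_causes_distinguishable(verbose):
    """True if an observer can tell the two failure causes apart on the wire."""
    lines = {status_line_for(o, verbose) for o in VERBOSE}
    return len(lines) > 1

if __name__ == "__main__":
    for verbose in (True, False):
        print("verbose" if verbose else "generic",
              "-> causes distinguishable:", failure_causes_distinguishable(verbose))
    # Constructed sample: the client decision is the same whatever the wording.
    print(needs_credentials("SIP/2.0 401 Identifiants invalides\r\n"))
```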
