>>>>> Iñaki Baz Castillo <[EMAIL PROTECTED]> wrote:

> Well, RFC 3261 says:
> 22.4 The Digest Authentication Scheme
> 8 - ...
> However,
> servers MUST always send a "qop" parameter in WWW-Authenticate
> and Proxy-Authenticate header field values. If a client
> receives a "qop" parameter in a challenge header field, it
> MUST send the "qop" parameter in any resulting authorization
> header field.

Note that there are too many proxies that do not send and count qop, so the client really shall compute authorization also for the variant without qop.

For a simple but working implementation, it's enough for the UAS to generate nonces cryptographically randomly, keep a few last nonces and expire them periodically to protect against any replay attack later than nonce expiration. A more complicated implementation shall keep the nonce sent to each client separately... this can be too expensive.

--
Valentin Nechayev
PortaOne Inc., Software Engineer
mailto:[EMAIL PROTECTED]
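The simple scheme described in the message above (random nonces, a small shared pool, periodic expiry), sketched as an added example that is not part of the original post or of any SIP stack. The class name `NonceStore`, its method names, and the `ttl` and `max_nonces` values are assumptions chosen for illustration.

```python
import secrets
import time
from collections import OrderedDict


class NonceStore:
    """Shared pool of recently issued digest nonces (not tracked per client)."""

    def __init__(self, ttl=30.0, max_nonces=8, clock=time.monotonic):
        self.ttl = ttl                # seconds a nonce stays acceptable (assumed value)
        self.max_nonces = max_nonces  # "a few last nonces" (assumed value)
        self.clock = clock            # injectable so expiry can be tested
        self._issued = OrderedDict()  # nonce -> issue time, oldest first

    def _expire(self):
        """Drop nonces whose lifetime has run out, oldest first."""
        now = self.clock()
        while self._issued:
            nonce, issued_at = next(iter(self._issued.items()))
            if now - issued_at < self.ttl:
                break
            del self._issued[nonce]

    def issue(self):
        """Return a fresh nonce for a WWW-Authenticate / Proxy-Authenticate challenge."""
        self._expire()
        nonce = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._issued[nonce] = self.clock()
        while len(self._issued) > self.max_nonces:
            self._issued.popitem(last=False)  # evict the oldest nonce
        return nonce

    def is_acceptable(self, nonce):
        """True only if this server issued the nonce and it has not expired.

        Unknown, evicted and expired nonces are treated alike: the request
        must be challenged again with a new nonce.
        """
        self._expire()
        return nonce in self._issued


if __name__ == "__main__":
    store = NonceStore()
    n = store.issue()
    print(n, store.is_acceptable(n), store.is_acceptable("not-issued-here"))
```

A captured response can still be replayed while its nonce is inside the `ttl` window; the pool only rejects replays after expiry or eviction, which is the trade-off the message accepts to avoid per-client state.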
