> From: Peter Krebs [[email protected]]
>
> I have a question regarding the Digest-URI used to calculate the response
> parameter which is put into an Authorization header. From RFC 3665 it seems
> to me that the Digest-URI is the same as the Request-URI. However, in
> draft-smit-sip-auth-examples the From-URI is clearly used in all
> calculations and in the Authorization header. Which one should a UAC use, or
> is it only required that whatever URI is used in the digest calculation is
> conveyed in the uri parameter of the Authorization header?
>
> Another related question: In all examples I have seen so far, the Digest-URI
> consisted only of user and host. What form of the URI should be used in the
> calculation and Authorization header respectively, if there are URI
> parameters and/or headers present? Should the parameters/headers be stripped
> off and only the user+host (+password?) be used? Is there a canonical URI
> format for digest authentication?

In the original use in HTTP, the URI used in the calculation was the same as that in the request. But in SIP, the request URI of a request in transit can be completely different from the original request URI, so the original request URI must be given as the 'uri' value in the Authorization header.

In practice, the digest must be verified using the 'uri' value in the Authorization header, and there is no way for the verifier to tell if that value is actually the same as the original request URI. In principle, the verifier could demand at least that the 'uri' value be a syntactically correct SIP URI.

In practice, all requesters use the original request URI which is almost always the same as the value they insert in the From URI. But a requester could use an arbitrary string value, it seems.

Dale

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
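
The verification rule described in the reply above, as an added example that is not part of the original thread: an RFC 2617 MD5 digest check that takes the digest-uri from the Authorization header's `uri` parameter rather than from the Request-URI the verifier received, plus a loose SIP URI syntax check. All names, credentials, the nonce and the URIs are constructed for illustration, and hashing the `uri` string exactly as sent (parameters included, no canonicalization) is an assumption of this example.

```python
import hashlib, hmac, re

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 MD5 response; `uri` is the digest-uri string, taken as given."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_authorization(value):
    """Split 'Digest k="v", k2=v2' into a dict (quoted or token values)."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.finditer(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', rest)
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pairs}

# Loose syntactic check only (assumption: scheme plus non-space characters).
SIP_URI = re.compile(r'^sips?:[^\s"<>]+$', re.IGNORECASE)

def verify(method, auth_header, password, issued_nonce):
    p = parse_authorization(auth_header)
    if any(k not in p for k in ("username", "realm", "nonce", "uri", "response")):
        return False
    if p["nonce"] != issued_nonce or not SIP_URI.match(p["uri"]):
        return False
    # The digest-uri comes from the header, never from the received Request-URI.
    expected = digest_response(p["username"], p["realm"], password, method, p["uri"],
                               p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p["response"].lower())

# Constructed sample: the UAC signed its original Request-URI; a proxy later
# retargeted the request, so the URI seen by the verifier differs.
ORIGINAL_URI = "sip:bob@example.com;transport=tcp"
IN_TRANSIT_URI = "sip:bob@192.0.2.10:5062"
NONCE, PASSWORD = "constructed-nonce-0001", "constructed-secret"
RESPONSE = digest_response("alice", "example.com", PASSWORD, "INVITE", ORIGINAL_URI, NONCE)
IN_TRANSIT_RESPONSE = digest_response("alice", "example.com", PASSWORD, "INVITE", IN_TRANSIT_URI, NONCE)
AUTH = (f'Digest username="alice", realm="example.com", nonce="{NONCE}", '
        f'uri="{ORIGINAL_URI}", response="{RESPONSE}"')

if __name__ == "__main__":
    print(verify("INVITE", AUTH, PASSWORD, NONCE), IN_TRANSIT_RESPONSE == RESPONSE)
```

A verifier that recomputed the digest over the retargeted Request-URI would reject this valid credential, which is why the header's `uri` value is the input to the hash.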
