> 2011/12/6 Brett Tate <[email protected]>:
> > The following are some questions concerning SIP Digest MD5
> > Authorization.
> >
> > 1) Are UTF8-NONASCII allowed within username and realm?  Based upon
> > the ABNF, it appears to be yes.  However since SIP authentication is
> > based upon the HTTP specs (such as rfc2617 and rfc2616), I'm not sure
> > if the SIP ABNF changes to include UTF8-NONASCII were intentional
> > concerning the topic.  More specifically, I'm not sure if the rfc2616
> > TEXT snippet (or something else) somehow prevents UTF8-NONASCII.
> >
> > 2) Can the password used within Digest MD5 authentication calculation
> > include UTF8-NONASCII?
> >
> > 3) If quoted-string username contains useless and required escaping
> > of characters, is the escaped or un-escaped username supposed to be
> > used within the calculation?  I assume the un-escaped username; however
> > I thought I'd ask for completeness.
>
> If the username and realm fields allow UTF8-NONASCII symbols,
> why use hex-escaped symbols? :)

My escaping question was not related to UTF8-NONASCII (and characters within 
quoted-string are escaped using backslash instead of % hex hex).  Question 3 
was basically associated with the applicability of the conclusion of the 
following "RFC 3261: quoted-string and quoted-pair" thread to SIP Digest MD5 
Authorization:

https://lists.cs.columbia.edu/pipermail/sip-implementors/2011-November/027928.html

Concerning my first two questions, I noticed that RFC 2831 (similarly based 
upon RFC 2617 and RFC 2616) had to define and explain the charset parameter to 
help clarify and address questions similar to those I'm asking.  RFC 6331 also 
subsequently deprecated RFC 2831 using escaping and charset 
ambiguity/restrictions (similar to my 3 questions associated with RFC 3261) as 
part of the justification.

RFC 2831:
   charset
      This directive, if present, specifies that the server supports
      UTF-8 encoding for the username and password. If not present, the
      username and password must be encoded in ISO 8859-1 (of which
      US-ASCII is a subset). The directive is needed for backwards
      compatibility with HTTP Digest, which only supports ISO 8859-1.
      This directive may appear at most once; if multiple instances are
      present, the client should abort the authentication exchange.

RFC 6331:
       The requirement for backward
       compatibility with HTTP Digest means that the situation is even
       worse.  For example, DIGEST-MD5 requires all usernames/passwords
       that can be entirely represented in the ISO-8859-1 charset to be
       down converted from UTF-8 [RFC3629] to ISO-8859-1 [ISO-8859-1].
       Another example is the use of quoted strings.  Handling of
       characters that need escaping is not properly described, and the
       DIGEST-MD5 document has no examples to demonstrate correct
       behavior.

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
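
Added example, not part of the original message or of any RFC text: it computes the RFC 2617 H(A1) value, MD5(username ":" realm ":" password), for one set of credentials under each reading raised in the three questions above (UTF-8 vs ISO 8859-1 bytes, escaped vs un-escaped username), so that a client/server mismatch shows up as differing hashes. The function names and the sample credentials are constructed for illustration; the example does not settle which reading RFC 3261 intends.

```python
import hashlib
import re

def unquote(quoted: str) -> str:
    """Strip the DQUOTEs of a quoted-string and undo backslash quoted-pairs."""
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("not a quoted-string")
    return re.sub(r"\\(.)", r"\1", quoted[1:-1], flags=re.DOTALL)

def ha1(username: str, realm: str, password: str, charset: str) -> str:
    """H(A1) = MD5(username ":" realm ":" password), hashed over `charset` bytes."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode(charset)).hexdigest()

def downconvert_charset(*values: str) -> str:
    """Charset rule RFC 6331 describes for DIGEST-MD5: 8859-1 if it fits, else UTF-8."""
    try:
        for value in values:
            value.encode("iso-8859-1")
        return "iso-8859-1"
    except UnicodeEncodeError:
        return "utf-8"

def interop_report(username_param: str, realm: str, password: str) -> dict:
    """H(A1) for each reading of the same credentials; None if not encodable."""
    user = unquote(username_param)
    report = {}
    for charset in ("utf-8", "iso-8859-1"):
        try:
            report[charset] = ha1(user, realm, password, charset)
        except UnicodeEncodeError:
            report[charset] = None
    # Hashing the wire form, backslashes included (the "escaped" reading).
    report["escaped/utf-8"] = ha1(username_param[1:-1], realm, password, "utf-8")
    return report

if __name__ == "__main__":
    # Constructed sample: useless escape (\j), required escape (\"), non-ASCII ö.
    sample = '"\\j\u00f6rg\\"x"'
    for reading, digest in interop_report(sample, "example.com", "p\u00e4ss").items():
        print(f"{reading:14} {digest}")
    print("down-convert picks:", downconvert_charset("j\u00f6rg", "p\u00e4ss"))
```

For pure US-ASCII credentials without escapes all three readings give the same hash, which is why the ambiguity only surfaces once non-ASCII or backslash-escaped usernames are provisioned.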
