The "sips" thread is getting too darned long to follow.
I'll try and clearly state my issue, because I think it's gotten
muddled up.
Let's assume a very simple model with two users, Alice and Bob, and a
registrar/location server to which Bob registers.
Bob registers a SIPS contact with the LS.
Alice sends an authenticated INVITE to the LS. The R-URI of this
INVITE is Bob's AOR expressed as a SIP AOR.
The LS returns a 302 with a SIPS contact for Bob.
Alice's UA doesn't understand SIPS, so it sends a SIP INVITE to Bob's
Contact.
Whether or not Bob's UA rejects the INVITE, information potentially
sensitive to Bob has been disclosed outside of the authorization model.
Does the preceding violate the current specification? If so, in what
way?
Consider also that the LS could be replaced by an LDAP database, or
by the REGISTER-as-lookup mechanism of dSIP, or any number of other
analogous location-query protocols.
--
Dean
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
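
The redirect step in the scenario above, as an added example that is not part of the original message: a client that treats a `sips:` Contact as `sip:` beside one that skips a `sips:` Contact it cannot honour over TLS. The function names, the sample 302 and its hosts are constructed for illustration, and the parser assumes name-addr (`<...>`) Contact values.

```python
import re

# Constructed 302 for the scenario above; every name and host is a placeholder.
SAMPLE_302 = (
    "SIP/2.0 302 Moved Temporarily\r\n"
    "From: <sip:alice@example.com>;tag=a1\r\n"
    "To: <sip:bob@example.net>;tag=b1\r\n"
    "Call-ID: constructed-1@alice-pc.example.com\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sips:bob@ua7.example.net:5061>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Assumption: Contact values use the name-addr form, <scheme:rest>.
NAME_ADDR = re.compile(r"<(sips?):([^>]+)>", re.IGNORECASE)


def contact_uris(response):
    """Return (scheme, rest) for every URI in the Contact headers."""
    found = []
    for line in response.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() in ("contact", "m"):  # "m" is the compact form
            found += [(s.lower(), rest) for s, rest in NAME_ADDR.findall(value)]
    return found


def naive_targets(response):
    """The behaviour in the message: the scheme is not understood, so every
    Contact is retried as plain sip: and the INVITE leaves without TLS."""
    return ["sip:" + rest for _, rest in contact_uris(response)]


def safe_targets(response, tls_capable):
    """Return (targets, skipped). A sips: Contact is only followed when the
    client can send over TLS; otherwise it is skipped, never rewritten."""
    targets, skipped = [], []
    for scheme, rest in contact_uris(response):
        uri = f"{scheme}:{rest}"
        if scheme == "sips" and not tls_capable:
            skipped.append(uri)
        else:
            targets.append(uri)
    return targets, skipped


if __name__ == "__main__":
    print("naive :", naive_targets(SAMPLE_302))
    print("no TLS:", safe_targets(SAMPLE_302, tls_capable=False))
    print("TLS   :", safe_targets(SAMPLE_302, tls_capable=True))
```

With no usable target left, the client fails the call locally rather than sending the INVITE in the clear.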