On Fri, 2007-08-03 at 06:23 -0700, sengottuvelan srirangan wrote:
> Hi SIP experts,
>  
> I don't understand about the usage of opaque field in SIP proxy
> authentication headers. For example.
>  
>       Proxy-Authenticate: Digest realm="atlanta.com",
>        domain="sip:ss1.carrier.com", qop="auth",
>        nonce="f84f1cec41e6cbe5aea9c8e88d359",
>        opaque="", stale=FALSE, algorithm=MD5
>  
> could you please anyone clarify the opaque field with an example?
        
        The server can put anything it wants to into the value.
        The client MUST just return that value if present in the
        Authorization header.

RFC-2617 says:
        Because the client is required to return the value of the opaque
        directive given to it by the server for the duration of a session,
        the opaque data may be used to transport authentication session state
        information.
        
RFC-2617 also says:
   Note that any such use can also be accomplished more
   easily and safely by including the state in the nonce.

which was a nicer way of saying 'opaque is pointless and insecure'
because the opaque value is not protected by the response hash, it can
be replayed by an attacker.  If you're implementing a server, it is best
not to include it.  If you're implementing a client, just send it back
and ignore it.
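To make the point above concrete, here is an added Python example (not from the original thread or from any SIP stack). It computes the RFC 2617 Digest response for qop=auth/MD5 and shows that the opaque directive is not an input to the hash, so an altered opaque value leaves the response unchanged. It then shows the alternative RFC 2617 recommends: putting the state in the nonce, where the client's response does cover it. The username, password, request URI, server key and the HMAC-over-timestamp nonce layout are all assumptions chosen for the illustration; realm and nonce values are those from the quoted header.

```python
import base64
import hashlib
import hmac
import secrets
import time


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response for qop=auth, algorithm=MD5.

    Note what is NOT here: the opaque directive. The client echoes it back
    verbatim, but it never enters HA1, HA2 or the final response hash.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_proxy_authorization(username, realm, password, method, uri, nonce, opaque,
                              nc="00000001", cnonce=None):
    """Build the Proxy-Authorization header a client would send back."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Proxy-Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}", opaque="{opaque}", algorithm=MD5')


def opaque_affects_response() -> bool:
    """Same credentials, same nonce/cnonce, two different opaque values.
    Returns True only if the response hash differs (it does not)."""
    common = dict(username="alice", realm="atlanta.com", password="constructed-pw",
                  method="INVITE", uri="sip:bob@biloxi.com",
                  nonce="f84f1cec41e6cbe5aea9c8e88d359", cnonce="0a4f113b")
    h1 = build_proxy_authorization(opaque="", **common)
    h2 = build_proxy_authorization(opaque="attacker-modified-state", **common)
    resp1 = h1.split('response="')[1].split('"')[0]
    resp2 = h2.split('response="')[1].split('"')[0]
    return resp1 != resp2


# --- State in the nonce (the RFC's recommended alternative) ---------------
# Hypothetical server-side key; a real server would keep this secret.
SERVER_KEY = b"constructed-server-secret"


def make_nonce(state: str, key: bytes = SERVER_KEY, now=None) -> str:
    """nonce = base64(timestamp ":" state ":" HMAC(key, timestamp ":" state)).
    The nonce is hashed into the client's response, so the client cannot
    swap in a different one without breaking its own proof of the password."""
    ts = str(int(now if now is not None else time.time()))
    payload = f"{ts}:{state}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{payload}:{tag}".encode()).decode()


def check_nonce(nonce: str, key: bytes = SERVER_KEY, now=None, max_age=300):
    """Return (ok, state). Rejects tampered (bad HMAC) and stale nonces."""
    now = int(now if now is not None else time.time())
    try:
        payload, tag = base64.b64decode(nonce).decode().rsplit(":", 1)
        ts, state = payload.split(":", 1)
        ts = int(ts)
    except (ValueError, UnicodeDecodeError):
        return False, None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, None
    if ts > now or now - ts > max_age:
        return False, None  # stale (or clock skew): server should re-challenge
    return True, state


def tamper_state(nonce: str, new_state: str) -> str:
    """Rewrite the state inside a nonce without knowing the server key,
    as an attacker would have to; the HMAC then no longer matches."""
    payload, tag = base64.b64decode(nonce).decode().rsplit(":", 1)
    ts, _ = payload.split(":", 1)
    return base64.b64encode(f"{ts}:{new_state}:{tag}".encode()).decode()


if __name__ == "__main__":
    print("opaque changes response hash:", opaque_affects_response())
    n = make_nonce("session=abc", now=1000)
    print("valid nonce:", check_nonce(n, now=1100))
    print("stale nonce:", check_nonce(n, now=5000))
    print("tampered nonce:", check_nonce(tamper_state(n, "session=xyz"), now=1100))
```

Because `digest_response` never reads the opaque value, a server that stores anything meaningful there gets no integrity from the Digest exchange; the nonce, by contrast, is bound to the password proof by the client and can be HMAC-checked and aged by the server.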

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip