On Fri, 2009-01-02 at 17:17 +0100, Johansson Olle E wrote:
> On 2 Jan 2009 at 16:34, Dale Worley wrote:
>
> > On Tue, 2008-12-30 at 21:30 +0100, Johansson Olle E wrote:
> >> Also: How can we move away from MD5 digest auth?
> >
> > The authentication headers all allow the algorithm to be specified, so
> > we can convert to SHA1 fairly straightforwardly. But the current attack
> > benefits from the fact that one can spend hours synthesizing a
> > certificate. I doubt one could attack a SIP session setup fast enough
> > to be useful with reasonably-priced hardware. But that will come with
> > time...
>
> We need some implementation guidelines for doing this. How do we
> respond to an MD5 auth request we don't accept?
>
> If for some strange reason, I want to support both old MD5 UA's and
> new SHAx UA's - how do I indicate both?
>
> We probably need some test code and test scenarios here.
There isn't any negotiation mechanism for auth algorithms. But if you generate both, you could include two auth headers for your realm, one with 'algorithm=MD5' and one with 'algorithm=SHA1'. Of course, we have yet to define the details of the header with 'algorithm=SHA1'.

The current method of rejecting the use of any particular authentication system is for the UAS to ignore the auth header generated by that system, which usually results in the UAC receiving a 401/407 response to a request which carries all the credentials the UAC is prepared to attach to the request. So the UAC gives up on the request (and returns the 401/407 to the application layer).

Dale

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
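Dale's two-challenge idea, worked through in Python as an added example (not code from the thread or from any SIP stack): the UAS emits one Digest challenge per algorithm, and the UAC picks the strongest one it supports and computes the response with that hash. Assumed: the 'SHA1' token is the thread's placeholder, 'SHA-256' is the token RFC 8760 later registered for SIP Digest, and the response is the RFC 2617 qop=auth construction with only the hash function swapped.

```python
import hashlib
import re

# Hash functions by Digest 'algorithm' token, weakest first. MD5 was the only
# token defined for SIP when this thread was written; "SHA1" is the thread's
# placeholder label; "SHA-256" is the token RFC 8760 later registered.
ALGORITHMS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA-256": hashlib.sha256}
STRENGTH = list(ALGORITHMS)  # insertion order doubles as preference order


def challenges(realm, nonce):
    """UAS side: one WWW-Authenticate value per algorithm, as suggested above."""
    return ['Digest realm="%s", nonce="%s", algorithm=%s, qop="auth"'
            % (realm, nonce, alg) for alg in STRENGTH]


def parse_challenge(header):
    """Parse 'Digest k="v", k=v, ...' into a dict (small parser, not RFC-complete)."""
    params = {}
    for key, quoted, bare in re.findall(
            r'([\w-]+)=(?:"([^"]*)"|([^,\s]+))', header.split(" ", 1)[1]):
        params[key] = quoted or bare
    return params


def pick_challenge(headers, supported):
    """UAC side: strongest offered algorithm the UA supports, or None."""
    # None is the failure mode described in the reply: no usable credentials,
    # so the 401/407 is handed back to the application layer.
    usable = [p for p in map(parse_challenge, headers)
              if p.get("algorithm", "MD5") in supported]
    return max(usable, key=lambda p: STRENGTH.index(p.get("algorithm", "MD5"))) if usable else None


def digest_response(ch, user, password, method, uri, cnonce, nc="00000001"):
    """Compute the Digest 'response' (RFC 2617 qop=auth form) with the chosen hash."""
    def h(s):
        return ALGORITHMS[ch.get("algorithm", "MD5")](s.encode()).hexdigest()
    ha1 = h("%s:%s:%s" % (user, ch["realm"], password))
    ha2 = h("%s:%s" % (method, uri))
    return h(":".join([ha1, ch["nonce"], nc, cnonce, "auth", ha2]))


if __name__ == "__main__":
    offered = challenges("example.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093")  # RFC 2617 sample nonce
    for ua in (["MD5"], ["MD5", "SHA-256"], []):
        ch = pick_challenge(offered, ua)
        print(ua, "->", ch["algorithm"] if ch else "no usable challenge")
```

A legacy MD5-only UA still finds its challenge, a newer UA silently lands on the stronger hash, and a UA supporting none of the offered tokens ends up in the give-up path Dale describes.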
