On Tue, 2009-01-06 at 15:33 +0100, Nils Ohlmeier wrote:
>
> But I think if we take that road we should consider some mechanism which
> allows UAC and UAS to advertise and agree (?) on the most preferred
> algorithm for the authentication. And I guess it should be mandatory that
> this mechanism prevents that an attacker can modify the message exchange
> in a way that the weakest algorithm is chosen (which is the case with
> current proposed solution).

The mechanism exists. When it sends the challenge, the server sends a qop
parameter whose value is the list of methods it supports, and when the
client sends authentication, the qop parameter indicates which method it
used. All that is needed is to define new qop token values and how they map
to a new hash algorithm.

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
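
Added example, not part of the original thread or of any SIP specification: a client-side sketch of the qop negotiation described in the reply, with a local minimum-strength floor that addresses the bid-down concern raised in the quoted message. The token "auth-sha256", the strength ranking, and the sample challenges are assumptions constructed for illustration.

```python
import re

# Ranking is this example's local policy, weakest to strongest. "auth" and
# "auth-int" are RFC 2617 tokens; "auth-sha256" is a hypothetical new token.
STRENGTH = {"auth": 1, "auth-int": 2, "auth-sha256": 3}
_PARAM = re.compile(r'([A-Za-z][\w-]*)=(?:"([^"]*)"|([^\s,]+))')

# Constructed challenges: FULL as the server sent it, STRIPPED as it would
# look after the unprotected qop list lost its strongest entry in transit.
FULL = 'Digest realm="example.invalid", nonce="n0nce", qop="auth,auth-sha256"'
STRIPPED = 'Digest realm="example.invalid", nonce="n0nce", qop="auth"'


class DowngradeRefused(Exception):
    """The offered qop list does not meet the client's local policy."""


def parse_challenge(header):
    """Parse a Digest challenge into a dict; 'qop' becomes a token list."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    params = {k.lower(): quoted or bare
              for k, quoted, bare in _PARAM.findall(rest)}
    tokens = params.get("qop", "").split(",")
    params["qop"] = [t.strip().lower() for t in tokens if t.strip()]
    return params


def select_qop(offered, floor=None):
    """Pick the strongest offered qop the client knows, enforcing a floor."""
    usable = [t for t in offered if t in STRENGTH]
    if not usable:
        raise DowngradeRefused("no supported qop offered")
    best = max(usable, key=STRENGTH.get)
    if floor is not None and STRENGTH[best] < STRENGTH[floor]:
        raise DowngradeRefused(f"best offer {best!r} is below floor {floor!r}")
    return best


if __name__ == "__main__":
    print(select_qop(parse_challenge(FULL)["qop"]))          # negotiated normally
    print(select_qop(parse_challenge(STRIPPED)["qop"]))      # silently weaker
    try:
        select_qop(parse_challenge(STRIPPED)["qop"], floor="auth-sha256")
    except DowngradeRefused as exc:
        print("refused:", exc)
```

Without a floor the client cannot tell a stripped list from a server that only supports the weaker method, so the floor has to come from local configuration rather than from the challenge.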
