Woof!

On Tue, 28 Oct 2008 17:09:45 -0400, Scott Lawrence <[EMAIL PROTECTED]> wrote:

Woof asked:
> What are you trying to protect against there?

Scott answered:
> authentication is not authorization

True statement--but it doesn't answer my question. What are you trying to protect against with this magic list of addresses that can be used for configuration? Some rogue sipXconfig process that is inadvertently off configuring other people's machines? A hacker who is using the XML-RPC interface on a non-authorized machine that happens to have the correct certs?

Seems to me, if I've gotten far enough to get the certs, I can get far enough to hand-edit an ASCII list of "authorized" IP addrs, or just change the darn config files themselves.

So it doesn't seem to add any protection against rogues (that I can determine), yet it increases the complexity and the chances of failure and locking valid changes out of the system (as it did in my case).

--Woof!
