On Mon, 2008-12-15 at 22:09 +0000, Scott Lawrence wrote:
> On Mon, 2008-12-15 at 15:03 -0500, Dale Worley wrote:
> > On Mon, 2008-12-15 at 11:26 -0500, Lawrence, Scott (BL60:9D30) wrote:
> > > > If the proxy is already authorizing the request, could we not just
> > > > check the p-asserted identity signature in the message instead of
> > > > challenging it again?
> > > 
> > > As long as the PAI header signature is associated with the callid I see
> > > no reason not to... is the PAI signature time-limited?
> > 
> > If we're going to treat PAI as equivalent to Authorization, why
> > shouldn't we treat PAI, Authorization, and Proxy-Authorization as
> > equivalent?
> 
> I'd like to preserve the ability to write things independently of our
> equivalences.  The sipXtackLib support for authentication should
> implement good practice for a SIP implementation, which includes knowing
> which authorization headers you asked for and therefore which you attend
> to.
> 
> PAI is by definition domain-specific, and so it's reasonable (and
> efficient) for our services to take advantage of it when it's present.

It sounds like the correct solution is to have two levels of functions:

One function(s) is the current get-authorization-info function, which
extracts a specified value from the specified type of header.

The other function(s) should encapsulate "how a proxy (or server) tests
the authentication/authorization of a message", and would take into
account sipX's equivalence of the three headers.  (This has the
advantage that we can factor out all that code in all the components,
and ensure that they work consistently.)

Can we nicely encapsulate all that logic so as to build the second
function?

Dale
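
Added example, not part of the original message and not sipXtackLib code: a C++ sketch of the two-level split proposed above, with a level-1 extractor and a level-2 policy function that takes the list of header types the caller treats as equivalent. `SipMsg`, `getAuthInfo`, `Verifier`, `Accepted`, `AuthResult` and `authenticateRequest` are hypothetical names, header lookup is by exact name, and falling through to the next header when one is present but invalid is an assumed policy.

```cpp
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical minimal message model, not a sipXtackLib class.
struct SipMsg {
    std::string callId;
    std::map<std::string, std::string> headers;  // header name -> raw value
};

// Level 1: pure extraction from one named header type; no policy here.
bool getAuthInfo(const SipMsg& m, const std::string& name, std::string& out) {
    auto it = m.headers.find(name);
    if (it == m.headers.end() || it->second.empty()) return false;
    out = it->second;
    return true;
}

// Validates one header value against the whole message (so a PAI check can
// tie the signature to the Call-ID) and yields the authenticated identity.
using Verifier =
    std::function<bool(const SipMsg&, const std::string&, std::string&)>;
using Accepted = std::vector<std::pair<std::string, Verifier>>;

struct AuthResult {
    bool ok = false;
    std::string identity, via;  // via: header type that authenticated
};

// Level 2: shared policy. `accepted` lists, in preference order, the header
// types this component treats as equivalent. Unlisted headers are ignored
// even when present, so a caller attends only to what it asked for.
AuthResult authenticateRequest(const SipMsg& m, const Accepted& accepted) {
    AuthResult r;
    for (const auto& entry : accepted) {
        std::string value;
        if (!getAuthInfo(m, entry.first, value)) continue;  // header absent
        if (entry.second(m, value, r.identity)) {           // present, valid
            r.ok = true;
            r.via = entry.first;
            return r;
        }
        r.identity.clear();  // present but invalid: untrusted, try the next
    }
    return r;  // ok == false: the caller should challenge
}
```

A component that wants the three-header equivalence passes verifiers for P-Asserted-Identity, Proxy-Authorization and Authorization; code that must stay independent of that equivalence passes only the header type it challenged for.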


_______________________________________________
sipx-dev mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-dev