Scott Lawrence wrote:
> On Wed, 2008-12-17 at 10:06 -0500, Arjun Nair wrote:
>> Update:
>>
>> As per our discussion yesterday, turning off PAI authentication for
>> SUBSCRIBEs works well. The phones have no problem answering just the
>> UA (SipStatus) challenges (so, the issue is when we do a UA + Proxy
>> challenge). I will go ahead and restrict PAI challenges to INVITEs
>> only.
>>
>> However, there is a second problem - the recently added
>> SubscriptionAuth plugin will challenge all out-of-dialog, dialog event
>> SUBSCRIBEs. So, in-dialog subscriptions to the RLS will again face the
>> same two tier authentication problem. The options I see here are (1)
>> turn off the SubscriptionAuth plugin challenge for dialog event
>> SUBSCRIBEs, (2) In the SubscriptionAuth plugin, make a special
>> exemption for all request URIs addressed to the RLS, (3) In the RLS,
>> only check for authentication if the SUBSCRIBE does not match a known,
>> active dialog.
>
> What is the SubscriptionAuth plugin for?
>
This is our answer to:

http://track.sipfoundry.org/browse/XECS-1606 - No authorization for dialog event subscriptions

Description:
This is a privacy issue. There does not seem to be authorization for dialog event package subscriptions. Anybody without a valid account on the system can originate a dialog event subscription for an individual user and sipX routes it to the registered phones unchallenged. This allows the whole world to monitor calls of any sipX user.

Arjun
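
Option (3) from the thread above, sketched as an added example that is not part of the original messages and is not sipXecs code: a dialog event SUBSCRIBE skips authentication only when it matches a known, active dialog, and anything else is challenged unless it carries credentials to verify. The helper names, the dialog table and the SIP messages are constructed assumptions.

```python
# Added illustration; helper names and SIP messages are constructed, not sipXecs code.
COMPACT = {"i": "call-id", "f": "from", "t": "to", "o": "event"}  # RFC compact header forms

def parse_sip(raw):
    """Return (method, headers) with header names lower-cased and compact forms expanded."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    return method, headers

def tag_of(value):
    """Extract the ;tag= parameter that follows the <URI> in a From/To value."""
    for param in value.rsplit(">", 1)[-1].split(";"):
        key, _, val = param.partition("=")
        if key.strip().lower() == "tag" and val:
            return val.strip()
    return None

def decide(raw, active_dialogs):
    """Option (3): skip authentication only for SUBSCRIBEs inside a known, active dialog."""
    method, h = parse_sip(raw)
    event = h.get("event", "").split(";")[0].strip().lower()
    if method != "SUBSCRIBE" or event != "dialog":
        return "not-applicable"
    dialog = (h.get("call-id"), tag_of(h.get("from", "")), tag_of(h.get("to", "")))
    if dialog[2] and dialog in active_dialogs:
        return "accept-in-dialog"      # assumes the initial SUBSCRIBE was authenticated
    if "authorization" in h or "proxy-authorization" in h:
        return "verify-credentials"    # digest verification itself is out of scope here
    return "challenge"                 # the XECS-1606 case: never route unchallenged

def make(call_id, from_tag, to_tag=None, auth=False):
    """Build a constructed dialog-event SUBSCRIBE for the checks below."""
    to = "<sip:200@example.com>" + (f";tag={to_tag}" if to_tag else "")
    lines = ["SUBSCRIBE sip:200@example.com SIP/2.0",
             f"From: <sip:201@example.com>;tag={from_tag}", f"To: {to}",
             f"Call-ID: {call_id}", "Event: dialog"]
    if auth:
        lines.append('Authorization: Digest username="201", realm="example.com"')
    return "\r\n".join(lines) + "\r\n\r\n"

ACTIVE = {("c1@example.com", "a1", "b1")}  # (Call-ID, From tag, To tag) known to the server

if __name__ == "__main__":
    for msg in (make("c9@example.com", "a9"), make("c1@example.com", "a1", "b1"),
                make("c1@example.com", "a1", "zz"), make("c9@example.com", "a9", auth=True)):
        print(decide(msg, ACTIVE))
```

A To tag that does not match the dialog table falls through to the challenge path, so a made-up tag cannot be used to skip authentication.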
