On Oct 23, 2008, at 9:18 AM, Elwell, John wrote:
I need a decision on one outstanding issue. We previously agreed that
PAI could be used in any request. We recently agreed to remove
specification of PAI in responses because there is no standardised
means
of authenticating a UAS. Brett Tate pointed out that likewise there is
no standardised means of authenticating a UAC when it sends CANCEL or
ACK (these cannot be challenged, and cannot be rejected if
authentication is wrong). I have so far received no further opinions
on
this. To be consistent I believe we have to make exceptions of CANCEL
and ACK and say that PAI cannot be used with these methods.
If I receive no objections by 26th October I will update the draft on
27th.
The problems is that some network architectures DO allow
authentication of both responses and CANCEL/ACK.
PAI is quite widely used in those networks. In fact, it came to us as
a P-header for use specifically in those networks.
What is probably needed is an applicability statement that explains
the environment in which PAI is usable in "digest authenticable
requests" , and goes on to explain the environment in which PAI is
usable in other requests and responses.
--
Dean
_______________________________________________
Sipping mailing list https://www.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors@xxxxxxxxxxxxxxx for questions on current sip
Use sip@xxxxxxxx for new developments of core SIP
