RE: Issue 79; digest-auth realm validation
> -----Original Message-----
> From: Beck01, Wolfgang [mailto:BeckW@t-systems.com]
> Sent: Tuesday, March 29, 2005 7:11 AM
> To: Salowey, Joe
> Cc: email@example.com
> Subject: Issue 79; digest-auth realm validation
> here is a text proposal:
> "The RADIUS server MUST check if the user identified by the
> User-Name attribute
> o is authorized to access the protection space defined by the
>   Digest-URI and Digest-Realm attributes,
> o is authorized to use the URI included in the SIP-AOR attribute, if
>   this attribute is present.
> If any of those checks fails, the RADIUS server MUST send an
> Does this resolve the issue?
[Joe] There is also a need to authorize the application server (RADIUS
client) to prevent a RADIUS client from obtaining digest hashes (HA1
attribute) for another realm and from advertising a realm that it is not
authorized to service.
"The RADIUS server MUST check if the RADIUS client making
o is authorized to act as part of the protection space
defined by the Digest-URI and Digest-Realm attributes
If this check fails, the RADIUS server MUST send an
I'm not sure if it makes any sense to check the SIP-AOR attribute. If
the SIP-AOR attribute is not part of the Digest calculation done by the
server then I do not think it makes sense to check it.
> T-Systems International GmbH
> Next Generation IP Services and Systems
> +49 6151 9372863
> Am Kavalleriesand 3
> 64295 Darmstadt
> to unsubscribe send a message to
> firstname.lastname@example.org with the word 'unsubscribe' in
> a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
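The checks proposed in this thread (user against the Digest-Realm/Digest-URI protection space, the optional SIP-AOR, and the RADIUS client against the realm before HA1 is released) can be sketched as follows. This is an added example, not text from the draft or from either poster; the policy tables, the `Request` type, the helper names and all sample values are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed policy tables (assumptions for this sketch, not from the draft).
CLIENT_REALMS = {"proxy-a": {"example.com"}, "proxy-b": {"example.net"}}
REALM_HOSTS = {"example.com": {"example.com", "sip.example.com"},
               "example.net": {"example.net"}}
USERS = {"alice": {"password": "constructed-secret",
                   "realms": {"example.com"},
                   "aors": {"sip:alice@example.com"}}}

@dataclass
class Request:
    client: str                    # identity of the authenticated RADIUS client
    user_name: str                 # User-Name
    digest_realm: str              # Digest-Realm
    digest_uri: str                # Digest-URI
    sip_aor: Optional[str] = None  # SIP-AOR, may be absent

def uri_host(uri: str) -> str:
    """Host of a sip:/sips: URI, lower-cased, without user, port or parameters."""
    rest = uri.split(":", 1)[1] if ":" in uri else uri
    rest = rest.split("@")[-1]
    for sep in (";", "?", ":"):
        rest = rest.split(sep, 1)[0]
    return rest.lower()

def check(req: Request) -> Optional[str]:
    """Return None if every check passes, else the name of the failed check."""
    user = USERS.get(req.user_name)
    # The RADIUS client must be allowed to act for the realm it presents.
    if req.digest_realm not in CLIENT_REALMS.get(req.client, set()):
        return "client-realm"
    # The user must belong to the protection space (realm, then URI host).
    if user is None or req.digest_realm not in user["realms"]:
        return "user-realm"
    if uri_host(req.digest_uri) not in REALM_HOSTS.get(req.digest_realm, set()):
        return "digest-uri"
    # SIP-AOR is checked only when the attribute is present.
    if req.sip_aor is not None and req.sip_aor not in user["aors"]:
        return "sip-aor"
    return None

def ha1_for(req: Request) -> Optional[str]:
    """Release HA1 = MD5(user:realm:password) only after all checks pass."""
    if check(req) is not None:
        return None
    pw = USERS[req.user_name]["password"]
    return hashlib.md5(f"{req.user_name}:{req.digest_realm}:{pw}".encode()).hexdigest()
```

Running the client-to-realm check first means a client asking about a realm it does not serve learns nothing about whether the user exists there.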