RE: Issue 79; digest-auth realm validation
> -----Original Message-----
> From: Beck01, Wolfgang [mailto:BeckW@t-systems.com]
> Sent: Tuesday, March 29, 2005 7:11 AM
> To: Salowey, Joe
> Cc: radiusext@ops.ietf.org
> Subject: Issue 79; digest-auth realm validation
>
> Joe,
>
> here is a text proposal:
> "The RADIUS server MUST check if the user identified by
> the User-Name attribute
> o is authorized to access the protection space defined by the
> Digest-URI and Digest-Realm attributes,
> o is authorized to use the URI included in the SIP-AOR
> attribute, if
> this attribute is present.
> If any of those checks fails, the RADIUS server MUST send an
> Access-Reject."
>
> Does this resolve the issue?
>
[Joe] There is also a need to authorize the application server (radius
client) to prevent a RADIUS client from obtaining digest hashes (HA1
attribute) for another realm and from advertising a realm that it is not
authorized to serve.
"The RADIUS server MUST check if the RADIUS client making
the request
o is authorized to act as part of the protection space
defined by the Digest-URI and Digest-Realm attributes
If this check fails, the RADIUS server MUST send an
Access-Reject."
I'm not sure if it makes any sense to check the SIP-AOR attribute. If
the SIP-AOR attribute is not part of the Digest calculation done by the
server then I do not think it makes sense to check it.
> Wolfgang
>
> --
> T-Systems International GmbH
> Technologiezentrum
> Next Generation IP Services and Systems
> +49 6151 9372863
> Am Kavalleriesand 3
> 64295 Darmstadt
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
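The two authorization checks discussed above, as an added illustration that is not code from the thread or from any RADIUS implementation: the server first verifies that the requesting RADIUS client may serve the Digest-Realm (so no H(A1) is ever derived for another client's realm), then that the user may access the protection space, and only then validates the Digest-Response. Attribute names beyond those quoted in the thread follow the RADEXT digest-auth specification (later RFC 4590); the policy tables, client identities and credentials are constructed.

```python
import hashlib
import hmac

# Constructed policy tables (hypothetical; not from the thread or the specification).
# Digest-Realm values each RADIUS client (keyed by its NAS identity) may serve:
CLIENT_REALMS = {"sip-proxy-a": {"example.com"}, "sip-proxy-b": {"partner.example"}}
# (realm, URI prefix) protection spaces each user may access:
USER_SPACES = {"alice": {("example.com", "sip:")}}
# Constructed credentials; a real server would hold H(A1) or consult a user database.
PASSWORDS = {"alice": "correct horse"}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(password, user, realm, method, uri, nonce, nc, cnonce, qop) -> str:
    """RFC 2617 request-digest with qop=auth, as the SIP UA (and the server) computes it."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorized(client: str, user: str, realm: str, uri: str) -> bool:
    """Both checks proposed in the thread, client first so that no H(A1) is ever
    derived for a realm the requesting RADIUS client is not allowed to serve."""
    if realm not in CLIENT_REALMS.get(client, set()):
        return False
    return any(realm == r and uri.startswith(p) for r, p in USER_SPACES.get(user, ()))


def handle_access_request(client: str, a: dict) -> str:
    """Return 'Access-Accept' or 'Access-Reject' for a Digest Access-Request."""
    user, realm, uri = a["User-Name"], a["Digest-Realm"], a["Digest-URI"]
    if not authorized(client, user, realm, uri) or user not in PASSWORDS:
        return "Access-Reject"
    expected = digest_response(PASSWORDS[user], user, realm, a["Digest-Method"], uri,
                               a["Digest-Nonce"], a["Digest-Nonce-Count"],
                               a["Digest-CNonce"], a["Digest-Qop"])
    ok = hmac.compare_digest(expected, a["Digest-Response"])
    return "Access-Accept" if ok else "Access-Reject"


def sample_request(realm: str, user: str = "alice", password: str = "correct horse") -> dict:
    """Constructed Access-Request attributes for a SIP REGISTER in the given realm."""
    nonce, nc, cnonce, qop = "abc123", "00000001", "0a4f", "auth"
    method, uri = "REGISTER", "sip:example.com"
    return {"User-Name": user, "Digest-Realm": realm, "Digest-URI": uri,
            "Digest-Method": method, "Digest-Nonce": nonce, "Digest-Nonce-Count": nc,
            "Digest-CNonce": cnonce, "Digest-Qop": qop,
            "Digest-Response": digest_response(password, user, realm, method, uri,
                                               nonce, nc, cnonce, qop)}
```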