[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue 79; digest-auth realm validation



Here's a complete text proposal:

   The RADIUS server MUST check if the user identified by the User-Name
   attribute
   o  is authorized to access the protection space defined by the
      Digest-URI and Digest-Realm attributes,
   o  is authorized to use the URI included in the SIP-AOR attribute, if
      this attribute is present.
   If any of those checks fails, the RADIUS server MUST send an
   Access-Reject.

   Correlation between User-Name and SIP-AOR AVP values is required just
   to avoid that any user can register or misuse a SIP-AOR allocated to
   another user.

   A RADIUS server MUST check if the RADIUS client is authorized to
   serve users of the realm mentioned in the Digest-Realm attribute.  If
   the RADIUS client is not authorized, the RADIUS server sends an
   Access-Reject.  The RADIUS server considers this client as
   compromised.  It notifies the operator and rejects all future
   requests from this client, until some management action tells it to
   do so again.

Please send me a note if you have objections/additions about this text so
we can close the issue.

Wolfgang

--
T-Systems
Next Generation IP Services and Systems
+49 6151 937 2863
Am Kavalleriesand 3
64295 Darmstadt
Germany 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>