
Re: Issue 79; digest-auth realm validation



I have a question:

What is the intention of this text:

   "The RADIUS server considers this client as
   compromised. "

What is this consideration? Is it that the RADIUS server marks "something" as "not being able to use the HTTP or SIP service any longer"?

I hope it does not mean that the RADIUS server marks the user in a black list or something similar.

I also hope that we can focus on the technical aspects of the protocol, and leave the issue of alarms, sirens, urgent e-mails and the like to the designers of products. I am not referring to this other paragraph:

   "It notifies the operator and rejects all future
   requests from this client, until some management action tells it to
   do so again."

/Miguel



Beck01, Wolfgang wrote:

Here's a complete text proposal:

   The RADIUS server MUST check if the user identified by the User-Name
   attribute
   o  is authorized to access the protection space defined by the
      Digest-URI and Digest-Realm attributes,
   o  is authorized to use the URI included in the SIP-AOR attribute, if
      this attribute is present.
   If any of those checks fails, the RADIUS server MUST send an
   Access-Reject.

   Correlation between User-Name and SIP-AOR AVP values is required just
   to avoid that any user can register or misuse a SIP-AOR allocated to
   another user.

   A RADIUS server MUST check if the RADIUS client is authorized to
   serve users of the realm mentioned in the Digest-Realm attribute.  If
   the RADIUS client is not authorized, the RADIUS server sends an
   Access-Reject.  The RADIUS server considers this client as
   compromised.  It notifies the operator and rejects all future
   requests from this client, until some management action tells it to
   do so again.

Please send me a note if you have objections/additions about this text so
we can close the issue.

Wolfgang

--
T-Systems
Next Generation IP Services and Systems
+49 6151 937 2863
Am Kavalleriesand 3
64295 Darmstadt
Germany


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


-- Miguel A. Garcia tel:+358-50-4804586 Nokia Research Center Helsinki, Finland
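
The checks in the proposed text, written out as an added example (not part of the thread or of the draft). It assumes a protection space can be modelled as an exact (Digest-Realm, Digest-URI) pair; the `Policy` tables, the `authorize` and `reinstate` names and all sample values are hypothetical. Digest response validation is not shown.

```python
from dataclasses import dataclass, field

REJECT, PASS = "Access-Reject", "authorized"

@dataclass
class Policy:
    client_realms: dict   # RADIUS client id -> realms it may serve
    user_spaces: dict     # User-Name -> {(Digest-Realm, Digest-URI), ...}
    user_aors: dict       # User-Name -> SIP AORs allocated to that user
    blocked: set = field(default_factory=set)   # clients treated as compromised
    alerts: list = field(default_factory=list)  # stand-in for operator notification

def authorize(policy, client, attrs):
    """Run the proposal's authorization checks on one Access-Request."""
    if client in policy.blocked:
        return REJECT, "client blocked pending management action"
    realm, user = attrs.get("Digest-Realm"), attrs.get("User-Name")
    # Client check: may this RADIUS client serve users of Digest-Realm?
    if realm not in policy.client_realms.get(client, set()):
        policy.blocked.add(client)
        policy.alerts.append(f"client {client} sent unauthorized realm {realm!r}")
        return REJECT, "client not authorized for realm"
    # User check 1: protection space given by Digest-URI and Digest-Realm.
    if (realm, attrs.get("Digest-URI")) not in policy.user_spaces.get(user, set()):
        return REJECT, "user not authorized for protection space"
    # User check 2: applies only when SIP-AOR is present.
    aor = attrs.get("SIP-AOR")
    if aor is not None and aor not in policy.user_aors.get(user, set()):
        return REJECT, "SIP-AOR not allocated to user"
    return PASS, None

def reinstate(policy, client):
    """The 'management action' that lets a blocked client be served again."""
    policy.blocked.discard(client)

# Constructed sample data.
policy = Policy(
    client_realms={"proxy-a": {"example.com"}},
    user_spaces={"alice": {("example.com", "sip:example.com")}},
    user_aors={"alice": {"sip:alice@example.com"}},
)
ok = {"User-Name": "alice", "Digest-Realm": "example.com",
      "Digest-URI": "sip:example.com", "SIP-AOR": "sip:alice@example.com"}
```

A failed user check rejects only that request, while a failed client check also blocks the client until `reinstate` is called, which is the behaviour the question above is about.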

