[reSIProcate] Helper::advancedAuthenticateRequest() and old nonces

Byron Campen bcampen at estacado.net
Tue Mar 25 15:12:58 CDT 2008


	Ok, maybe everyone would be happy if we made the behavior configurable (Alex)? (i.e., have a bool that could be set when launching repro that specified whether we did a 403 or a 401 when a bad nonce came in)

Best regards,
Byron Campen

> We have had this issue after a server crash, and one of our lab terminals, I don't remember which brand, tried periodically to re-register with the credentials based on the stale nonce but was rejected every time with 403 and never got registered again (until rebooted).
> I think it is the correct behaviour to send a 401 with a fresh nonce if the server isn't happy with the one in the request.
>
> best regards
> Björn Andersson
>
> Alexander Altshuler wrote:
>> Exactly - we may have an infinite message flow:
>> (Request with bad credential) <-> (401 with challenge)
>>
>> I don't see any use cases where 401 will help.
>> Even if you use a pool of proxies - you may share one nonce helper key among servers.
>> But if somebody provides a credential for YOUR domain/ip and it does not contain a proper nonce - it should be rejected.
>>
>> Regards
>> Alexander Altshuler
>> http://xeepe.com
>>
>> -----Original Message-----
>> From: Byron Campen [mailto:bcampen at estacado.net]
>> Sent: Wednesday, March 12, 2008 5:38 PM
>> To: Alexander Altshuler
>> Cc: 'resiprocate-devel'
>> Subject: Re: [reSIProcate] Helper::advancedAuthenticateRequest() and old nonces
>>
>> 	This is certainly useful. Do you have an opinion on the 403 vs. 401 issue though? It seems that sending a 403 buys us absolutely nothing, and hurts interop besides. I see no reason to continue doing it. I could maybe see sending a 403 if someone sends us credentials that are malformed, on the assumption that the endpoint is broken and we should just tell it to shut up. (This brings up the question of how we deal with endpoints that don't know when to quit sending us bad credentials.)
>>
>
>
