[AAA-WG]: issue with expected response calculation

Jo Hermans <jo.hermans@gmail.com> Tue, 12 April 2005 12:26 UTC

Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA24416 for <aaa-archive@lists.ietf.org>; Tue, 12 Apr 2005 08:26:26 -0400 (EDT)
Received: by trapdoor.merit.edu (Postfix) id 5C6B491211; Tue, 12 Apr 2005 08:26:09 -0400 (EDT)
Delivered-To: aaa-wg-outgoing@trapdoor.merit.edu
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 27FF1912DF; Tue, 12 Apr 2005 08:26:09 -0400 (EDT)
Delivered-To: aaa-wg@trapdoor.merit.edu
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id AAB5791211 for <aaa-wg@trapdoor.merit.edu>; Tue, 12 Apr 2005 08:26:07 -0400 (EDT)
Received: by segue.merit.edu (Postfix) id 926C258289; Tue, 12 Apr 2005 08:26:07 -0400 (EDT)
Delivered-To: aaa-wg@segue.merit.edu
Received: from testbed9.merit.edu (testbed9.merit.edu [198.108.1.10]) by segue.merit.edu (Postfix) with ESMTP id 4EEE358286 for <aaa-wg@segue.merit.edu>; Tue, 12 Apr 2005 08:26:07 -0400 (EDT)
Received: by testbed9.merit.edu (Postfix) id 54F271874; Tue, 12 Apr 2005 08:26:07 -0400 (EDT)
Delivered-To: aaa-wg@merit.edu
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.206]) by testbed9.merit.edu (Postfix) with ESMTP id 2DFA01861 for <aaa-wg@merit.edu>; Tue, 12 Apr 2005 08:26:06 -0400 (EDT)
Received: by wproxy.gmail.com with SMTP id 36so1395975wra for <aaa-wg@merit.edu>; Tue, 12 Apr 2005 05:26:06 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type; b=QWU+4tFcdm1Hf19haQoXiYxzi4qo2QgmmiH4XQgjGtP6Fn11VL+NFp/3jm+D+UgjHVrDHo+/zq6QMLPdRGCbFMdG/G9We+Uox5NZgG8cUzsgehCQd11502RYAQX/LZBUtstaf9fPcQ82GXQKQ4+eb9WjxQlfzFUGTknoV5MutC8=
Received: by 10.54.55.6 with SMTP id d6mr2990797wra; Tue, 12 Apr 2005 05:26:06 -0700 (PDT)
Received: by 10.54.43.21 with HTTP; Tue, 12 Apr 2005 05:26:05 -0700 (PDT)
Message-ID: <a4ba2af605041205262c911cf6@mail.gmail.com>
Date: Tue, 12 Apr 2005 14:26:05 +0200
From: Jo Hermans <jo.hermans@gmail.com>
Reply-To: Jo Hermans <jo.hermans@gmail.com>
To: aaa-wg@merit.edu
Subject: [AAA-WG]: issue with expected response calculation
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1528_3917012.1113308765929"
Sender: owner-aaa-wg@merit.edu
Precedence: bulk

I have a problem with paragraph 8.5.6.1 in
draft-ietf-aaa-diameter-sip-app-07, 3rd paragraph ("Please note that the
expected response ...")

The draft mentions that the expected response calculation can't be done when
the SIP UA has sent an expected response based on client nonces. It then
mentions that this is the case when the qop parameter is present in the
client request.

That last part I don't understand. I thought that H(A1) is dependent on the
algorithm, not qop. Qop only influences A2 and the digest, which are
both calculated in the Diameter Client (SIP Server). See also
<http://danforsberg.info:8080/draft-ietf-aaa-diameter-sip/issue40>

But even then I don't understand. I think that the Diameter Server does have
the client nonces available (they're in the SIP-Authorization AVP, and were
used to calculate the request digest!), and is able to calculate H(A1).
Even if MD5-sess was used, it could still calculate H(A1). MD5-sess also has
the added advantage that H(A1) could only be used once, which is also the
reason why draft-sterman-aaa-sip-04.txt doesn't want to use MD5 unless the
message is protected against eavesdropping.

I agree that if qop is missing and algorithm is MD5, client nonces aren't
used at all (backwards compatibility with RFC 2069). H(A1) might be stored
inside the Diameter Client (SIP server) when it's first received, and reused
later on. Is this what the draft is alluding to?

-- 
Jo Hermans

"Eagles may soar, but weasels aren't sucked into jet engines"
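The Digest calculation the message discusses, worked through as an added example. This is not code from draft-ietf-aaa-diameter-sip-app, from draft-sterman-aaa-sip, or from anyone on the list; the function names and the split of the work into a "Diameter server" role (holds the password, computes H(A1)) and a "Diameter client / SIP server" role (holds the request, computes H(A2) and the response) are this example's own way of laying out RFC 2617 and RFC 2069. The sample Authorization header is the RFC 2617 section 3.5 test vector (username Mufasa, password "Circle Of Life", method GET), used here as constructed input.

```python
"""Digest (RFC 2617 / RFC 2069) expected-response calculation split across
the two Diameter roles. Added illustration, not the draft's or the list's
code. Function names are this example's own."""
import hashlib
import hmac
import re

# Constructed input: the Authorization header from the RFC 2617 section 3.5
# example (username Mufasa, password "Circle Of Life", method GET).
RFC2617_EXAMPLE = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

# key=value pairs; the value is either a quoted string or a bare token.
_PARAM_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def parse_digest_header(header: str) -> dict:
    """Parameters of an 'Authorization: Digest ...' value, i.e. what the SIP
    server copies into the SIP-Authorization AVP. Quoted and unquoted values
    are both accepted; qop, nc and algorithm are usually sent unquoted."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(rest)}


def h_a1(params: dict, password: str) -> str:
    """Diameter server role. H(A1) depends on the algorithm, never on qop.
    MD5: fixed per username/realm/password, so it can be cached and reused.
    MD5-sess: additionally hashed over nonce and cnonce; both are carried in
    the client's Authorization header, so the server can still compute it."""
    algorithm = params.get("algorithm", "MD5").upper()
    base = md5_hex(f"{params['username']}:{params['realm']}:{password}")
    if algorithm == "MD5":
        return base
    if algorithm == "MD5-SESS":
        return md5_hex(f"{base}:{params['nonce']}:{params['cnonce']}")
    raise ValueError(f"unsupported algorithm {algorithm}")


def h_a2(params: dict, method: str, entity_body: bytes = b"") -> str:
    """Diameter client (SIP server) role. qop matters here: auth-int also
    covers the entity body; qop absent or 'auth' covers method and URI only."""
    qop = params.get("qop")
    if qop in (None, "auth"):
        return md5_hex(f"{method}:{params['uri']}")
    if qop == "auth-int":
        body_hash = hashlib.md5(entity_body).hexdigest()
        return md5_hex(f"{method}:{params['uri']}:{body_hash}")
    raise ValueError(f"unsupported qop {qop}")


def expected_response(ha1: str, params: dict, method: str,
                      entity_body: bytes = b"") -> str:
    """Diameter client (SIP server) role. With qop present (RFC 2617) the
    client nonce and nonce count enter the digest; with qop absent
    (RFC 2069 compatibility) they are ignored even if the header carries them."""
    ha2 = h_a2(params, method, entity_body)
    if "qop" in params:
        return md5_hex(f"{ha1}:{params['nonce']}:{params['nc']}:"
                       f"{params['cnonce']}:{params['qop']}:{ha2}")
    return md5_hex(f"{ha1}:{params['nonce']}:{ha2}")


def verify(header: str, method: str, password: str,
           entity_body: bytes = b"") -> bool:
    """Both roles end to end, with a constant-time compare of the digests."""
    params = parse_digest_header(header)
    ha1 = h_a1(params, password)                                  # server role
    calc = expected_response(ha1, params, method, entity_body)    # client role
    return hmac.compare_digest(calc, params["response"])


if __name__ == "__main__":
    pw = "Circle Of Life"
    p = parse_digest_header(RFC2617_EXAMPLE)
    no_qop = {k: v for k, v in p.items() if k != "qop"}
    sess = dict(p, algorithm="MD5-sess")
    print("RFC 2617 vector verifies:", verify(RFC2617_EXAMPLE, "GET", pw))
    print("MD5 H(A1) unchanged by qop:", h_a1(p, pw) == h_a1(no_qop, pw))
    print("MD5-sess H(A1) changes with cnonce:",
          h_a1(sess, pw) != h_a1(dict(sess, cnonce="0a4f113c"), pw))
```

Removing qop from the parsed header leaves H(A1) untouched but switches the response to the RFC 2069 form, which is the distinction the message draws: qop decides how A2 and the final digest are formed, while algorithm (MD5 versus MD5-sess) decides whether H(A1) is a reusable per-user secret or is bound to the nonce and client nonce of one exchange.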