Re: [rtcweb] SIP on the Web: presentation and video

Iñaki Baz Castillo <> Tue, 11 October 2011 10:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 103AE21F8C4D for <>; Tue, 11 Oct 2011 03:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.496
X-Spam-Status: No, score=-2.496 tagged_above=-999 required=5 tests=[AWL=0.181, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0qwzFIMAhaxJ for <>; Tue, 11 Oct 2011 03:58:00 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6CC7821F8C3E for <>; Tue, 11 Oct 2011 03:58:00 -0700 (PDT)
Received: by vws5 with SMTP id 5so6679200vws.31 for <>; Tue, 11 Oct 2011 03:57:59 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id a11mr17779857vdg.1.1318330679767; Tue, 11 Oct 2011 03:57:59 -0700 (PDT)
Received: by with HTTP; Tue, 11 Oct 2011 03:57:59 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Tue, 11 Oct 2011 12:57:59 +0200
Message-ID: <>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <>
To: Neil Stratford <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [rtcweb] SIP on the Web: presentation and video
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Oct 2011 10:58:01 -0000

2011/10/11 Neil Stratford <>uk>:
> This is a great demo of what you can do in javascript.

I hope the SIP proxy implementing WebSocket transport is also an
important piece :)

> How would you deal with SIP credentials if you didn't want to expose them to
> the user but instead use an existing authenticated web session? Would it
> require a custom SIP authentication scheme to be implemented in the SIP
> proxy/registrar?

Good question. There are some alternatives:

WebSocket allows sending a "Cookie" header during the WebSocket
handshake between client and server (which is a HTTP GET request).
Such "Cookie" header is populated by the *web* server once the user
has logged in the web (by following any existing login mechanism).
Then the WebSocket server could validate the "Cookie" header in order
to authenticate SIP requests from the user.
If the proxy implementing WebSocket transport is just an outbound
proxy (not a registrar for example) it could add a
"P-Asserted-Identity" header to the SIP REGISTER request before
routing it to the registrar server.

Another alternative would be: the user (the web browser) retrieves his
SIP username and password from the web server (hopefully by mandating
HTTPS) and uses them to calculate the Digest credentials when the SIP
proxy replies 401/407.


Iñaki Baz Castillo