<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>13 feb 2013 kl. 16:14 skrev Mark Michelson <<a href="mailto:mmichelson@digium.com">mmichelson@digium.com</a>>:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/13/2013 02:07 AM, Olle E.
Johansson wrote:<br>
</div>
<blockquote cite="mid:D21D995E-BF46-49EB-986E-4AFC0597B3E7@edvina.net" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<br>
<br>
<div>However, that quote answers my question about migrating to
SHA256, even though I think there's a policy issue here - why
would you want to offer a bad auth mech when you have a better.
How should a client respond? I think there is work to be done
here. Let's discuss that at SIPit.</div>
<div><br>
</div>
<div>/O</div>
<br>
</blockquote>
<br>
<tt>I think the idea behind offering multiple schemes is that a
server may support both MD5 and SHA256, but the client that is
trying to authenticate may only support MD5. Even though SHA256 is
the better scheme, the server also accepts MD5 for compatibility
purposes.<br></tt></div></blockquote>I do understand that, but as I said - you don't want that in reality. You challenge with the strongest and want the strongest auth. If that fails, you may downgrade in the next challenge. There's no reason to say "I want your ID and passport, but if that fails, any membership card in a bookclub will do".</div><div><br></div><div>Now, if we challenge with SHA256 and the client fail to support that, will it retry? How do we handle this migration and negotiation without downgrading everything even if the client supports the strong one? I don't really trust developers to "pick the strongest one". People will use the book-club membership cards. Or other club cards that I don't want to mention in this forum.</div><div><br><blockquote type="cite"><div text="#000000" bgcolor="#FFFFFF"><tt>
<br>
If a client is presented with multiple schemes that it knows how
to use, then my thought is that the client should determine which
scheme is "strongest" and respond to that challenge only. We can
discuss it more at SIPit for sure. We just need to be sure to
document what we come up with on the wiki.<br></tt></div></blockquote></div>See you next week!<div><br></div><div>/O</div></body></html>