[OpenSIPS-Devel] Add X-XCAP-Preferred-Identity header to XCAP clients

Iñaki Baz Castillo ibc at aliax.net
Thu Nov 19 01:00:15 CET 2009


On Thursday, 19 November 2009, Iñaki Baz Castillo wrote:
> This header can be:
> 
>   X-XCAP-Preferred-Identity
>     and/or
>   X-3GPP-Preferred-Identity

References:
- OMA-TS-XDM_Core-V1_1-20080627-A (6.3.2 XDM Client identity assertion)
- 3GPP TS 24.109 (7.2 Authentication)


However there is another approach:

1) The client doesn't include an identity header.

2) The XCAP proxy/server requires authentication, but it *doesn't* set the 
realm based on the XUI domain. Instead it sets the realm with a constant value 
(i.e.: "provider.com") even if it's a multidomain environment.

3) The client creates the credentials and sets as username the *full* SIP URI 
("sip:alice@domain.org").

4) The server checks the credentials and parses the credentials username so 
it already knows the identity of the client and can check authorization based 
on the identity, the xui and the requested document.


But it's important to understand that Digest credentials username should 
contain a SIP URI (or TEL URI) rather than just the SIP username or a 
pseudo-uri ("alice@domain.org").

In fact, I would like OpenSIPS itself to add a new field "ha1c" in the 
subscriber table so:

  ha1  => credentials username = "alice"
  ha1b => credentials username = "alice@domain.org"
  ha1c => credentials username = "sip:alice@domain.org"


Also, OMA specs mandate it:

----------------------------------------------
OMA-TS-XDM_Core_V2

 5.1 Security Procedures
   3. The “username” parameter SHALL have the value of the XUI (i.e. the SIP
      URI or Tel URI) identifying the user (the public user identity);
----------------------------------------------


Regards.


-- 
Iñaki Baz Castillo <ibc at aliax.net>
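
The scheme in steps 1 to 4 above, sketched in Python as an added example (not part of the original message and not OpenSIPS code): the three HA1 forms, then a server-side check that authenticates against a stored "ha1c" and derives the identity from the Digest username. Assumptions: all function names are hypothetical, the Digest response is the RFC 2617 form without qop, nonce freshness is not checked, and the authorization policy is reduced to "a user may only access documents under their own XUI".

```python
import hashlib
import hmac
from urllib.parse import unquote

REALM = "provider.com"  # constant realm from step 2, even in a multidomain setup

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def ha1_variants(user, domain, password, realm=REALM):
    """HA1 = MD5(username:realm:password) for each username form in the post."""
    return {
        "ha1": md5_hex(f"{user}:{realm}:{password}"),
        "ha1b": md5_hex(f"{user}@{domain}:{realm}:{password}"),
        "ha1c": md5_hex(f"sip:{user}@{domain}:{realm}:{password}"),  # proposed field
    }

def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def xui_from_path(path):
    """Return the XUI segment that follows 'users' in an XCAP document path."""
    # Split first, then percent-decode, so an encoded '/' cannot add segments.
    parts = [unquote(p) for p in path.split("/")]
    if "users" in parts and parts.index("users") + 1 < len(parts):
        return parts[parts.index("users") + 1]
    return None

def authorize(creds, method, path, ha1c_by_uri):
    """Authenticate with ha1c, then compare the identity to the requested XUI."""
    username = creds["username"]
    # Step 3: the username must be a full SIP or TEL URI, not "alice" or a pseudo-uri.
    if creds.get("realm") != REALM or not username.startswith(("sip:", "tel:")):
        return False
    ha1c = ha1c_by_uri.get(username)
    if ha1c is None or creds["uri"] != path:
        return False
    expected = digest_response(ha1c, method, creds["uri"], creds["nonce"])
    if not hmac.compare_digest(expected, creds["response"]):
        return False
    # Step 4: the username already is the identity; no extra header is needed.
    return xui_from_path(path) == username
```

Because the username is part of the HA1 input, a stored "ha1" or "ha1b" value cannot verify a response computed with the full-URI username, which is why a separate "ha1c" field is needed.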