Martin,
Okay, I added your info to the table. However, it seems like invalidPermission, rather than securityDenial, should be returned by the gatekeeper if the endpoint is not allowed to use a service. IOW, securityDenial refers to the security mechanism, while invalidPermission refers to the (non-security) services the endpoint was trying to access. I doubt whether it matters, though. Most endpoints aren't going to behave differently depending on whether invalidPermission or securityDenial are returned.
Paul Long Smith Micro Software, Inc.
-----Original Message----- From: Euchner Martin [mailto:Martin.Euchner@ICN.SIEMENS.DE] Sent: Wednesday, September 20, 2000 9:35 AM To: ITU-SG16@MAILBAG.INTEL.COM Subject: Re: ARJ reject reasons?
Paul and others,
let me shortly explain the purpose of security denial:
H.235 and security profiles say, that this value is returned in the reject messages whenever the received cryptoTokens are not acceptable for some security reason. This may occur due to failed authentication, lack of authorization (= permission) or failed integrity but also as part of security negotiation when the received crypto parameters are not acceptable or understood.
Of course there several more reasons why security might fail and the responder sends security denial: the password/shared secret is invalid or not available, the endpoint is not allowed to use a service, replay detected, integrity violation detected, digital signature wrong, certificate expired....
Kind regards,
Martin Euchner.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For help on this mail list, send "HELP ITU-SG16" in a message to listserv@mailbag.intel.com