Paul and others,
let me briefly explain the purpose of security denial:
H.235 and security profiles say that this value is returned in the reject messages whenever the received cryptoTokens are not acceptable for some security reason. This may occur due to failed authentication, lack of authorization (= permission) or failed integrity but also as part of security negotiation when the received crypto parameters are not acceptable or understood.
Of course there are several more reasons why security might fail and the responder sends security denial: the password/shared secret is invalid or not available, the endpoint is not allowed to use a service, replay detected, integrity violation detected, digital signature wrong, certificate expired....
Kind regards,
Martin Euchner.
Dipl.-Inf. Martin Euchner
Siemens AG, ICN M NT 18
Hofmannstr. 51, D-81359 Muenchen, Germany
Phone: +49 89 722 55790
Fax: +49 89 722 46841
mailto:Martin.Euchner@icn.siemens.de
mailto:martin.euchner@ties.itu.int
Intranet: http://zt-security.mchp.siemens.de/de/Competence/Standardization/ITU-T_SG16/index.html
Internet: http://www.siemens.de
-----Original Message----- From: Paul Long [SMTP:Plong@SMITHMICRO.COM] Sent: Wednesday, 20 September 2000 15:17 To: ITU-SG16@mailbag.cps.intel.com Subject: Re: ARJ reject reasons?
I put together a table that summarizes the meanings of the ARJ reject reasons if anyone is interested. It's at the top of this page: http://www.packetizer.com/h225impl.html. Let me know if you disagree with any of it.
Paul Long Smith Micro Software, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For help on this mail list, send "HELP ITU-SG16" in a message to listserv@mailbag.intel.com
Martin,
Okay, I added your info to the table. However, it seems like invalidPermission, rather than securityDenial, should be returned by the gatekeeper if the endpoint is not allowed to use a service. IOW, securityDenial refers to the security mechanism, while invalidPermission refers to the (non-security) services the endpoint was trying to access. I doubt whether it matters, though. Most endpoints aren't going to behave differently depending on whether invalidPermission or securityDenial is returned.
Paul Long Smith Micro Software, Inc.
-----Original Message----- From: Euchner Martin [mailto:Martin.Euchner@ICN.SIEMENS.DE] Sent: Wednesday, September 20, 2000 9:35 AM To: ITU-SG16@MAILBAG.INTEL.COM Subject: Re: ARJ reject reasons?
Paul and others,
let me briefly explain the purpose of security denial:
H.235 and security profiles say that this value is returned in the reject messages whenever the received cryptoTokens are not acceptable for some security reason. This may occur due to failed authentication, lack of authorization (= permission) or failed integrity but also as part of security negotiation when the received crypto parameters are not acceptable or understood.
Of course there are several more reasons why security might fail and the responder sends security denial: the password/shared secret is invalid or not available, the endpoint is not allowed to use a service, replay detected, integrity violation detected, digital signature wrong, certificate expired....
Kind regards,
Martin Euchner.
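The distinction discussed in this thread, as an added example that is not part of either message and is not H.235's actual token encoding: a simplified gatekeeper check in which every failure of the security mechanism yields securityDenial, and a valid token for a service the endpoint may not use yields invalidPermission, following Paul's suggested split (under Martin's reading that last case would also be securityDenial). The token fields, the `|` separator, the 30-second window and the names `Gatekeeper`, `admit` and `token_mac` are assumptions made for illustration.

```python
import hashlib
import hmac

REPLAY_WINDOW = 30  # seconds; constructed value, not taken from H.235


def token_mac(secret, sender, ts, rnd, body):
    """Keyed MAC over sender, timestamp, random value and message body."""
    msg = f"{sender}|{ts}|{rnd}|".encode() + body
    return hmac.new(secret, msg, hashlib.sha1).digest()[:12]


class Gatekeeper:
    def __init__(self, secrets, permitted):
        self.secrets = secrets      # endpoint id -> shared secret
        self.permitted = permitted  # endpoint id -> set of allowed services
        self.seen = set()           # (sender, ts, rnd) of tokens already accepted

    def admit(self, token, body, service, now):
        """Return None to admit, or the ARJ reject reason as a string."""
        sender, ts, rnd = token["sender"], token["ts"], token["rnd"]
        secret = self.secrets.get(sender)
        if secret is None:
            return "securityDenial"      # shared secret not available
        if abs(now - ts) > REPLAY_WINDOW:
            return "securityDenial"      # timestamp outside the window
        expected = token_mac(secret, sender, ts, rnd, body)
        if not hmac.compare_digest(expected, token["mac"]):
            return "securityDenial"      # wrong secret or modified message
        # Only authenticated tokens enter the replay cache, so forged
        # tokens cannot fill it; entries older than the window are dropped.
        self.seen = {k for k in self.seen if now - k[1] <= REPLAY_WINDOW}
        if (sender, ts, rnd) in self.seen:
            return "securityDenial"      # replay detected
        self.seen.add((sender, ts, rnd))
        if service not in self.permitted.get(sender, set()):
            return "invalidPermission"   # token fine, service not allowed
        return None


if __name__ == "__main__":
    # Constructed sample data.
    gk = Gatekeeper({"ep1": b"s3cret"}, {"ep1": {"voice"}})
    tok = {"sender": "ep1", "ts": 1000, "rnd": 7}
    tok["mac"] = token_mac(b"s3cret", "ep1", 1000, 7, b"ARQ")
    print(gk.admit(tok, b"ARQ", "voice", now=1001))   # admitted
    print(gk.admit(tok, b"ARQ", "voice", now=1002))   # replayed token
```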