Juha Heinanen wrote:
> i never suggested that you should try to authenticate in-dialog requests
> (which do have to-tag). what i questioned is why you would reject an
> INITIAL request, just because it includes a Route header, and you still
> haven't answered THAT question.

OK, got the point. The answer is simple: it's easier to deny things than
to think about potential risks and how to authenticate calls. I can't
think about a scenario where a user needs to send a request via my
proxy. This sounds like using the proxy as a smart-relay and there is no
need for that.

Of course I could allow it, loose_route out-of-dialog requests, and apply
proper authentication logic, but what do I lose if I simply prohibit
such requests?
regards,
klaus
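
The policy discussed in this exchange, written out as an added example that is not part of the original thread or of any proxy's configuration: a request with a To-tag is in-dialog and is loose-routed, while an initial request (no To-tag) that carries a pre-loaded Route header is rejected. The function names, decision strings and sample messages are constructed for illustration.

```python
import re

COMPACT = {"t": "to"}  # RFC 3261 compact form of the To header

def parse_headers(raw):
    """Map lower-cased header names to their values for a raw SIP request."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continuation lines
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers

def has_to_tag(headers):
    """True if To carries a tag header parameter (request is in-dialog)."""
    for value in headers.get("to", []):
        # Header parameters follow the closing '>' of a name-addr, so a
        # ';tag=' placed inside the URI is not mistaken for a To-tag.
        params = value.rsplit(">", 1)[-1]
        if re.search(r";\s*tag\s*=\s*[^;\s]+", params, re.I):
            return True
    return False

def decide(raw):
    """Apply the deny-by-default policy from the thread to one request."""
    headers = parse_headers(raw)
    if has_to_tag(headers):
        return "in-dialog: loose-route"
    if "route" in headers:
        return "reject: initial request with pre-loaded Route"
    return "initial: authenticate and route normally"

# Constructed sample requests (hosts and tags are placeholders).
PRELOADED = ("INVITE sip:bob@example.net SIP/2.0\r\n"
             "Route: <sip:proxy.example.com;lr>\r\n"
             "To: <sip:bob@example.net>\r\n"
             "From: <sip:alice@example.com>;tag=a1\r\n\r\n")
IN_DIALOG = ("BYE sip:bob@192.0.2.10 SIP/2.0\r\n"
             "route: <sip:proxy.example.com;lr>\r\n"
             "t: <sip:bob@example.net>;tag=b2\r\n"
             "From: <sip:alice@example.com>;tag=a1\r\n\r\n")

if __name__ == "__main__":
    for msg in (PRELOADED, IN_DIALOG):
        print(decide(msg))
```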