Juha Heinanen wrote:
i never suggested that you should try to authenticate in-dialog requests (which do have to-tag). what i questioned is why you would reject an INITIAL request, just because it includes a Route header, and you still haven't answered THAT question.
OK, got the point. The answer is simple: it's easier to deny things than to think about potential risks and how to authenticate calls. I can't think of a scenario where a user needs to send a request via my proxy. This sounds like using the proxy as a smart relay and there is no need for that.
Of course I could allow loose_route for out-of-dialog requests and apply proper authentication logic, but what do I lose if I simply prohibit such requests?
regards, klaus
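
Added example, not part of the thread and not any proxy's own code: a Python model of the policy discussed above, where a request with a To-tag is treated as in-dialog and an initial request that carries a Route header is refused. The function names, hosts and sample messages are constructed for illustration.

```python
import re

# Compact header forms from RFC 3261 that matter here (Route has none).
COMPACT = {"t": "to", "f": "from", "i": "call-id", "v": "via"}

def parse_headers(raw):
    """Return {lowercased header name: [values]} for a raw SIP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)       # unfold continuation lines
    headers = {}
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers

def has_to_tag(to_value):
    """True only for a tag header parameter, not a URI parameter inside <...>."""
    params = to_value.rsplit(">", 1)[-1] if ">" in to_value else to_value
    return re.search(r";\s*tag\s*=\s*[^;\s]+", params, re.I) is not None

def classify(raw):
    """'in-dialog', 'reject' (initial request carrying Route) or 'initial'."""
    h = parse_headers(raw)
    if any(has_to_tag(v) for v in h.get("to", [])):
        return "in-dialog"
    return "reject" if "route" in h else "initial"

def msg(*lines):
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample requests (example.com / example.net are placeholders).
PRELOADED = msg("INVITE sip:bob@example.com SIP/2.0",
                "Route: <sip:relay.example.net;lr>",
                "To: <sip:bob@example.com;tag=not-a-dialog-tag>",
                "From: <sip:alice@example.com>;tag=a1")
IN_DIALOG = msg("BYE sip:bob@192.0.2.10 SIP/2.0",
                "Route: <sip:proxy.example.com;lr>",
                "t: Bob <sip:bob@example.com>;tag=8321",
                "f: <sip:alice@example.com>;tag=a1")
PLAIN = msg("INVITE sip:bob@example.com SIP/2.0",
            "To: <sip:bob@example.com>",
            "From: <sip:alice@example.com>;tag=a1")

if __name__ == "__main__":
    for name, m in (("PRELOADED", PRELOADED), ("IN_DIALOG", IN_DIALOG), ("PLAIN", PLAIN)):
        print(name, classify(m))
```

The To-tag test reads only header parameters after the closing `>`, so a `tag` parameter inside the URI does not make a request count as in-dialog.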