RFC 4740, "Diameter Session Initiation Protocol (SIP) Application", November 2006

Errata ID: 2315
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Alexandre Westfahl
Date Reported: 2010-06-28
Rejected by: Dan Romascanu
Date Rejected: 2011-08-03

Section 9.5.4 says:

      SIP-Authorization ::= < AVP Header: 380 >
                            { Digest-Username }
                            { Digest-Realm }
                            { Digest-Nonce }
                            { Digest-URI }
                            { Digest-Response }
                            [ Digest-Algorithm ]
                            [ Digest-CNonce ]
                            [ Digest-Opaque ]
                            [ Digest-QoP ]
                            [ Digest-Nonce-Count ]
                            [ Digest-Method]
                            [ Digest-Entity-Body-Hash ]
                          * [ Digest-Auth-Param ]
                          * [ AVP ]

It should say:

      SIP-Authorization ::= < AVP Header: 380 >
                        ***    [ Digest-Username ]
                        ***    [ Digest-Realm ]
                        ***    [ Digest-Nonce ]
                            { Digest-URI }
                        ***    [ Digest-Response ]
                            [ Digest-Algorithm ]
                            [ Digest-CNonce ]
                            [ Digest-Opaque ]
                            [ Digest-QoP ]
                            [ Digest-Nonce-Count ]
                            [ Digest-Method]
                            [ Digest-Entity-Body-Hash ]
                          * [ Digest-Auth-Param ]
                          * [ AVP ]

Notes:

According to RFC5090, defining Digest Authentication, we only have Digest-Method and Digest-URI during the first round trip.
As it is possible to add a Digest-Realm and Digest-Username, it is impossible to add a Digest-Nonce in the first round trip! The nonce is calculated in the diameter server so the RADIUS/Diameter gateway can't add a nonce when the first request arrive. This problem is not limited to Radius/Diameter gateway, a diameter peer can't add a nonce during the first MAR/MAA.

Maybe I was no clear enough in my explanation, since I am implementing Diameter-SIP now, I am sure there is a problem. I am available if you need more details or explanation.
--VERIFIER NOTES--
The errata is wrong.

The SIP-Authorization AVP carries the content of the Authorization header provided by the user in the SIP request.
As you can see below, the content of the

credentials = "Digest" digest-response
digest-response = 1#( username | realm | nonce | digest-uri
| response | [ algorithm ] | [cnonce] |
[opaque] | [message-qop] |
[nonce-count] | [auth-param] )

And username, realm, nonce, digest-uri, response are mandatory parameters in this header.
So the syntax is correct.

Report New Errata