Client Initiated. A UA negotiates the security mechanism to be used with its outbound proxy without knowing beforehand which mechanisms the proxy supports. UAC Proxy UAS | | | |----(1) OPTIONS---->| | | | | |<-----(2) 494-------| | | | | |<=======TLS========>| | | | | |----(3) INVITE----->| | | |----(4) INVITE--->| | | | Xxxxx et al [Page 11] INTERNET-DRAFT SIP Sec Agreement May 2002 | |<---(5) 200 OK | |<---(6) 200 OK------| | | | | |------(7) ACK------>| | | |-----(8) ACK >| | | | | | | | | | | | | Figure 2: Negotiation initiated by the client The UAC sends an OPTIONS request to its outbound proxy, indicating that it is able to negotiate security mechanisms and that it supports TLS and digest-integrity (Step 1 of figure 1). The outbound proxy challenges the UAC with its own list of security mechanisms – IPsec and TLS (Step 2 of figure 1). The only common security mechanism is TLS, so they establish a TLS connection between them (Step 3 of figure 1). When the connection is successfully established, the UAC sends an INVITE over the TLS connection just established (Step 4 of figure 1). This INVITE contains the server’s security list. The server verifies it, and since it matches its static list, it processes the INVITE and forwards it to the next hop. If this example was run without Security-Server header in Step 2, the UAC would not know what kind of security the other one supports, and would be forced to error-prone trials. More seriously, if the Security-verify was omitted in Step 4, the whole process would be prone for MitM attacks. An attacker could spoof "ICMP Port Unreachable" message on the trials, or remove the stronger security option from the header in Step 1, therefore substantially reducing the security.
Client Initiated. In the event that Client desires to modify or amend the Statement of Work, Client will work with Tyler to initiate a Change Order to Tyler noting the general scope, Deliverables, and timeline requirements for the services requested. Tyler must timely respond in writing, providing a specific recommendation for the solution, and providing Client with an estimated cost for the work proposed in the Change Order, if applicable. Tyler’s written response will include sufficient detail to evaluate the response, including, as appropriate, a breakdown of the number of staff hours, level of personnel needed to effect this change, and technical design information for the proposed solution. If Client elects to move forward with the Change Order, the Change Order shall not become binding until agreed upon by both parties in writing. There is no charge for the preparation of Tyler’s response. Client’s submission of an unsolicited Change Order request to Tyler does not modify or amend the Statement of Work in any way and creates no Tyler obligations.
Client Initiated. A client wishing to establish some type of security with its first- hop proxy SHOULD add a Security-Client header field to a request addressed to this proxy (i.e., the destination of the request is the first-hop proxy). This header field contains a list of all the security mechanisms that the client supports. The client SHOULD NOT add preference parameters to this list. The client MUST also add a Require header field with the value "sec-agree" to its request. The Security-Client header field is used by the server to include any necessary information in its response. For example, if digest- integrity is the chosen mechanism, the server includes a WWW- Authenticate header in the response. If S/MIME is chosen, the appropriate certificate is included. If the security mechanisms supported by the client do not need any further information to be established (e.g., TLS) the client MAY choose not to include the Security-Client header field in its request. Xxxxx et al [Page 7] INTERNET-DRAFT SIP Sec Agreement May 2002 A server receiving a request that contains a Require header field with the value "sec-agree" MUST challenge the client with a 494 (Security Agreement Required) response. The server MUST add a Security-Server header field to this response listing the security mechanisms that the server supports. The server MUST add its list to the response even if there are no common security mechanisms in the client's and server's lists. The serverÆs list MUST NOT depend on the contents of the client's list. The server MUST compare the list received in the Security-Client header field with the list to be sent in the Security-Server header field. When the client receives this response, it will choose the common security mechanism with the higher preference value. Therefore, the server MUST add the necessary information so that the client can initiate that mechanism (e.g., a WWW-Authenticate header field for digest-integrity). When the client receives a response with a Security-Server header field, it SHOULD choose the security mechanism in the serverÆs list with the highest "q" value among all the mechanisms that are known to the client. Then, it MUST initiate that particular security mechanism as described in Section 3.5. This initiation may be carried out without involving any SIP message exchange (e.g., establishing a TLS connection). If an attacker modified the Security-Client header field in the request, the server may not include in its response the information ne...
Client Initiated the end user carries a device that can connect to a gateway device (in most cases over wireless) and support the necessary security procedures but does not require special dedicated software to supported federated access. Gateways are assumed to implement external federation functionality and to allow remote end users to connect to the gateway (e.g., through WiFi).
Client Initiated. An end user connects to a federation gateway and explicitly signals to that gateway that it wants to access foreign federation services.
Client Initiated a device that can connect to a gateway device (in most cases over wireless) and support the necessary security procedures and requires special dedicated software to support remote federated access (similar to VPN client).
Client Initiated. Client, at any time prior to Final Completion, may propose Changes or Extra Work in writing. H&H shall respond by submitting to Client a written proposal containing the estimated cost to perform the Change or Extra Work (including Hard Costs and H&H Fees), annual energy and annual utility, operational and maintenance cost savings, payback period, and a schedule for completion of the Change or Extra Work within fifteen (15) days of Client’s request. H&H shall perform the Changes or Extra Work only upon receipt of Client’s approval of the written proposal. Any Change or Extra Work performed by H&H which is not approved by Client’s Contact in writing shall not be approved for payment and will not be included in the final Scope of Work. The Parties will amend any exhibits affected by the Change and/or Extra Work accordingly.
