[IDS] [IPP] Updates to print-by-reference

Randy Turner rturner at amalfisystems.com
Tue Aug 20 19:17:33 UTC 2013




Hi Mike,


As I said, there are other issues that we could nip in the bud, I think the authorization issue is a bit more glaring, but I'm assuming by "access" you mean that the IPP server might not have IP reachability to a resource (like the resource might be behind a firewall or other middlebox). That's an issue too, and important to understand.


One problem that was identified to me recently is being able to have a cloud printer print my photos that reside on another site like "photobucket.com".


I think these are interesting issues to address, yes, even more interesting than "fax" :)


Thanks!
Randy




-----Original Message-----
From: Michael Sweet [mailto:msweet at apple.com]
Sent: Tuesday, August 20, 2013 11:13 AM
To: rturner at amalfisystems.com
Cc: ipp at pwg.org, ids at pwg.org
Subject: Re: [IPP] Updates to print-by-reference

Randy,

What Ira said, but also an observation: authorization is just one of the glaring issues of print-by-reference. Access (as in, can I even connect to the server hosting the referenced document?) is an equal partner in the scenario you provided.






On 2013-08-20, at 1:19 PM, "Randy Turner" <rturner at amalfisystems.com> wrote:




Hi All,


I commented on IPP work items (email from Mike Sweet) yesterday with a brief statement about "...making print-by-reference work better".


I would like to expand on that comment by saying that there are a number of print-by-reference use-cases, some of which we've talked about, others we haven't, for which we really don't have a good solution. Support for print-by-reference has been in IPP since we originally documented IPP on stone tablets in our caves (at least it feels that way to me :)


However, there have always been "gotchas" with respect to accessing remote documents; mainly due to the fact that an IPP server needs to access remote URLs and the IPP server may not have access rights to those resources.


There are also other "credential delegation" scenarios that I think we might want to nip in the bud while we're at it.


The model for credential delegation today is a mashup of federation techniques and OAUTH tokens, and this is something we might want to use. However, most OAUTH use-cases involve access to a resource through a browser, which might be supported through some type of IPP cloud service, but would not help IPP clients that are embedded into OS printing interfaces. OAUTH 2.0 is trying to address the non-browser case, but their goals are not very ambitious.


There is an IETF working group (ABFAB) that is currently trying to address the federated/credential-delegation problem for ordinary non-web application scenarios. They have even included printing as a potential use-case, which I am including below for reference:


A visitor from one organisation to the premises of another often
 requires the use of print services. Their home organisation may of
 course offer printing, but the output could be a long way away so the
 home service is not useful. The user will typically want to print
 from within a desktop or mobile application.


 Where this service is currently offered it would usually be achieved
 through the use of 'open' printers (i.e. printers that allow
 anonymous print requests), where printer availability is advertised
 through the use of Bonjour or other similar protocols. If the
 organisation requires authenticated print requests (usually for
 accounting purposes), the visitor would usually have to be given
 credentials that allow this, often supplemented with pay-as-you-go
 style payment systems.


 Adding federated authentication to IPP [RFC2911] (and other relevant
 protocols) would enable this kind of remote printing service without
 the administrative overhead of credentialing these visitors (who, of
 course, may well be one time visitors to the organisation). This would
 be immediately applicable to higher education, where this use case is
 increasingly important thanks to the success of federated network
 authentication systems such as eduroam but could also be used in
 other contexts such as commercial print kiosks, or in large,
 heterogeneous organizations.





You can judge for yourself the value of this particular use-case, but regardless, I think it would be nice if the IPP WG (possibly with the assistance of IDS) worked out a profile for these types of use-cases that require delegated authorization. 


Randy






_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair



