>>>>> "RT" == Randy Turner <rturner at sharplabs.com> writes:
RT> We talked about basic authentication in Memphis and we decided
RT> that low-end IPP servers could use this because it is simple. We
RT> really only need two levels of security, simple and advanced, for
RT> interoperability's sake. The simple case would be basic auth.,
RT> which a lot of vendors are already supporting (username and
RT> password) in their products.
>>>>> "CM" == Carl-Uno Manros <cmanros at cp10.es.xerox.com> writes:
CM> You can certainly use the basic stuff that is in your document,
CM> but if used, that will fall into the category "no security" as seen by the
CM> SEC subgroup.
The HTTP Basic Authentication scheme is no authentication at all,
and I suspect will be treated as such by IESG reviewers. To quote
from the report on a recent meeting of the IAB
<http://www.iab.org/iab/secrets.html>, in a section titled "To be
Killed: Plaintext Passwords":
"Any protocol that relies on the transmission of unencrypted
passwords is terminally broken."
If the IPP security mapping document mentions the Basic
authentication scheme at all, it should be to explicitly disallow
it as a means of providing a security service.
Scott Lawrence EmWeb Embedded Server <lawrence at agranat.com>
Agranat Systems, Inc. Engineering http://www.agranat.com/
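
An added illustration, not part of the original message or of any IPP implementation: a small audit routine that reads a captured HTTP request and reports Basic credentials as "no security", since the header is only Base64-encoded and can be reversed without a key. The sample request, host name, path, credentials and the function names are constructed for this example.

```python
import base64
import binascii

# Constructed sample: an IPP print request carried over HTTP with Basic credentials.
_CREDS = base64.b64encode(b"alice:s3cret-pw").decode("ascii")
SAMPLE_REQUEST = (
    "POST /ipp/print HTTP/1.1\r\n"
    "Host: printer.example\r\n"
    "Content-Type: application/ipp\r\n"
    f"Authorization: Basic {_CREDS}\r\n"
    "\r\n"
).encode("ascii")


def authorization_header(raw_request: bytes):
    """Return (scheme, parameter) from the Authorization header, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, param = value.strip().partition(" ")
            return scheme.lower(), param.strip()
    return None


def audit_request(raw_request: bytes) -> dict:
    """Classify a request the way the thread does: Basic counts as no security."""
    auth = authorization_header(raw_request)
    if auth is None:
        return {"scheme": None, "security": "none", "exposed": None}
    scheme, param = auth
    if scheme != "basic":
        # Other schemes need their own assessment; this sketch only flags them.
        return {"scheme": scheme, "security": "review", "exposed": None}
    try:
        # Base64 is an encoding, not encryption: no key is needed to reverse it.
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"scheme": "basic", "security": "none", "exposed": None}
    user, _, password = decoded.partition(":")
    # Report only what an observer on the wire learns, without echoing the password.
    return {"scheme": "basic", "security": "none",
            "exposed": {"user": user, "password_length": len(password)}}
```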