Harry Lewis wrote:
>> Randy wrote:
>> >The fact that scenarios exist where security is not
> >necessary, do not obviate the need for the standard
> >to specify security as a requirement
>> I would restate this, slightly... "The fact that scenarios exist where
> security is not necessary does not obviate the need for the standard
> to SPECIFY THE REQUIREMENTS FOR SECURITY".
Yes, I like this wording better.
>> I think the IETF is trying to tell us "not to build a protocol without
> addressing security". We are interpreting this to mean "do not allow an
> implementation which is not secure".
>> Is every web server, on the Internet today, required to support HTTPS?
> Why? Many servers would have no need to be secure.
They are required by de facto, not by a pure standard, to support HTTPS
because no commercial vendor of HTTP servers would introduce a server
incapable of providing the capability for internet commerce.
Its like I was saying a previous message about TCP, you don't design
a protocol for the easy case, you design it to scale from the easy
to the more advanced, which is why, yes, for an intranet application,
you might need HTTPS, but that scenario doesn't deter vendors from
including it in their product, because they're not interested in
rolling <N> different products to support <N> different scenarios.
Just ship one product that scales nicely.
HTTP 1.1 will probably require digest authentication, so if IPP
is implemented over HTTP 1.1, then this would be a requirement. This
is one of the reasons why I'm not so sure it would be overly
burdensome to require IPP servers to support MD5 digest authentication,
whether its used by HTTP or SSL3/TLS.
>> MAKING every IPP printer behave in a secure fashion could be misleading
I'm curious why this would be misleading...