At 02:55 PM 11/7/97 PST, Turner, Randy wrote:
>I have placed a draft of my IPP security proposal on the
>PWG FTP server.
>There is a Microsoft Word 2.0 document version
>ftp://ftp.pwg.org/pub/pwg/ipp/drafts/ippsec.doc
>and an HTML version
Thanks for taking the time to put your ideas on paper.
I looked over your proposal and would like you to comment on the following.
I expect to get back with more detailed comments after having spoken to my
security guys on Monday.
1) I was disappointed that you did not spell out what is now the minimum
"extra stuff" that every implementation would have to include if we
mandated TLS negotiation for all IPP clients and servers. My latest
impression is that it is a lot more than we anticipated when the subject
was discussed in the Boulder PWG meeting.
2) Earlier today Keith Moore came up with a proposal to take a new look at
SASL, which might alleviate some of the extra burden that 1) above might
incur. Do you or anybody else know if "the world" is really going to
implement SASL in the foreseeable future (or are we up against yet another
road block here)? Judging from the comments on the DL recently, a number of
people have asked for a very lightweight mechanism to do the initial
security negotiation, with the option to say "NO I do not want any
security", and I am still not convinced that TLS will deliver that.
If I have interpreted the feelings of the WG on this subject correctly, I
would like to draw a comparison with safe sex:
If you tend to mix with new or potentially unreliable partners, you are
quite likely to want to have some form of protection and would welcome the
subject to be brought up before you get too intimate. However, if you only
practise it with a steady and well-known partner, you would probably be
upset to have to go through a forced negotiation about different types of
preventive tools and methods every time. If you trust your partner, you
should be allowed to practise unsafe sex at your own risk, without any
lengthy negotiation beforehand!
Principal Engineer - Advanced Printing Standards - Xerox Corporation
701 S. Aviation Blvd., El Segundo, CA, M/S: ESAE-231
Phone +1-310-333 8273, Fax +1-310-333 5514
Email: manros at cp10.es.xerox.com