My apologies for having been a bit too slow to communicate this to the
people who were not present in the IETF meeting.
Here are a couple of explanations to what we need to do in the way of
security in order to meet the agreements in our IPP meeting.
1) The meaning of "all clients have to support both kinds of URIs and their
associated security" means that ALL clients have to support the HTTP
security, including RC 2069, as well as a suitable subset of TLS.
2) The TLS specs require that every application specifies a profile on how
they use TLS. Such a documrent has obviously not yet been produced for IPP.
A couple of guys from the TLS group promissed to quickly produce a document
for HTTP over TLS. It might be possible for us to just use that, but if we
are not happy with what that document states, we will have to create our
own. It is unlikely that the IPP documents will be accepted as Proposed
Standards before we can reference a TLS profile document.
I have asked my local security guys to get involved in the HTTT/TLS profile
draft and urge others from the IPP group to also join in, as this is now on
our critical path.