I agree that the IETF (and particularly you and Harald) should
develop new protocol standards with provision for strong security.
I just think that the interoperability question is clouding an
entirely separate issue, to whit, should customers be forced to
pay for security, if they don't want it.
Across the public Internet, it is highly desirable (at least)
for printing protocols to use strong security (and data
Within corporate intranets, the marketplace hasn't shown much
interest in paying for strong security. No printer vendor
can ignore that reality. Shoving the interoperability problem
onto the client end (who, per last weeks IETF discussion now
have to always support TLS, in order to be IPP clients) is just
pushing the problem around.
Why not address the real interoperability between mutually
secure clients and servers and SEPARATELY between mutually
insecure (or weakly secure with HTTP/1.1 native facilities)
clients and servers. Why should it matter that every IPP
client implements strong security?
But I agree that you should push for a solid security story
in IPP. Sorry I was obscure in my previous note.
- Ira McDonald (outside consultant at Xerox)