IPP> Comments / Issues on Security Proposal

IPP> Comments / Issues on Security Proposal

IPP> Comments / Issues on Security Proposal

Wenn, John C jwenn at cp10.es.xerox.com
Sat Sep 19 23:53:17 EDT 1998

1) The "AUTH" parameter is needed by the IPP client to establish a secure
connection with the IPP server.  Some security schemes (SSL, TLS) require
client start the security handshake, while others (DAA) have the server
start the security handshake. Look at several IPP method URI's:
   (1)  ipp://foo.com/printer1;AUTH=SSL
   (2)  ipp://foo.com/printer2;AUTH=TLS
   (3)  ipp://foo.com/printer2;AUTH=DAA
#1 (using SSL classic) would connect with the https method over port 443.
#2 (using TLS new and improved) would connect over port 631, and add the
HTTP header "Upgrade: TLS/1.0".  #3 would connect over port 631, not add
anything (if it didn't have a username and password already for that
printer), but would expect a HTTP response "401" from the server.  The AUTH
parameter is needed by the client in order to know what security schemes to
use and expect when connecting from an IPP URI.  Otherwise, how does the
client know that it should add the "Upgrade: TLS/1.0" header to the request?

2) "AUTH" was just the first string that looked good.  "SECURITY" would work
as well and is probably less confusing.

3) Other IPP drafts talk about authorization/access control policy: Model
document, section 8 contains most of it.  In general, they discuss potential
security policies (e.g. only the job creator may be allowed to cancel the
job) but not the security mechanisms.  An ACL on the server is a perfectly
fine way of controlling access, but IPP 1.0 is silent on how it's done.  So
for now, it's implementation dependent.  To quote from the model document
(page 123-124 of the June 30th draft)

  "Once the authenticated identity of the requester has been supplied to
  the IPP object, the object uses that identity to enforce any
  authorization policy that might be in place.  For example, one site's
  policy might be that only the job owner is allowed to cancel a job.
  The details and mechanisms to set up a particular access control
  policy are not part of IPP/1.0, and must be established via some other
  type of administrative or access control framework.  However, there
  are operation status codes that allow an IPP server to return
  information back to a client about any potential access control
  violations for an IPP object."


More information about the Ipp mailing list