IPP> Security and the progress of IPP

IPP> Security and the progress of IPP

IPP> Security and the progress of IPP

Harry Lewis harryl at us.ibm.com
Mon Oct 5 11:46:32 EDT 1998

Keith, I apologize that I was unable to attend the IETF meeting in Chicago
where IPP was reviewed. I was (and remain) very confident to have Carl-Uno as
our representative for IPP. As dedicated and articulate as Carl-Uno is, he
cannot always speak for the entire IPP WG body so I am taking this opportunity
to express my individual concerns.

Since June, I would characterize the specification of IPP as relatively stable
and complete. The group of interested printer and software product vendors
have  successfully developed (and are willing to adopt as standard) a protocol
for query, submission and monitoring of print jobs via HTTP. As our Area
Director, you have further recommended a specific port and URL scheme for
hooking up to "the web" in a manageable form.

Security, however, remains an open switch for the Internet, at large. The
existing predominant scheme for security with HTTP cannot be considered an IETF
standard because of intellectual property rights. Alternatives are emerging but
have not matured to the point of acceptance. It is disheartening that the
progression of IPP has been linked to this (temporarily) intractable security
standards situation. In contrast to the concrete recommendations regarding port
and URL scheme (topics which might have been debated but which, at least, are
feasible to understand and accommodate), the IETF's position on security simply
presents a problem with no reasonable solution.

It is ineffective for the IETF to organize it's resources in such a way as to
require all areas of expertise to provide ad-hoc solutions to related problems
- especially when they are as fundamental and global as security. As a printer
working group, our responsibility should be to identify describe and articulate
any unique or un-intuitive security issues and cooperate on their resolution.
Instead, we find ourselves defining general URL and registry schemes for
security which, ultimately, will result in niche implementations, not
ubiquitous Internet standards.

Security is a very important issue and I expect the state of the art to improve
rapidly throughout the Internet. The goal of IPP is to enhance the state of
printing. We should do so in harmony with evolving Internet security schemes,
not by inventing new ones. The fact that the primary form of security for HTTP
is not a recognized standard begs for progress in the Security area, not

I commend the IETF for it's role in orchestrating and arbitrating the otherwise
chaotic integration of elements that make up the Internet. A great benefit has
been demonstrated from this - witness the "the web" in our lives, our
workplace, our commerce. If I felt security was being overlooked by the IETF,
then I would insist on "special casing" it for IPP. To the contrary, the urgent
emphasis I sense in the IETF is exactly why I am confident that the IPP group
should not delay, but should be prepared to revise our specifications, as
appropriate, when there is clear evidence of a chosen standard for security in
the IETF.

Harry Lewis - IBM Printing Systems

More information about the Ipp mailing list