IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Paul Moore paulmo at microsoft.com
Fri Apr 9 21:22:35 EDT 1999


Problem #1 isn't a problem - it's an issue with pieces of paper. To say that
SSL3 isn't an Internet standard is a joke and you know it. 

Put in the spec
 - everybody must do Basic if you want user authentication and SSL3 if you
want a secure pipe (which is what everybody will do anyway)
 - If you like you can do TLS and/or digest


-----Original Message-----
From: Carl-Uno Manros [mailto:carl at manros.com]
Sent: Friday, April 09, 1999 6:10 PM
To: Paul Moore; 'Larry Masinter'
Cc: IETF-IPP; 'Manros, Carl-Uno B'; Michael Sweet
Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
Authentication


Paul,

That's great, we all LIKE running code, but there are at least two problems
with your solution:

1) SSL3 is not an Internet standard. TLS is, so if we are talking about this
kind of solution, we have to consider Basic + TLS, SSL3 is out-of-scope. Are
you proposing that all IPP Printer and Client implementations MUST implement
Basic + TLS?

2) I expect that a number of people, who are building printers, given a
choice, would prefer to implement Digest rather than TLS, but I am happy to
be proven wrong on that.

I still think that the two alternatives A) and B) that I gave are the only
two worth discussing in the IETF environment. Leaving out security from an
Internet standard is NOT an option these days. I hope that is now abundantly
clear to everybody (and Basic alone is not sufficient to qualify).

We will never achieve interoperability between IPP implementations if we
have a list of OPTIONAL security features, and let each implementer choose
his/her own favorite flavor of security features, if any, for their product.

I did not go into details about the pros and cons, we have been over this
subject repeatedly for at least a year. Go and read the email archives if
you want to freshen up on all the details again. If you want to see them
repeated on the DL, or have any new details you want to share, I suggest you
take on the job to compile the list of pros and cons.

Carl-Uno

> -----Original Message-----
> From: owner-ipp at pwg.org [mailto:owner-ipp at pwg.org]On Behalf Of Paul
> Moore
> Sent: Friday, April 09, 1999 5:01 PM
> To: 'Larry Masinter'
> Cc: IETF-IPP; 'Manros, Carl-Uno B'; Michael Sweet
> Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
>
>
> Basic and SSL work fine for me. It has the following benefits
> 1. It works
> 2. It's secure
> 3. Any reasonable client supports it
> 4. Any reasonable server supports it.
>
>
> -----Original Message-----
> From: Larry Masinter [mailto:masinter at parc.xerox.com]
> Sent: Friday, April 09, 1999 4:13 PM
> To: Paul Moore
> Cc: IETF-IPP; 'Manros, Carl-Uno B'; Michael Sweet
> Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
>
>
> > I don't think that I said anything about not paying attention to
> > security.
> > I will remind you that I was the only one with working SSL3
> > implementations on client and server at the recent bake-off. I am very
> > concerned about it.
> >
> > I was commenting that Carl-Uno's flowchart did not analyse the pros and
> > cons of the various security choices; it merely said (and I
> > paraphrase somewhat)
> > "We better do this because we won't get an RFC if we don't". I.e.
> > "even if it sucks we'll do it anyway". BTW I'm not suggesting that anything
> > does suck either, merely that being asked to turn my brain off to all logic
> > other than getting an RFC seemed too much.
>
> But we've heard repeatedly that the requirement for "getting an RFC"
> is to come up with a plan for securing printers that makes sense.
> Keith wrote:
>
> "The bottom line is that IPP will not get a standard out of IETF
> unless it provides a minimum level of security."
>
> To continue to characterize this simple and sensible requirement
> as "turn my brain off" is, well, turning off your brain.
>
> If the proposal for "a minimum level of security" via Digest
> authentication doesn't work for you, then propose something else
> that provides a minimum level of security. Saying "well, only
> implementing Basic Authentication is OK" doesn't provide a minimum
> level of security, so it's not OK. I don't know why this is
> so hard.
>
> Larry
>


