Michael Sweet wrote:
> Without auth-int you can spoof authorization with varying degrees of
> ease. Sure, you won't get the original password, but without auth-int
> you don't need it!

You're wrong. Digest-authentication with qop=auth and algorithm=MD5-sess
or MD5 is adequate for IPP authentication for protecting against simple
attacks. The problem with Basic is that the user's "printer password"
is likely to be the user's password for other services, and so compromising
the printer password compromises everything _else_ the user has access
to. (That's also why MD5-sess is a good idea.) Digest Authentication
with qop=auth is adequate for protecting against eavesdropping, and
is adequate for protecting against replay attacks. Any attempt to
hijack one person's print job with some false data would soon be

qop=auth-int has the problem that you have to hash the body of the request
before sending the request, which would interfere with IPP performance
if the print stream data is being computed as it is being sent.

Only if you want to deploy some kind of messaging application where
message integrity is important would auth-int be useful, and in those
cases, you probably also want privacy. If you want privacy, then you'll
want TLS. But if you have TLS, you should use TLS authentication and
not Basic or Digest with TLS.

I'd suggest setting TLS with TLS client authentication as a
"SHOULD implement"; for interoperability, the group would need
to decide on a set of options, algorithms, etc.
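
Added example, not part of the original message: a Python sketch of the RFC 2617 request-digest computation, showing what each qop value covers and why qop=auth-int needs the complete body hashed before the Authorization header can be sent. The user name, realm, password, nonces, URI and body bytes are constructed sample values.

```python
import hashlib

def h(data):
    """MD5 hex digest, the H() function of RFC 2617."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.md5(data).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", algorithm="MD5", body=b""):
    """Compute the request-digest for qop=auth or qop=auth-int."""
    ha1 = h(f"{user}:{realm}:{password}")
    if algorithm == "MD5-sess":
        # Session key: the long-term password hash is mixed with both nonces.
        ha1 = h(f"{ha1}:{nonce}:{cnonce}")
    if qop == "auth-int":
        # The whole entity body must be hashed before the header can be built.
        ha2 = h(f"{method}:{uri}:{h(body)}")
    elif qop == "auth":
        ha2 = h(f"{method}:{uri}")  # the body is not covered by the digest
    else:
        raise ValueError("unsupported qop")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(claimed, received_body, **params):
    """Server-side check: recompute the digest over what actually arrived."""
    return claimed == digest_response(body=received_body, **params)

# Constructed sample values (not taken from the thread).
PARAMS = dict(user="alice", realm="printer.example", password="s3cret",
              method="POST", uri="/ipp/print", nonce="dcd98b7102dd2f0e",
              nc="00000001", cnonce="0a4f113b", algorithm="MD5-sess")
ORIGINAL = b"constructed IPP request body"
ALTERED = b"constructed IPP request body, modified in transit"

def compare():
    """Map each qop to (accepted with original body, accepted with altered body)."""
    results = {}
    for qop in ("auth", "auth-int"):
        p = dict(PARAMS, qop=qop)
        claimed = digest_response(body=ORIGINAL, **p)
        results[qop] = (server_accepts(claimed, ORIGINAL, **p),
                        server_accepts(claimed, ALTERED, **p))
    return results

if __name__ == "__main__":
    print(compare())
```

With qop=auth the digest is unchanged when the body changes, so the server check passes for both bodies; with qop=auth-int the altered body fails the check, at the cost of buffering and hashing the whole print stream first.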