IPP> Re: PRO - Issue 32: Use of Basic & DigestAuthentication

Hugo Parra HPARRA at novell.com
Mon Apr 12 14:00:33 EDT 1999


Larry,

Who says the printer or print server has to store passwords in the clear?  Novell's implementation can validate a password it receives on the wire (hopefully encrypted) without having to store any original passwords in the clear.  I agree with you that this approach requires encryption when only authentication is needed, but it is a working solution, not "just meaningless blather".  In practice, this solution is likely to be more secure than Digest Authentication in that administrators of large sites are more likely to disable security altogether if they're faced with the daunting task of client certificate management.

Just two cents,
-Hugo

>>> "Larry Masinter" <masinter at parc.xerox.com> 04/12/99 10:38AM >>>

> >>> Paul Moore <paulmo at microsoft.com> 04/09/99 06:01PM >>>
> Basic and SSL work fine for me. It has the following benefits
> 1. It works

Actually, it doesn't work very well.

> 2. It's secure

No, it has serious security problems in the context of a printing
protocol. Maybe "it's secure" for web browsing, but requiring the
printer to hold passwords in the clear leads to several vulnerabilities
that can be exploited. And if we're still in an export-sensitive
world, the security of "basic and SSL" creates an attractive nuisance.

> 3. Any reasonable client supports it
> 4. Any reasonable server supports it.


Depending on "reasonable": you're adding overhead to accomplish
privacy when all that's wanted is authentication. And without
further definition of a minimum required interoperable subset,
"supports it" is just meaningless blather.

Frankly, it seems like we're getting some knee-jerk responses.
This isn't a popularity contest. The results actually have to
work.

Regards,

Larry
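
The point raised at the top of this thread, that a server receiving the password over the wire can validate it without keeping the original, shown as an added example (not code from the thread and not Novell's implementation). The function names, the PBKDF2 parameters and the sample account are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor for this example

def enroll(password):
    """Return (salt, derived_key); the password itself is never stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def parse_basic(header):
    """Split 'Basic <base64(user:password)>' into (user, password), or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # user-id cannot contain ':'
    return (user, password) if sep else None

# Constructed credential store: user -> (salt, derived_key)
STORE = {"alice": enroll("correct horse")}
# Dummy record so an unknown user costs the same work as a known one
_DUMMY = enroll("placeholder")

def authenticate(header):
    """Validate an Authorization header value received inside the TLS session."""
    parsed = parse_basic(header)
    if parsed is None:
        return False
    user, password = parsed
    salt, expected = STORE.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison; the membership check rejects the dummy record
    return hmac.compare_digest(candidate, expected) and user in STORE

def basic_header(user, password):
    """Build the header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The server sees the password only for the duration of the request, which is why the channel has to be encrypted for this scheme to hold.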




