IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

harryl at us.ibm.com harryl at us.ibm.com
Fri Apr 23 15:01:48 EDT 1999



This tack is blowing my mind.

I thought the WHOLE reason SSL was disallowed in our specification (of IPP)
was due to its "encumbered" nature. And the IETF pointed us at TLS as the
answer. Now, we're suggesting that TLS is encumbered?

We need immediate clarification of this issue!

Harry Lewis
IBM Printing Systems
harryl at us.ibm.com



Michael Sweet <mike at easysw.com> on 04/23/99 12:32:06 PM

To:   Keith Moore <moore at cs.utk.edu>
cc:   Carl-Uno Manros <carl at manros.com>, Paul Moore <paulmo at microsoft.com>,
      IETF-IPP <ipp at pwg.org> (bcc: Harry Lewis/Boulder/IBM)
Subject:  Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication





Keith Moore wrote:
>
> > If you're in the US, you have to pay homage (literally) to RSA to
> > develop any implementation of TLS.

Hey, I found section 9 in the RFC...  Maybe this isn't true after
all... (why is this stuff always buried?)

> is this really true?  the default mandatory TLS ciphersuite is
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, which (AFAIK) doesn't use
> any RSA-controlled technology.

I really don't know; most public-key stuff seems to be controlled in
some way by RSA, and I don't know enough about the Diffie-Hellman
stuff to know if it falls under the RSA patents, or if it is even
secure enough to be considered as a replacement for RSA should it
*not* fall under the patents.  (Nor do I know if it is covered by
patents in other countries or falls under export/import restrictions.)

I think before any decision is made on issue 32 we need to determine
if requiring TLS in clients is feasible; i.e. are there existing TLS
products or tools for all/most platforms, what legal concerns are
there, etc.  If it turns out that a free, compliant IPP implementation
cannot be produced with TLS without export restrictions, then I think
we have no choice but to drop the TLS requirement and stick with
Digest, or have the optional TLS support in the client requirements.

--
______________________________________________________________________
Michael Sweet, Easy Software Products                  mike at easysw.com
Printing Software for UNIX                       http://www.easysw.com





