IPP> 'mailto' Delivery Method for IPP Notifications

IPP> 'mailto' Delivery Method for IPP Notifications

McDonald, Ira imcdonald at sharplabs.com
Fri Jan 7 13:57:29 EST 2005


Hi Gail,

[Nice to hear from you!]

The admin assistant use case still requires an LDAP verification
of the target.  Deploying a printer without this (even one that
does NOT accept jobs from outside the enterprise) makes it a 
potential spam engine.

The IETF ADs were right to complain about this.  No printer
vendor wants to figure prominently in the next CERT alert for
security problems.

I also think the admin assistant use case is a corner case.  It's
not what existing LPR email notifications do in the UNIX space
(they reply to the job owner).

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Blue Roof Music / High North Inc
PO Box 221  Grand Marais, MI  49839
phone: +1-906-494-2434
email: imcdonald at sharplabs.com

-----Original Message-----
From: Gail Giansiracusa [mailto:ggiansiracusa at peerless.com]
Sent: Friday, January 07, 2005 1:06 PM
To: McDonald, Ira; Michael Sweet; Bergman, Ron
Cc: ipp at pwg.org; Harry Lewis (E-mail)
Subject: RE: IPP> 'mailto' Delivery Method for IPP Notifications


Hi Ira,

I believe that one of the design points was to allow notifications to be
sent to a third party. The use case that was thrown around was the
ability of the notification to be sent to an administrative assistant to
be picked up.


Gail (Songer) Giansiracusa
Peerless Systems Corp
ggiansiracusa at peerless.com
 

-----Original Message-----
From: owner-ipp at pwg.org [mailto:owner-ipp at pwg.org] On Behalf Of
McDonald, Ira
Sent: Thursday, January 06, 2005 4:13 PM
To: 'Michael Sweet'; Bergman, Ron
Cc: ipp at pwg.org; Harry Lewis (E-mail)
Subject: RE: IPP> 'mailto' Delivery Method for IPP Notifications

Hi,

Note that our IETF ADs observed that there are serious security
flaws in the 'mailto' Delivery Method for IPP Notifications.
These will need to be addressed in any PWG-ISTO standard.

Simplified explanation:  An IPP Printer MUST NOT accept any
subscription for 'mailto' notifications from an anonymous
IPP Job submitter - otherwise, the IPP Printer is a spam 
engine.  An IPP Printer SHOULD use an LDAP directory (or 
other authoritative source) to ensure that the recipient
of IPP 'mailto' notifications is in fact the Job Owner.

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Blue Roof Music / High North Inc
PO Box 221  Grand Marais, MI  49839
phone: +1-906-494-2434
email: imcdonald at sharplabs.com

-----Original Message-----
From: owner-ipp at pwg.org [mailto:owner-ipp at pwg.org]On Behalf Of Michael
Sweet
Sent: Thursday, January 06, 2005 7:16 AM
To: Bergman, Ron
Cc: ipp at pwg.org; Harry Lewis (E-mail)
Subject: Re: IPP> 'mailto' Delivery Method for IPP Notifications


Bergman, Ron wrote:
> 
> 
> Is there any interest in completion of this document as a PWG-ISTO 
> standard?

Yes.

> I am willing to take on this task if there is even a moderate
> interest. At one time it appeared that several companies were
> planning to implement this feature so there should be some support
> for a proper sandard.

The CUPS implementation will be ready for testing very soon, based
on the last draft.

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Publishing Software        http://www.easysw.com



More information about the Ipp mailing list