[IPP] "Get-User-Supported-Values" operation?

[IPP] "Get-User-Supported-Values" operation?

[IPP] "Get-User-Supported-Values" operation?

Ira McDonald blueroofmusic at gmail.com
Thu Jan 26 18:14:52 UTC 2017


Hi,

Smith plans to bring a whitepaper and/or slides on this new operation
(tentatively to be named Get-User-Printer-Attributes for clarity) to the
PWG F2F meeting in February.

On reflection, I suggest that perhaps we *should* add this operation
to IPP System Service to enhance IPP Client interworking with IPP
Printers (job services).

Mike has convinced me that the operation should look just like the
existing Get-Printer-Attributes operation (input/output attributes),
but allow the Printer (if so configured) to authenticate the Client's
requesting user identity and always require filtering of the response
based on the most authenticated requesting user identity.

Cheers,
- Ira


Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmusic at gmail.com
Jan-April: 579 Park Place  Saline, MI  48176  734-944-0094
May-Dec: PO Box 221  Grand Marais, MI 49839  906-494-2434


On Sun, Jan 15, 2017 at 10:49 PM, Michael Sweet <msweet at apple.com> wrote:

> Ira,
>
> > On Jan 15, 2017, at 8:45 PM, Ira McDonald <blueroofmusic at gmail.com>
> wrote:
> >
> > Hi Mike,
> >
> > You are suggesting this new Get-User-Printer-Attributes operation
> > does NOT require authentication and authorization of the Client?
>
> No, I am suggesting that this new operation *may* not require Client
> authentication, depending on the configuration of the Printer, just as
> Cancel-Job, Cancel-All-Jobs, Cancel-My-Jobs, Create-Job,
> Get-Job-Attributes, Get-Jobs, Print-Job, Print-URI, Send-Document,
> Send-URI, and Validate-Job do.
>
> FWIW, Get-Printer-Attributes is basically the only operation in IPP/1.1
> (RFC 2911/8011) that does not say anything about authentication, the most
> authenticated identity, authorization rights, or filtering of attributes or
> values based on the most authenticated identity.  And that makes it
> impossible to add authentication requirements without breaking a lot of
> (read: all) Clients.
>
> > If that's right, what value does this operation offer over the classic
> > Get-Printer-Attributes (with perhaps an "ipp-features-supported"
> > tag that says it supports User-based filtering)?
>
> It makes it consistent with the Job operations.
>
> > My reading of original RFC 2911 was that *any* operation could do
> > filtering based on the requesting user (i.e., Get-Jobs).
>
> No, there is discussion of authentication and the most authenticated
> user/identity, but specific requirements and filtering are discussed in the
> description of each operation.  In particular, Get-Jobs and
> Get-Job-Attributes talk about filtering based on security policy, while
> Get-Printer-Attributes only talks about filtering based on document format
> (and basically says everyone gets to see the same information).
>
> This is arguably a bug in the original IPP specs, but there is nothing we
> can do to fix Get-Printer-Attributes now.
> (but there are advantages to having a public/guest "get" operation for
> discovering what a Printer will require, e.g.,
> "uri-authentication-supported" values...)
>
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20170126/7338ab8e/attachment.html>


More information about the ipp mailing list