[IPP] IPP attribute for TLS version support, and status code to indicate TLS negotiation failure?

Kennedy, Smith (Wireless & Standards Architect) smith.kennedy at hp.com
Fri Jul 27 20:25:10 UTC 2018


Greetings,

In my presentation to the Mopria Technical Working Group yesterday, a question arose about TLS version negotiation failures, and whether the Client would be notified of such failures at the IPP level. I responded that there might be a response at the IPP level but that Clients (and Printers) need to also be aware of the TLS and HTTP levels. But then I remembered that, in the latest draft of the IPP Authentication Methods white paper, Mike and I expanded and revised section 3.1.7 "The 'certificate' IPP Authentication Method" to include the following:
The Printer SHOULD return the IPP status code listed in Table 3.1 when the corresponding authentication exception occurs. The Client SHOULD respond to the reported status code with the corresponding response listed in Table 3.1.



Operation Status Code | Authentication Exception | Recommended Client Response
----------------------|--------------------------|----------------------------
'client-error-not-authenticated' | Authentication required but no X.509 certificate supplied | Close the connection; select a certificate (with possible user interaction); retry connection with selected certificate
'client-error-not-authorized' | Access denied for the identity specified by the provided X.509 certificate; try again | Close the connection; select a different certificate (with possible user interaction); retry connection with selected certificate
'client-error-forbidden' | Access denied for the identity specified by the provided X.509 certificate; don't try again | Close the connection and present User with error dialog ("Access denied")

Table 3.1 : IPP 'certificate' Authentication Method Error Condition Status Codes

None of these seem to cover a lower-level protocol negotiation failure. Do we need to add a new one for TLS version negotiation failure? The Client can learn the Printer's maximum TLS version via the "TLS" DNS-SD TXT record key (5100.14 section 4.2.3.4). The "uri-security-supported" attribute simply uses 'tls' but lists no version (which troubles me because DNS-SD shouldn't be more descriptive than IPP).

Thoughts?

Smith

/**
    Smith Kennedy
    Wireless & Standards Architect - IPG-PPS
    Standards - IEEE ISTO PWG / Bluetooth SIG / Wi-Fi Alliance / NFC Forum / USB-IF
    Chair, IEEE ISTO Printer Working Group
    HP Inc.
*/
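An added example, not part of the post above or of the PWG white paper, showing why Table 3.1 cannot cover a TLS version mismatch: the client maps the three IPP status codes from the table to the recommended client responses, but a TLS negotiation failure surfaces as a handshake exception before any HTTP or IPP bytes are exchanged, so the only IPP-level signal available is the DNS-SD "TLS" TXT key checked before connecting. The numeric status code values are those in RFC 8011; the TXT record, the IPP response bytes and the assumed "TLS=1.2" value format are constructed for the example.

```python
"""Client-side handling of IPP 'certificate' authentication status codes
versus a TLS version negotiation failure.  Added example; not code from the
PWG IPP Authentication Methods white paper or any PWG project."""
import ssl
from enum import Enum
from typing import Dict, Optional, Tuple

# Numeric values of the Table 3.1 status codes (RFC 8011, Appendix B).
STATUS_FORBIDDEN = 0x0401          # 'client-error-forbidden'
STATUS_NOT_AUTHENTICATED = 0x0402  # 'client-error-not-authenticated'
STATUS_NOT_AUTHORIZED = 0x0403     # 'client-error-not-authorized'


class ClientAction(Enum):
    """Recommended client responses, paraphrased from Table 3.1, plus the two
    cases the table does not cover."""
    SELECT_CERT_AND_RETRY = "close; select a certificate (user may be asked); retry"
    SELECT_OTHER_CERT_AND_RETRY = "close; select a different certificate; retry"
    SHOW_ACCESS_DENIED = "close; show 'Access denied' dialog; do not retry"
    TLS_NEGOTIATION_FAILED = "no IPP status code possible: TLS handshake never completed"
    OTHER = "not a Table 3.1 condition"


# Table 3.1 as a lookup from status code to recommended client response.
TABLE_3_1 = {
    STATUS_NOT_AUTHENTICATED: ClientAction.SELECT_CERT_AND_RETRY,
    STATUS_NOT_AUTHORIZED: ClientAction.SELECT_OTHER_CERT_AND_RETRY,
    STATUS_FORBIDDEN: ClientAction.SHOW_ACCESS_DENIED,
}


def parse_txt_tls_version(txt: Dict[str, str]) -> Optional[Tuple[int, int]]:
    """Return the printer's maximum TLS version advertised in its DNS-SD TXT
    record.  Assumption: the PWG 5100.14 "TLS" key carries a dotted version
    string such as "1.2"; anything else is treated as 'not advertised'."""
    value = txt.get("TLS", "").strip()
    if not value or "." not in value:
        return None
    major, minor = value.split(".", 1)
    try:
        return (int(major), int(minor))
    except ValueError:
        return None


def preflight_tls(txt: Dict[str, str],
                  client_min: Tuple[int, int] = (1, 2)) -> Optional[ClientAction]:
    """Before connecting, compare the printer's advertised maximum TLS version
    with the client's configured minimum.  Returns TLS_NEGOTIATION_FAILED when
    the handshake is known in advance to fail, otherwise None (proceed)."""
    printer_max = parse_txt_tls_version(txt)
    if printer_max is not None and printer_max < client_min:
        return ClientAction.TLS_NEGOTIATION_FAILED
    return None


def parse_ipp_status(response: bytes) -> int:
    """The IPP response header (RFC 8010) is version (2 bytes), status code
    (2 bytes, big-endian) and request-id (4 bytes)."""
    if len(response) < 8:
        raise ValueError("truncated IPP response header")
    return int.from_bytes(response[2:4], "big")


def action_for_ipp_response(response: bytes) -> ClientAction:
    """Map a received IPP response to the Table 3.1 client response."""
    return TABLE_3_1.get(parse_ipp_status(response), ClientAction.OTHER)


def action_for_exception(exc: BaseException) -> ClientAction:
    """A TLS version mismatch is raised by the TLS layer (ssl.SSLError in
    Python) during the handshake; no IPP response exists to inspect."""
    if isinstance(exc, ssl.SSLError):
        return ClientAction.TLS_NEGOTIATION_FAILED
    return ClientAction.OTHER


# Constructed sample data (not captured from a real printer).
SAMPLE_TXT_TLS12 = {"txtvers": "1", "rp": "ipp/print", "TLS": "1.2"}
SAMPLE_TXT_TLS10 = {"txtvers": "1", "rp": "ipp/print", "TLS": "1.0"}
# IPP/2.0 response, status 0x0403 ('client-error-not-authorized'), request-id 1,
# followed by the end-of-attributes tag 0x03.
SAMPLE_NOT_AUTHORIZED = bytes([0x02, 0x00, 0x04, 0x03, 0x00, 0x00, 0x00, 0x01, 0x03])


def run_demo() -> Tuple[Optional[ClientAction], Optional[ClientAction],
                        ClientAction, ClientAction]:
    """Exercise the three paths: pre-flight pass, pre-flight fail,
    Table 3.1 mapping, and a handshake exception."""
    return (
        preflight_tls(SAMPLE_TXT_TLS12),
        preflight_tls(SAMPLE_TXT_TLS10),
        action_for_ipp_response(SAMPLE_NOT_AUTHORIZED),
        action_for_exception(ssl.SSLError("tlsv1 alert protocol version")),
    )


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The pre-flight check is the only place a version mismatch can be caught using IPP-ecosystem data, and it relies on DNS-SD rather than on "uri-security-supported", which is the asymmetry the post raises.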


