[IPP] WG Last Call: IPP Authentication Methods

Kennedy, Smith (Wireless & Standards Architect) smith.kennedy at hp.com
Thu Feb 28 23:44:37 UTC 2019



> On Feb 28, 2019, at 3:50 PM, wamwagner at comcast.net wrote:
> 
> Smith,
> 
> Sorry, my confusion continues. Your new Authorization example may be valid, but it seems odd to me that someone would have an account in a printer but not have authority to print at all. Conditional authority, restricting use to certain times or restricting color, or quantity, etc. would be more realistic, but that is at the IPP level and does not appear to be addressed in this specification.

I think it is insofar as the authentication and/or authorization failures are reported back via IPP or its HTTP or TLS transports. I have updated sequence diagrams that indicate this visually. But here's an updated use case that might satisfy your request for an exception use case that more accurately illustrates a real world circumstance.

Harry is an intern who works at Andy's office, and he wants to print some photos from his laptop. He uses his laptop to discover available printers, and selects one listed. The printer is configured to limit access to color printing to only authorized users, and interns are not authorized to use this feature. His laptop is using an older client that doesn't support the IPP Get-User-Printer-Attributes operation, so features that he isn't allowed to use will be listed in the print dialog. Harry makes his choices in the print dialog, including selecting printing in color. Harry clicks "Print" to submit the job to the printer.

The printer challenges the laptop for authentication, and the laptop presents an authentication dialog to Harry. Harry enters his account's username and password. The printer accepts these credentials, but that account is not authorized to use the color printing feature. The printer rejects the job with the explanation that some features are not allowed, and lists the barred feature. Harry is a bit disappointed that the user experience is a bit awkward***, and is also disappointed that he cannot print in color. He abandons trying to print the photos because he doesn't want black-and-white prints.

***  (The user experience would be better with Get-User-Printer-Attributes because the color printing feature wouldn't even be shown to the user.)

Here's another one that uses Get-User-Printer-Attributes:

Harry is an intern who works at Andy's office, and he wants to print some photos from his laptop. He uses his laptop to discover available printers, and selects one listed. The printer is configured to limit access to color printing to only authorized users, and interns are not authorized to use this feature. His laptop has a modern IPP Client that supports the IPP Get-User-Printer-Attributes operation, so features that he isn't allowed to use will not be listed in the print dialog.

When he selects the printer, the laptop sends the Get-User-Printer-Attributes IPP operation to request the list of authorized features available to Harry's account. The printer responds to the laptop with an authentication challenge. The laptop has stored single sign-on credentials, so it uses those to avoid bothering its user with a distraction. The printer accepts these credentials, and provides the list of features his account is authorized to use. The laptop shows this set of features. Harry is disappointed that he cannot print in color, so he abandons trying to print the photos because he doesn't want black-and-white prints.

Does either of these clarify things?

> 
> The title is Authentication Methods, and although I may have missed it, I do not think that it does much with authorization (at least not by the printer), which would occur after successful Authentication. Perhaps the Authorization use case should be put in the out of scope section?

I think authorization drives the demand for authentication. Hopefully the updated use cases above, combined with the new sequence diagrams, will help make that more clear. The original goal of this paper was to talk about how the various authentication methods corresponding to the keywords for "uri-authentication-supported" could integrate into a print workflow, which is an unconventional user experience if you only think of web authentication involving web browsers.

> Thanks, Bill W.
> 
> 
> 
> From: Rizzo, Christopher via ipp <mailto:ipp at pwg.org>
> Sent: Thursday, February 28, 2019 4:12 PM
> To: Kennedy, Smith (Wireless & Standards Architect) <mailto:smith.kennedy at hp.com>; Rick Yardumian <mailto:RYardumian at ciis.canon.com>
> Cc: PWG IPP WG Reflector <mailto:ipp at pwg.org>
> Subject: Re: [IPP] WG Last Call: IPP Authentication Methods
> 
> This update looks good to me.
> 
> Thanks,
> Chris
> 
> Christopher Rizzo
> Xerox Corporation
> GDG/Discovery/Advance Technology
> 26600 SW Parkway Ave.
> Wilsonville, OR 97070-9251
> Phone: (585) 314-6936
> Email: Christopher.Rizzo at xerox.com
> 
> "The realization came over me with full force that a good part of the remainder of my life was going to be spent in finding errors in my own programs."
> -Maurice Wilkes, Memoirs of a Computer Pioneer
> 
> From: "Kennedy, Smith (Wireless & Standards Architect)" <smith.kennedy at hp.com>
> Date: Thursday, February 28, 2019 at 12:36 PM
> To: Christopher Rizzo <Christopher.Rizzo at xerox.com>, Rick Yardumian <RYardumian at ciis.canon.com>
> Cc: PWG Workgroup <ipp at pwg.org>
> Subject: Re: [IPP] WG Last Call: IPP Authentication Methods
> 
> Thanks for the feedback Chris! I also received this feedback from Canon's Rick Yardumian (CC'ed). In my LCRC draft, I've resolved this issue by rewriting 3.3.2 to more meaningfully describe an authorization failure.
> 
> Here's the rewrite. Any objections or suggestions?
> 
> Harry is also visiting Andy's office and wants to print from his laptop. He uses his laptop to discover available printers, and selects one listed. The printer is configured to limit access to only authorized users.
> 
> The printer challenges the laptop for authentication, and the laptop presents an authentication dialog to Harry. Harry has an account, and enters the account's username and password. The printer accepts these credentials, but that account is not authorized to access that printer. Harry's laptop shows a notification dialog expressing this to Harry. Harry clicks “OK” and looks for a pencil.
> 
> Smith
> 
> 
> 
> On Feb 28, 2019, at 12:33 PM, Rizzo, Christopher <Christopher.Rizzo at xerox.com <mailto:Christopher.Rizzo at xerox.com>> wrote:
> 
> Just curious, but section 3.3 Exceptions of this document has sections 3.3.1 and 3.3.2 which are pretty much exact duplicates of each other, exception being Lisa vs. Harry. Was this intentional?
> 
> Thanks,
> Chris
> 
> 
> Christopher Rizzo
> Xerox Corporation
> 
> GDG/Discovery/Advance Technology
> 
> 26600 SW Parkway Ave.
> 
> Wilsonville, OR 97070-9251
> 
> Phone: (585) 314-6936
> 
> Email: Christopher.Rizzo at xerox.com <mailto:Christopher.Rizzo at xerox.com>
> 
> "The realization came over me with full force that a good part of the remainder of my life was going to be spent in finding errors in my own programs."
> -Maurice Wilkes, Memoirs of a Computer Pioneer
> 
> On 1/17/19, 4:00 PM, "ipp on behalf of Kennedy, Smith (Wireless & Standards Architect)" <ipp-bounces at pwg.org <mailto:ipp-bounces at pwg.org> on behalf of smith.kennedy at hp.com <mailto:smith.kennedy at hp.com>> wrote:
> 
> Greetings,
> 
> This message begins the IPP workgroup Last Call of the IPP Authentication Methods best practice draft, available at:
> 
> https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190117.odt
> https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190117.pdf
> https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190117-rev.pdf
> 
> Please respond with any feedback or comments by doing a "reply all" to this message.
> 
> This last call will end on January 31, 2019 at 10pm PT.
> 
> Cheers,
> Smith
> 
> /**
> Smith Kennedy
> HP Inc.
> */
> 
> _______________________________________________
> ipp mailing list
> ipp at pwg.org <mailto:ipp at pwg.org>
> https://www.pwg.org/mailman/listinfo/ipp <https://protect-us.mimecast.com/s/4nRoCwp5B5I3w01ghKeT4u?domain=pwg.org>
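
Added example, not part of the original message or the PWG draft: a small Python model of the two color-printing use cases in this message, keeping authentication (who the user is) separate from authorization (what that account may use). The account store, policy table, function names and outcome labels are assumptions made for illustration; only the scenario and the Get-User-Printer-Attributes operation name come from the thread.

```python
import hmac
from dataclasses import dataclass

# Constructed sample data (assumptions, not from the thread or the PWG draft).
ACCOUNTS = {"harry": ("s3cret", "intern"), "andy": ("hunter2", "staff")}
# Hypothetical policy: role -> color modes that role is authorized to use.
POLICY = {"staff": ("color", "monochrome"), "intern": ("monochrome",)}

@dataclass(frozen=True)
class Reply:
    outcome: str        # "challenge", "rejected", "accepted" or "attributes"
    detail: tuple = ()  # barred values (rejected) or permitted values (attributes)

def authenticate(creds):
    """Authentication only: return the account's role, or None to challenge."""
    if creds is None or creds[0] not in ACCOUNTS:
        return None
    password, role = ACCOUNTS[creds[0]]
    # Constant-time comparison; a real printer would not hold plaintext passwords.
    return role if hmac.compare_digest(password.encode(), creds[1].encode()) else None

def print_job(creds, color_mode):
    """Printer side: authenticate first, then authorize the requested feature."""
    role = authenticate(creds)
    if role is None:
        return Reply("challenge")
    if color_mode not in POLICY[role]:
        return Reply("rejected", (color_mode,))  # valid login, barred feature
    return Reply("accepted")

def get_user_printer_attributes(creds):
    """Printer side: report only what this authenticated account may use."""
    role = authenticate(creds)
    return Reply("challenge") if role is None else Reply("attributes", POLICY[role])

def legacy_client(creds, wanted):
    """Older client: dialog offers every mode, so refusal comes after submission."""
    reply = print_job(None, wanted)          # first attempt carries no credentials
    return print_job(creds, wanted) if reply.outcome == "challenge" else reply

def modern_client(creds, wanted):
    """Newer client: asks first, and never submits a mode it was not offered."""
    reply = get_user_printer_attributes(creds)
    if reply.outcome != "attributes" or wanted not in reply.detail:
        return reply
    return print_job(creds, wanted)
```

In both flows the printer is the one enforcing the policy; the newer client only learns the outcome earlier, so the job check in `print_job` stays in place even when the dialog hides barred features.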