Smith,
> On Mar 4, 2019, at 4:25 PM, Kennedy, Smith (Wireless & Standards Architect) via ipp <ipp at pwg.org> wrote:
>>>>> On Mar 4, 2019, at 2:10 PM, Michael Sweet <msweet at apple.com <mailto:msweet at apple.com>> wrote:
>>>>>> One addition I'd like to see to see for the "requesting-user-name" method is a note that some Clients use a constant identity as a privacy defense (e.g., "mobile" from iOS Clients) when sending requests, so from a Printer's perspective this method is basically useless. In the context of GDPR, this falls under a need for explicit consent - a password challenge or Client UI requesting permission to provide the real user name is required. At Apple we decided to always hide the requesting user on iOS for basic privacy reasons, relying on authentication where such information is genuinely needed.
>>>>>> Do you want this in section 4.2 "The 'requesting-user-name' IPP Authentication Method" (using numbering from the non-rev documents), or in 5.1.1. "General Recommendations" (for Clients), or 7.2. "Client Security Considerations"? There seems to be two different statements: what is done in the field, and what a Client or Printer ought to do.
>>>> I was thinking of this being in section 4.2. As far as the general recommendations for clients, I think we need to make a note of privacy concerns, .i.e., recommend that Clients don't just throw the current username in there without getting explicit permission from the User.
>> I am fine with that - how's this for an updated section 4.2:
>> 4.2. The 'requesting-user-name' IPP Authentication Method
>> The 'requesting-user-name' IPP Authentication Method [RFC8011] indicates that the Client is to provide the “requesting-user-name” operation attribute [RFC8011] in its IPP operation request. The Printer uses this unauthenticated name as the identity of the User operating the Client. This method is not recommended if job accounting or access authorization is important, since the Printer does not challenge the Client to prove the identity claimed in the “requesting-user-name”. Some Clients always send a fixed identity name (e.g. “mobile”) as a privacy defense when sending requests. As such, from a Printer's perspective, this method is increasingly undependable.
I would add "also" to the sentence, e.g., "Also, some Clients always send ..."
> I wonder if we need to call out the notion of authentication as a form of explicit consent to share information, especially within the context of privacy concerns such as GDPR compliance? Where might we put that? The start of Section 4 "Client Authentication Methods"? Or down in Security Considerations?
Right now I hesitate to put that wording in this document. If IDS is going to tackle the privacy/information gathering problem, I think we are probably better off deferring that discussion to their work since there isn't a lot we can say in a few sentences here.
But FWIW, I think an authentication challenge and the subsequent providing of credentials does constitute explicit consent WRT the username and password; there is still the issue of *informed consent* to deal with - how does the user know why they are being asked for a username and password?
(I also feel like we may end up with an update to my IPP Privacy Attributes document at some point...)
_________________________________________________________
Michael Sweet, Senior Printing System Engineer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20190304/8099f81e/attachment.html>