Hi Willem,
Thanks for the feedback! Replies below.
Smith
/**
Smith Kennedy
HP Inc.
*/
> On Jan 5, 2020, at 4:36 PM, Willem Groenewald <willem.groenewald at papercut.com> wrote:
>> Hi Smith
>> Apologies for the delay, just returned from leave.
>> Here are a few comments on the naming (probably more "thoughts" to spark some thinking):
>> 1) The use-cases and flows around "Password Protected Job" and "User Credential Protected Job" are very similar. The names should be related. e.g. both are "release" and path "protect" the job. It's the means of protection that are changing. Hence we'd recommend having very similar names. If you're keen to add the word "release", we'd suggest making sure this also exists on the password protected job too.
Mike Sweet earlier responded with a similar suggestion that I name them "Release Printing", so I'm going to go with that in the next revision, that I'm working on currently.
>> 2) We've taken a look at the draft of the Enterprise Printing Extensions v2.0 w.r.t these mentioned features, and would love an opportunity to dive a little deeper around security. Some immediate thoughts from a quick look, that may or may not have been considerer, are:
> The use of hashing methods that are no longer considered "secure". Would it make sense for a standard released in 2020 include these as options?
> Requiring these features to be available over TLS connections
> Have downgrade (or reply) attacks been considered?
These are all very good questions, but require some explanation. Let's see how I do here and if you have more questions, we can continue to discuss.
This IPP Enterprise Printing Extensions v2.0 is a v2.0 because it is a refactoring and renaming of the PWG 5100.11-2010 (IPP Job and Printing Extensions - Set 2 (JPS2)) specification that dates to 2010.
The "job-password" and "job-password-encryption" attributes originated in that spec. When I worked on adding the "job-password-repertoire" registration in 2015, that registration deprecated a number of the "job-password-encryption" methods and added newer ones. We deprecated MD2, MD4, MD5 and SHA1. In the PWG, "deprecated" means that Printers SHOULD NOT support them, and operators SHOULD NOT use them if they are supported by one of their printers. We have yet to obsolete them out of concern for backward compatibility, but it has now been 4 years. If you are suggesting that we obsolete these in IPP Enterprise Printing Extensions v2.0, I think we should consider it in the IPP WG. Are there others you think should be deprecated or added?
I don't think we can require TLS when "job-password" is used without breaking backward compatibility. I personally think TLS ought to be required by all Printers deployed in the field. Some of this comes down to a delta between conformance requirements and deployment policy.
When you ask about downgrade or replay attacks (you meant "replay", not "reply", right?), can you be more specific about your concerns?
> Cheers,
>> Chris & Bez in the PaperCut Dev Team (plus now Willem)
>>>> On Thu, 19 Dec 2019 at 04:12, Kennedy, Smith (Wireless & IPP Standards) via ipp <ipp at pwg.org <mailto:ipp at pwg.org>> wrote:
> Hi there,
>> I'm in the process of producing a new draft of IPP Enterprise Printing Extensions v2.0 (EPX) and I'm trying to nail down the "feature names" and "job types" for the several features defined therein.
>> What I have thus far is this:
>> Job Password
> • Feature: Password Job Protection
> • Job Type: Password Protected Job
> • Use Case: Protecting a Job with a Password
>> Job Storage
> • Feature: Job Storage
> • Job Type: Stored Job
> • Use Case: Storing a Job for Later Reprinting, Reprinting a Stored Job
>> Proof Print
> • Feature: Proof Print
> • Job Type: Proof Job
> • Use Case: Proof Printing
>> Authenticated Release
> • Feature: Authenticated Release? Credential Job Protection?
> • Job Type: User Credential Protected Job?
> • Use Case: Protecting a Job with User Authentication Credentials
>> Any feedback on any of these labels? Thanks for any help!
>> Smith
>> /**
> Smith Kennedy
> HP Inc.
> */
>> _______________________________________________
> ipp mailing list
>ipp at pwg.org <mailto:ipp at pwg.org>
>https://www.pwg.org/mailman/listinfo/ipp <https://www.pwg.org/mailman/listinfo/ipp>
>>> --
> Willem Groenewald
> Product Owner
> <http://www.papercut.com/>
> mob: +61 439 584 646
> web: www.papercut.com <http://www.papercut.com/>
>> <https://twitter.com/papercutdev> <https://facebook.com/papercutsoftware> <http://www.linkedin.com/company/papercut-software> <https://google.com/+PaperCutSoftware> <https://youtube.com/papercutsoftware>
>> Please consider the environment before printing this email... or install PaperCut and let it do the considering for you!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20200106/a19b69a5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://www.pwg.org/pipermail/ipp/attachments/20200106/a19b69a5/attachment.sig>