In changing from MUST to SHOULD after the last IPP telecon of 1997,
we changed section 8.5 from MUST to SHOULD, but left section 5.4 with a MUST.
Section 5.4 is a good high level summary of the security requirments
with a reference to all of section 8. We just need to change section 5.4
agree with our intent which is SHOULD, as expressed in section 8.5.
2. There is a second possible contridiction with section 8.5 itself (but
I'm no security expert).
The sentence from section 8.5 seems to contradict itself:
A conforming IPP client SHOULD support TLS, and it MUST implement and
support the "Mandatory Cipher Suites" as specified in the TLS specification
and MAY support additional cipher suites.
If a client MUST implement and support the "Mandatory Cipher Suites" as
specified in TLS, isn't that saying that the client MUST support TLS,
rather than saying that a client SHOULD support TLS?
Here are the two sections from the 12/19/97 Model Internet-Drafts:
5.4 Security Conformance Requirements
Conforming IPP Printer objects MAY support Transport Layer Security (TLS)
access, support access without TLS or support both means of access.
Conforming IPP clients MUST support TLS access and non-TLS access. Note:
This client requirement to support both means that conforming IPP clients
will be able to inter-operate with any IPP Printer object.
For a detailed discussion of security considerations and the IPP
application security profile required for TLS support, see section 8.
Security Considerations.
8.5 IPP Security Application Profile for TLS
The IPP application profile for TLS follows the standard "Mandatory Cipher
Suites" requirement as documented in the TLS specification [TLS]. Client
implementations MUST NOT assume any other cipher suites are supported by an
IPP Printer object.
If a conforming IPP object supports TLS, it MUST implement and support the
"Mandatory Cipher Suites" as specified in the TLS specification and MAY
support additional cipher suites.
A conforming IPP client SHOULD support TLS, and it MUST implement and
support the "Mandatory Cipher Suites" as specified in the TLS specification
and MAY support additional cipher suites.
It is possible that due to certain government export restrictions some
non-compliant versions of this extension could be deployed.
Implementations wishing to inter-operate with such non-compliant versions
MAY offer the TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA mechanism. However,
since 40 bit ciphers are known to be vulnerable to attack by current
technology, any client which actives a 40 bit cipher MUST NOT indicate to
the user that the connection is completely secure from eavesdropping.