<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Greetings again,<div class=""><br class=""></div><div class="">I posted this without overtly suggesting a fix for this:<div class=""><br class=""></div><div class=""><blockquote type="cite" class=""><div class="WordSection1" style="page: WordSection1; font-family: LucidaGrande;"><div class=""><div class="" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">The Client can learn the Printer's maximum TLS version via the "TLS" DNS-SD TXT record key (5100.14 section 4.2.3.4). The "uri-security-supported" attribute simply uses 'tls' but lists no version (which troubles me because DNS-SD shouldn't be more descriptive than IPP).<o:p class=""></o:p></div></div><div class=""></div></div></blockquote></div><div class=""><br class=""></div><div class="">To bring IPP to parity with IPP + DNS-SD, I think we need to either add additional keywords for "uri-security-supported", like 'tls-1.2' and 'tls-1.3', or we create a new attribute. Even with this addition, I also think a new 'client-error-tls-negotiation-failure' status code should be defined.</div><div class=""><br class=""></div><div class="">Have a good weekend,</div><div class=""><br class=""></div><div class="">
<div dir="auto" style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Smith<br class=""><br class="">/**<br class="">    Smith Kennedy<br class="">    Wireless & Standards Architect - IPG-PPS<br class="">    Standards - IEEE ISTO PWG / Bluetooth SIG / Wi-Fi Alliance / NFC Forum / USB-IF<br class="">    Chair, IEEE ISTO Printer Working Group<br class="">    HP Inc.<br class="">*/<br class=""><br class=""><br class=""></div></div>
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On Jul 27, 2018, at 2:25 PM, Kennedy, Smith (Wireless & Standards Architect) <<a href="mailto:smith.kennedy@hp.com" class="">smith.kennedy@hp.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Greetings,<div class=""><br class=""></div><div class="">In my presentation to the Mopria Technical Working Group yesterday, a question arose about TLS version negotiation failures, and whether the Client would be notified of such failures at the IPP level. I responded that there might be a response at the IPP level but that Clients (and Printers) need to also be aware of the TLS and HTTP levels. But then I remembered that, in the latest draft of the IPP Authentication Methods white paper, Mike and I expanded and revised section 3.1.7 "The 'certificate' IPP Authentication Method" to include the following:</div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class="">
                
        
        
                <div class="page" title="Page 13">
                        <div class="layoutArea">
                                <div class="column">
                                        <ol start="188" style="list-style-type: none" class="">
                                                <li class=""><p class=""><span style="font-size: 12.000000pt; font-family: 'ArialMT'" class="">The Printer SHOULD </span><span style="font-family: ArialMT; font-size: 12pt;" class="">return the IPP status code listed in Table 3.1 when the corresponding authentication </span><span style="font-family: ArialMT; font-size: 12pt;" class="">exception occurs. The Client SHOULD respond to the reported status code with the </span><span style="font-family: ArialMT; font-size: 12pt;" class="">corresponding response listed in Table 3.1.</span></p></li>
                                        </ol><p class=""><br class=""></p>
                                </div>
                        </div>
                        <table style="border-collapse: collapse" class=""><colgroup class=""><col style="width: 29.852911%" class=""><col style="width: 30.764450%" class=""><col style="width: 39.382639%" class="">
                                </colgroup><tbody class=""><tr class="">
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'Arial'; font-weight: 700" class="">Operation Status Code
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'Arial'; font-weight: 700" class="">Authentication Exception
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'Arial'; font-weight: 700" class="">Recommended Client Response
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                </tr>
                                <tr class="">
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'ArialMT'" class="">'client-error-not-authenticated'
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'ArialMT'" class="">Authentication required but no
X.509 certificate supplied
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'ArialMT'" class="">Close the connection; select a certificate
(with possible user interaction); retry
connection with selected certificate
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                </tr>
                                <tr class="">
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'ArialMT'" class="">'client-error-not-authorized'
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'ArialMT'" class="">Access denied for the identity
specified by the provided X.509
certificate; try again
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'ArialMT'" class="">Close the connection; select a different
certificate (with possible user interaction);
retry connection with selected certificate
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                </tr>
                                <tr class="">
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'ArialMT'" class="">'client-error-forbidden'
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'ArialMT'" class="">Access denied for the identity
specified by the provided X.509
certificate; don't try again
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style: solid; border-top-width: 0.050000pt; border-top-color: rgb(0.000000%, 0.000000%, 0.000000%); border-right-width: 0.050000pt; border-right-color: rgb(0.000000%, 0.000000%, 0.000000%); border-bottom-width: 0.050000pt; border-bottom-color: rgb(0.000000%, 0.000000%, 0.000000%); border-left-width: 0.050000pt; border-left-color: rgb(0.000000%, 0.000000%, 0.000000%)" class="">
                                                <div class="layoutArea">
                                                        <div class="column"><p class=""><span style="font-size: 10.000000pt; font-family: 'ArialMT'" class="">Close the connection and present User
with error dialog (“Access denied”)
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                </tr>
                        </tbody></table>
                        <div class="layoutArea">
                                <div class="column"><p style="text-align: center;" class=""><span style="font-size: 11.000000pt; font-family: 'Arial'; font-weight: 700" class="">Table 3.1 : IPP 'certificate' Authentication Method Error Condition Status Codes </span></p>
                                </div>
                        </div>
                </div></blockquote><div class="">None of these seem to cover a lower-level protocol negotiation level failure. Do we need to add a new one for TLS version negotiation failure? The Client can learn the Printer's maximum TLS version via the "TLS" DNS-SD TXT record key (5100.14 section 4.2.3.4). The "uri-security-supported" attribute simply uses 'tls' but lists no version (which troubles me because DNS-SD shouldn't be more descriptive than IPP).</div><div class=""><br class=""></div><div class="">Thoughts?</div><div class=""><br class=""><div class="">Smith<br class=""><br class="">/**<br class="">    Smith Kennedy<br class="">    Wireless & Standards Architect - IPG-PPS<br class="">    Standards - IEEE ISTO PWG / Bluetooth SIG / Wi-Fi Alliance / NFC Forum / USB-IF<br class="">    Chair, IEEE ISTO Printer Working Group<br class="">    HP Inc.<br class="">*/<br class=""><br class=""><br class=""></div><br class=""></div></div>_______________________________________________<br class="">ipp mailing list<br class=""><a href="mailto:ipp@pwg.org" class="">ipp@pwg.org</a><br class="">https://www.pwg.org/mailman/listinfo/ipp<br class=""></div></blockquote></div><br class=""></div></body></html>