
<div dir="ltr"><div>Hi Smith,</div><div><br></div><div>Explicitly exposing TLS versions, Kerberos versions, HTTP versions, etc. at the application</div><div>IPP layer is exactly what IETF has actively avoided in SMTP and many other protocols.</div><div>It's a slippery slope, IMO.  <br></div><div><br></div><div>In TLS/1.3 itself, the TLS WG only made RECOMMENDED the return of specific Alert <br></div><div>codes in handshake or data transfer phase failures and made the Alert message entirely <br></div><div>optional, *not* localized (or language-tagged), and not necessarily mapped one-to-one <br></div><div>to the Alert code.</div><div><br></div><div>Exposing lower-layer failures (and configuration) in IPP attributes sounds wrong to me.</div><div><br></div><div>Cheers,</div><div>- Ira</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">Ira McDonald (Musician / Software Architect)<br>Co-Chair - TCG Trusted Mobility Solutions WG<br>Chair - Linux Foundation Open Printing WG<br>Secretary - IEEE-ISTO Printer Working Group<br>Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG<br>IETF Designated Expert - IPP & Printer MIB<br>Blue Roof Music / High North Inc<br><a style="color:rgb(51,51,255)" href="http://sites.google.com/site/blueroofmusic" target="_blank">http://sites.google.com/site/blueroofmusic</a><br><a style="color:rgb(102,0,204)" href="http://sites.google.com/site/highnorthinc" target="_blank">http://sites.google.com/site/highnorthinc</a><br>mailto: <a href="mailto:blueroofmusic@gmail.com" target="_blank">blueroofmusic@gmail.com</a><br>Jan-April: 579 Park Place  Saline, MI  48176  734-944-0094<br>May-Dec: PO Box 221  Grand Marais, MI 49839  906-494-2434<br><br><div style="display:inline"></div><div style="display:inline"></div><div style="display:inline"></div><div></div><div></div><div></div><div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, Jul 27, 2018 at 9:56 PM, Kennedy, Smith (Wireless  & Standards Architect) <span dir="ltr"><<a href="mailto:smith.kennedy@hp.com" target="_blank">smith.kennedy@hp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space">Greetings again,<div><br></div><div>I posted this without overtly suggesting a fix for this:<span class=""><div><br></div><div><blockquote type="cite"><div class="m_3210152247814537708WordSection1" style="font-family:LucidaGrande"><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">The Client can learn the Printer's maximum TLS version via the "TLS" DNS-SD TXT record key (5100.14 section 4.2.3.4). The "uri-security-supported" attribute simply uses 'tls' but lists no version (which troubles me because DNS-SD shouldn't be more descriptive than IPP).<u></u><u></u></div></div><div></div></div></blockquote></div><div><br></div></span><div>To bring IPP to parity with IPP + DNS-SD, I think we need to either add additional keywords for "uri-security-supported", like 'tls-1.2' and 'tls-1.3', or we create a new attribute. Even with this addition, I also think a new 'client-error-tls-negotiation-failure' status code should be defined.</div><div><br></div><div>Have a good weekend,</div><span class=""><div><br></div><div>
<div dir="auto" style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word;line-break:after-white-space"><div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word;line-break:after-white-space">Smith<br><br>/**<br>    Smith Kennedy<br>    Wireless & Standards Architect - IPG-PPS<br>    Standards - IEEE ISTO PWG / Bluetooth SIG / Wi-Fi Alliance / NFC Forum / USB-IF<br>    Chair, IEEE ISTO Printer Working Group<br>    HP Inc.<br>*/<br><br><br></div></div>
</div>
</span><div><br><blockquote type="cite"><div><div class="h5"><div>On Jul 27, 2018, at 2:25 PM, Kennedy, Smith (Wireless & Standards Architect) <<a href="mailto:smith.kennedy@hp.com" target="_blank">smith.kennedy@hp.com</a>> wrote:</div><br class="m_3210152247814537708Apple-interchange-newline"></div></div><div><div><div class="h5"><div style="word-wrap:break-word;line-break:after-white-space">Greetings,<div><br></div><div>In my presentation to the Mopria Technical Working Group yesterday, a question arose about TLS version negotiation failures, and whether the Client would be notified of such failures at the IPP level. I responded that there might be a response at the IPP level but that Clients (and Printers) need to also be aware of the TLS and HTTP levels. But then I remembered that, in the latest draft of the IPP Authentication Methods white paper, Mike and I expanded and revised section 3.1.7 "The 'certificate' IPP Authentication Method" to include the following:</div><blockquote style="margin:0 0 0 40px;border:none;padding:0px">
                
        
        
                <div class="m_3210152247814537708page" title="Page 13">
                        <div class="m_3210152247814537708layoutArea">
                                <div class="m_3210152247814537708column">
                                        <ol start="188" style="list-style-type:none">
                                                <li><p><span style="font-size:12.000000pt;font-family:'ArialMT'">The Printer SHOULD </span><span style="font-family:ArialMT;font-size:12pt">return the IPP status code listed in Table 3.1 when the corresponding authentication </span><span style="font-family:ArialMT;font-size:12pt">exception occurs. The Client SHOULD respond to the reported status code with the </span><span style="font-family:ArialMT;font-size:12pt">corresponding response listed in Table 3.1.</span></p></li>
                                        </ol><p><br></p>
                                </div>
                        </div>
                        <table style="border-collapse:collapse"><colgroup><col style="width:29.852911%"><col style="width:30.764450%"><col style="width:39.382639%">
                                </colgroup><tbody><tr>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'Arial';font-weight:700">Operation Status Code
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'Arial';font-weight:700">Authentication Exception
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'Arial';font-weight:700">Recommended Client Response
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                </tr>
                                <tr>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'ArialMT'">'client-error-not-<wbr>authenticated'
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'ArialMT'">Authentication required but no
X.509 certificate supplied
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'ArialMT'">Close the connection; select a certificate
(with possible user interaction); retry
connection with selected certificate
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                </tr>
                                <tr>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'ArialMT'">'client-error-not-authorized'
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'ArialMT'">Access denied for the identity
specified by the provided X.509
certificate; try again
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'ArialMT'">Close the connection; select a different
certificate (with possible user interaction);
retry connection with selected certificate
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                </tr>
                                <tr>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'ArialMT'">'client-error-forbidden'
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'ArialMT'">Access denied for the identity
specified by the provided X.509
certificate; don't try again
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                        <td style="border-style:solid;border-top-width:0.050000pt;border-top-color:rgb(0.000000%,0.000000%,0.000000%);border-right-width:0.050000pt;border-right-color:rgb(0.000000%,0.000000%,0.000000%);border-bottom-width:0.050000pt;border-bottom-color:rgb(0.000000%,0.000000%,0.000000%);border-left-width:0.050000pt;border-left-color:rgb(0.000000%,0.000000%,0.000000%)">
                                                <div class="m_3210152247814537708layoutArea">
                                                        <div class="m_3210152247814537708column"><p><span style="font-size:10.000000pt;font-family:'ArialMT'">Close the connection and present User
with error dialog (“Access denied”)
</span></p>
                                                        </div>
                                                </div>
                                        </td>
                                </tr>
                        </tbody></table>
                        <div class="m_3210152247814537708layoutArea">
                                <div class="m_3210152247814537708column"><p style="text-align:center"><span style="font-size:11.000000pt;font-family:'Arial';font-weight:700">Table 3.1 : IPP 'certificate' Authentication Method Error Condition Status Codes </span></p>
                                </div>
                        </div>
                </div></blockquote><div>None of these seem to cover a lower-level protocol negotiation level failure. Do we need to add a new one for TLS version negotiation failure? The Client can learn the Printer's maximum TLS version via the "TLS" DNS-SD TXT record key (5100.14 section 4.2.3.4). The "uri-security-supported" attribute simply uses 'tls' but lists no version (which troubles me because DNS-SD shouldn't be more descriptive than IPP).</div><div><br></div><div>Thoughts?</div><div><br><div>Smith<br><br>/**<br>    Smith Kennedy<br>    Wireless & Standards Architect - IPG-PPS<br>    Standards - IEEE ISTO PWG / Bluetooth SIG / Wi-Fi Alliance / NFC Forum / USB-IF<br>    Chair, IEEE ISTO Printer Working Group<br>    HP Inc.<br>*/<br><br><br></div><br></div></div></div></div>______________________________<wbr>_________________<br>ipp mailing list<br><a href="mailto:ipp@pwg.org" target="_blank">ipp@pwg.org</a><br><a href="https://www.pwg.org/mailman/listinfo/ipp" target="_blank">https://www.pwg.org/mailman/<wbr>listinfo/ipp</a><br></div></blockquote></div><br></div></div><br>______________________________<wbr>_________________<br>
ipp mailing list<br>
<a href="mailto:ipp@pwg.org">ipp@pwg.org</a><br>
<a href="https://www.pwg.org/mailman/listinfo/ipp" rel="noreferrer" target="_blank">https://www.pwg.org/mailman/<wbr>listinfo/ipp</a><br>
<br></blockquote></div><br></div>
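<p>The thread turns on where a TLS version mismatch actually becomes visible to an IPP Client: in a TLS alert record that arrives instead of a ServerHello, before any HTTP request or IPP response exists, versus the IPP status codes of Table 3.1, which can only appear once TLS and HTTP have already succeeded. The following Python is an added example written for this page; it is not code from the PWG, from HP, or from any IPP implementation, and nothing in the thread describes it. The helper names, the hand-constructed byte strings and the "TLS=1.2" TXT string format are assumptions; the TLS alert layout follows RFC 8446 sections 5.1 and 6, the IPP response header follows RFC 8010 section 3.1.1, and the IPP status code values follow RFC 8011 Appendix B.</p>

```python
"""Classify an IPP-over-TLS connection failure by the layer it came from.

Added example, not from the PWG thread or any PWG/HP code. Byte strings are
constructed by hand (assumption), as are the helper names and the TXT format.
"""
import struct

TLS_CONTENT_ALERT = 21
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTION = {  # subset of RFC 8446 AlertDescription values
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    46: "certificate_unknown", 70: "protocol_version",
    71: "insufficient_security", 116: "certificate_required",
}
IPP_STATUS = {  # RFC 8011 Appendix B values for the codes in Table 3.1 above
    0x0000: "successful-ok", 0x0403: "client-error-forbidden",
    0x0407: "client-error-not-authenticated", 0x0408: "client-error-not-authorized",
}
# Client actions: IPP-layer ones paraphrase Table 3.1; TLS-layer ones are this
# example's own reading of the thread, not a PWG recommendation.
IPP_ACTION = {
    "client-error-not-authenticated": "close; select a certificate; retry",
    "client-error-not-authorized": "close; select a different certificate; retry",
    "client-error-forbidden": "close; show 'Access denied'; do not retry",
}
TLS_ACTION = {
    "protocol_version": "stop; no IPP request was sent, so no IPP status code will come",
    "insufficient_security": "stop; no IPP request was sent, so no IPP status code will come",
    "certificate_required": "select a client certificate and reconnect",
}


def parse_tls_alert(record: bytes):
    """Return (level, description) for a plaintext TLS alert record, else None.

    Only the alert a server sends in reply to ClientHello is plaintext; later
    TLS 1.3 alerts are encrypted and no longer carry a 2-byte body.
    """
    if len(record) < 7:
        return None
    ctype, major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_CONTENT_ALERT or major != 3 or length != 2:
        return None
    level, desc = record[5], record[6]
    return (ALERT_LEVEL.get(level, f"unknown({level})"),
            ALERT_DESCRIPTION.get(desc, f"unknown({desc})"))


def parse_ipp_status(body: bytes):
    """Decode the fixed 8-byte IPP response header: version, status-code, request-id."""
    if len(body) < 8:
        return None
    major, minor, status, request_id = struct.unpack("!BBHI", body[:8])
    if major not in (1, 2):  # IPP/1.x or IPP/2.x only
        return None
    return {"version": f"{major}.{minor}", "request-id": request_id,
            "status": IPP_STATUS.get(status, f"0x{status:04x}")}


def classify_tls_failure(record: bytes):
    """What the Client learns from the bytes it received instead of a ServerHello."""
    alert = parse_tls_alert(record)
    if alert is None:
        return ("tls", "no-alert", "connection dropped without an alert; treat as handshake failure")
    level, desc = alert
    return ("tls", desc, TLS_ACTION.get(desc, f"{level} {desc}; stop"))


def classify_ipp_response(body: bytes):
    """What the Client learns once TLS and HTTP succeeded and an IPP response arrived."""
    hdr = parse_ipp_status(body)
    if hdr is None:
        return ("ipp", "malformed", "not an IPP response")
    return ("ipp", hdr["status"], IPP_ACTION.get(hdr["status"], "handle per RFC 8011"))


def txt_tls_max_version(txt_strings):
    """Maximum TLS version from DNS-SD TXT strings such as 'TLS=1.2' (format assumed)."""
    for s in txt_strings:
        key, sep, value = s.partition("=")
        if sep and key.lower() == "tls":
            return tuple(int(p) for p in value.split("."))
    return None


def worth_connecting(txt_strings, client_min=(1, 2)):
    """Discovery-time pre-check: skip a handshake the Printer will refuse anyway."""
    v = txt_tls_max_version(txt_strings)
    return v is None or v >= client_min


# Constructed sample inputs (not captured from any device).
FATAL_PROTOCOL_VERSION = bytes.fromhex("15030300020246")      # alert, fatal, 70
CERT_REQUIRED = bytes.fromhex("15030300020274")               # alert, fatal, 116
IPP_NOT_AUTHENTICATED = bytes.fromhex("020004070000000103")   # IPP/2.0, 0x0407, id 1, end tag
SAMPLE_TXT = ["txtvers=1", "rp=ipp/print", "TLS=1.2"]

if __name__ == "__main__":
    print(classify_tls_failure(FATAL_PROTOCOL_VERSION))
    print(classify_tls_failure(CERT_REQUIRED))
    print(classify_ipp_response(IPP_NOT_AUTHENTICATED))
    print(worth_connecting(SAMPLE_TXT, client_min=(1, 3)))
```

<p>The point the two classifiers make is the one Ira raises: a fatal protocol_version alert (70) is the whole of what the Printer says about a version mismatch, and it is sent by the TLS stack before an IPP request has been transmitted, so a new IPP status code for that case would never be on the wire. The TXT pre-check is the one place the Client can act on the advertised maximum version ahead of time.</p>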