attachment
<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Mike,<br class="">
<div><br class=""><blockquote type="cite" class=""><div class="">On Nov 8, 2022, at 4:27 AM, Michael Sweet <<a href="mailto:msweet@msweet.org" class="">msweet@msweet.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">CAUTION: External Email<br class=""><br class=""><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">From: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">Michael Sweet <<a href="mailto:msweet@msweet.org" class="">msweet@msweet.org</a>><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Subject: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><b class="">Re: [IPP] Add "oauth-authorization-resource" attribute?</b><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Date: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">November 8, 2022 at 4:27:43 AM MST<br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">To: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">"Kennedy, Smith (Wireless & IPP Standards)" <<a href="mailto:smith.kennedy@hp.com" class="">smith.kennedy@hp.com</a>><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Cc: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">PWG IPP Workgroup <<a href="mailto:ipp@pwg.org" class="">ipp@pwg.org</a>><br class=""></span></div><br class=""><br class="">Smith,<br class=""><br class="">I still need to finish updating the wiki for the last meeting's minutes... Anywsyd...<br class=""><br class=""><blockquote type="cite" class="">On Nov 7, 2022, at 9:46 PM, Kennedy, Smith (Wireless & IPP Standards) <<a href="mailto:smith.kennedy@hp.com" class="">smith.kennedy@hp.com</a>> wrote:<br class=""><br class="">That sounds right - I couldn't remember how this played out and it doesn't seem to be covered in the wiki page.<br class=""><br class="">However, I'm worried about that conclusion. If we advise that the Client supplies the "printer-uri" value as the resource identifier, wouldn't this mean that the Authentication Service needs to know the printer's current URI? That could be in the .local domain which isn't really any more useful or verifiable than a printer-uuid value. (Obviously how the printer and Authentication Service talk to one another is outside our scope of concern but that would affect whether the printer could register its URI with the Authentication Service.)<br class=""><br class="">It seems like we could define the attribute but then provide guidance for how best to use it?<br class=""></blockquote><br class="">OK, so the subject of a "canonical" printer URI was something I've brought up as well.<br class=""><br class="">From a standards-perspective the printer advertises its supported URIs, security mechanisms, and authentication methods, so the printer-uri-supported/uri-authentication-supported/uri-security-supported trio and printer/system-xri-supported collection attributes will indicate which URIs to use and which URIs support OAuth.<br class=""><br class="">From a security standpoint, the same authentication and security (encryption) methods should be used/supported for all URIs, otherwise you are just creating "back doors". For interoperability you don't want to create a situation where a Client is confused about the URI, authentication, or security that it should use.<br class=""><br class="">All that said, I don't think we can design or recommend a configuration where a Client can discover a Printer via mDNS, use a .local hostname, *and* use a cloud/remote OAuth authorization server with token exchange since there is no way to ensure that the printer-uri is globally unique.<br class=""></div></blockquote><div><br class=""></div></div>If an Authentication Service supports a certificate or some other more trustable artifact as a resource identifier, perhaps one provisioned to the printer at the time the printer is registered, that could improve the situation, right? I thought we discussed that at the August F2F.<div class=""><br class=""></div><div class="">Regardless, I think that it would be better for the client to use the value provided by a purpose-defined but abstract attribute like "oauth-authorization-resource-id" instead of instructing or guiding clients to use "printer-uuid" or "printer-uri". The value held by "oauth-authorization-resource-id" could be a URI or a UUID (printer-uuid or some other UUID).<br class=""><div class=""><br class=""></div><div class=""><br class=""><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div></div></div></body></html>