<html aria-label="message body">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
Thanks Ira! I'll download those first 2. I don't have access to the third, and since it is paywalled I don't know if we can be adding it as an informative reference. If there are concise recommendations that you or others can provide from that document, that
would be helpful, and I will try to integrate them into my next draft.
<div><br id="lineBreakAtBeginningOfMessage">
<div>Smith<br>
<br>
/**<br>
Smith Kennedy<br>
HP Inc.<br>
*/ </div>
<div><br>
<blockquote type="cite">
<div>On May 24, 2026, at 1:12 PM, Ira McDonald via ipp &lt;ipp@pwg.org&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div>
<div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<div dir="ltr">
<div>Hi Smith,</div>
<div><br>
</div>
<div>I'd also suggest adding as Informative references to Security Considerations:</div>
<div><br>
</div>
<div>NIST SP800-193 Platform Firmware Resiliency Guidelines (May 2018)</div>
<div><a href="https://csrc.nist.gov/pubs/sp/800/193/final">https://csrc.nist.gov/pubs/sp/800/193/final</a></div>
<div><br>
</div>
<div>
<div>ITU-T X.1373 Secure Software Update Capability for ITS (March 2024)</div>
<div><a href="https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=15664">https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=15664</a></div>
<br>
</div>
<div>ISO 24089:2023 Road vehicles — Software Update Engineering (February 2023)</div>
<div><a href="https://www.iso.org/standard/77796.html">https://www.iso.org/standard/77796.html</a></div>
<div><br>
</div>
<div><br>
</div>
<div>All three are worth a look for security requirements </div>
<div>- first two are FREE </div>
<div>- third is behind a paywall (135 Swiss Francs), but it's a concise spec (I was co-editor)</div>
<div></div>
<div><br>
</div>
<div>Cheers,</div>
<div>- Ira</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><i><font size="1">Ira McDonald (Musician / Software Architect)</font></i></div>
<div><i><font size="1"></font></i></div>
<div dir="ltr"><i><font size="1">Co-Chair - TCG Mobile Platform WG</font></i></div>
<div><i><font size="1">Co-Chair - TCG Metadata Access Protocol SG<br>
</font></i></div>
<div dir="ltr"><i><font size="1">Chair - Linux Foundation Open Printing WG<br>
Secretary - ISTO Printer Working Group<br>
Co-Chair - ISTO PWG Internet Printing Protocol WG<br>
IETF Designated Expert - IPP & Printer MIB<br>
Blue Roof Music / High North Inc<br>
<a href="http://sites.google.com/site/blueroofmusic" target="_blank" style="color: rgb(51, 51, 255);">http://sites.google.com/site/blueroofmusic</a><br>
<a href="http://sites.google.com/site/highnorthinc" target="_blank" style="color: rgb(102, 0, 204);">http://sites.google.com/site/highnorthinc</a><br>
mailto:<span class="Apple-converted-space"> </span><a href="mailto:blueroofmusic@gmail.com" target="_blank">blueroofmusic@gmail.com</a><br>
(permanent) PO Box 221 Grand Marais, MI 49839 906-494-2434</font></i></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote gmail_quote_container">
<div dir="ltr" class="gmail_attr">On Fri, May 22, 2026 at 12:53 PM Michael Sweet via ipp <<a href="mailto:ipp@pwg.org">ipp@pwg.org</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Smith,<br>
<br>
Some thoughts on security/privacy:<br>
<br>
1. Firmware should be cryptographically signed<br>
2. Firmware downloads should be protected in transit (i.e. HTTPS/TLS)<br>
3. Any identifiers used to authorize access to and/or track downloads and installations of new firmware should be limited to the Printer and not the Printer's owner, organization, etc. IOW, "this is a valid Example Corp Laser Printer 2000 with SN 12345 that
is entitled to receive firmware v2.0" - this allows the vendor to broadly know what version(s) of firmware are in use, whether there have been issues installing new firmware, etc. but not to know that Alice hasn't updated the firmware in her Printer for the
last 18 months.<br>
4. Firmware Repositories can potentially combine Printer identity information with IP addresses, routing info, etc. to determine the identity of owners (privacy consideration for using OTA updates...)<br>
<br>
I know we don't want to dig too deep with this, and I certainly don't want to provide a roadmap for abusing OTA updates, but it seems appropriate to outline some of the risks and highlight best practices...<br>
<br>
<br>
> On May 21, 2026, at 4:32 PM, Kennedy, Smith (Wireless & IPP Standards) via ipp <<a href="mailto:ipp@pwg.org" target="_blank">ipp@pwg.org</a>> wrote:<br>
><span class="Apple-converted-space"> </span><br>
> Hi there,<span class="Apple-converted-space"> </span><br>
><span class="Apple-converted-space"> </span><br>
> For IPP Firmware Update Extensions v1.0, does anybody have any recommendations for items to list in the "Security and Privacy" and "Implementation Considerations" sections? I'd like to get that before I produce my next draft, which will be ready for our IPP
WG meeting June 18.<br>
><span class="Apple-converted-space"> </span><br>
> Cheers,<span class="Apple-converted-space"> </span><br>
><span class="Apple-converted-space"> </span><br>
> Smith<br>
><span class="Apple-converted-space"> </span><br>
> /**<br>
> Smith Kennedy<br>
> HP Inc.<br>
> */<span class="Apple-converted-space"> </span><br>
><span class="Apple-converted-space"> </span><br>
> _______________________________________________<br>
> ipp mailing list<br>
><span class="Apple-converted-space"> </span><a href="mailto:ipp@pwg.org" target="_blank">ipp@pwg.org</a><br>
><span class="Apple-converted-space"> </span><a href="https://www.pwg.org/mailman/listinfo/ipp" rel="noreferrer" target="_blank">https://www.pwg.org/mailman/listinfo/ipp</a><br>
<br>
________________________<br>
Michael Sweet<br>
<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</body>
</html>