attachment
<html aria-label="message body">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">
Thanks Mike! I've tried to incorporate these into section 10 of the next draft, which should be posted in time to review it in 2 weeks.
<div><br>
</div>
<div>Cheers,</div>
<div><br>
<div>
<div>
<div>Smith<br>
<br>
/**<br>
Smith Kennedy<br>
HP Inc.<br>
*/ </div>
<div><br>
<blockquote type="cite">
<div>On May 22, 2026, at 7:54 AM, Michael Sweet <msweet@msweet.org> wrote:</div>
<br class="Apple-interchange-newline">
<div><span style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">CAUTION:
External Email</span><br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<span style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">Smith,</span><br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<span style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">Some
thoughts on security/privacy:</span><br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<span style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">1.
Firmware should be cryptographically signed</span><br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<span style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">2.
Firmware downloads should be protected in transit (i.e. HTTPS/TLS)</span><br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<span style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">3.
Any identifiers used to authorize access to and/or track downloads and installations of new firmware should be limited to the Printer and not the Printer's owner, organization, etc. IOW, "this is a valid Example Corp Laser Printer 2000 with SN 12345 that is
entitled to receive firmware v2.0" - this allows the vendor to broadly know what version(s) of firmware are in use, whether there have been issues installing new firmware, etc. but not to know that Alice hasn't updated the firmware in her Printer for the last
18 months.</span><br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<span style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">4.
Firmware Repositories can potentially combine Printer identity information with IP addresses, routing info, etc. to determine the identity of owners (privacy consideration for using OTA updates...)</span><br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<span style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">I
know we don't want to dig too deep with this, and I certainly don't want to provide a roadmap for abusing OTA updates, but it seems appropriate to outline some of the risks and highlight best practices...</span><br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<blockquote type="cite" style="font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
On May 21, 2026, at 4:32 PM, Kennedy, Smith (Wireless & IPP Standards) via ipp <<a href="mailto:ipp@pwg.org">ipp@pwg.org</a>> wrote:<br>
<br>
Hi there,<br>
<br>
For IPP Firmware Update Extensions v1.0, does anybody have any recommendations for items to list in the "Security and Privacy" and "Implementation Considerations" sections? I'd like to get that before I produce my next draft, which will be ready for our IPP
WG meeting June 18.<br>
<br>
Cheers,<br>
<br>
Smith<br>
<br>
/**<br>
Smith Kennedy<br>
HP Inc.<br>
*/<br>
<br>
_______________________________________________<br>
ipp mailing list<br>
ipp@pwg.org<br>
https://www.pwg.org/mailman/listinfo/ipp<br>
</blockquote>
<br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<span style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">________________________</span><br style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-line: none; text-decoration-thickness: auto; text-decoration-style: solid;">
<span style="caret-color: rgb(0, 0, 0); font-family: Courier; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;">Michael
Sweet</span></div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</body>
</html>