IPP> Re: New protocol document & Security issues

Scott Lawrence lawrence at agranat.com
Wed May 28 17:05:28 EDT 1997


>>>>> "RT" == Randy Turner <rturner at sharplabs.com> writes:


RT> We talked about basic authentication in Memphis and we decided
RT> that low-end IPP servers could use this because it is simple.  We
RT> really only need two levels of security, simple and advanced, for
RT> interoperability's sake. The simple case would be basic auth.,
RT> which a lot of vendors are already supporting (username and
RT> password) in their products.


>>>>> "CM" == Carl-Uno Manros <cmanros at cp10.es.xerox.com> writes:


CM> You can certainly use the basic stuff that is in your document,
CM> but if used, that will fall into the category "no security" as seen by the
CM> SEC subgroup.


  Seconding Carl-Uno;


  The HTTP Basic Authentication scheme is no authentication at all,
  and I suspect will be treated as such by IESG reviewers.  To quote
  from the report on a recent meeting of the IAB
  <http://www.iab.org/iab/secrets.html>, in a section titled "To be
  Killed: Plaintext Passwords":


    "Any protocol that relies on the transmission of unencrypted
     passwords is terminally broken."


  If the IPP security mapping document mentions the Basic
  authentication scheme at all, it should be to explicitly disallow
  it as a means of providing a security service.



--
Scott Lawrence           EmWeb Embedded Server       <lawrence at agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
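
An added example, not part of the original message: an audit check showing why the Basic scheme is a plaintext password, since its credential field is only base64 of "user:password" and decodes without any key. The sample requests, the names SAMPLE_REQUESTS, authorization_of and audit, and the "http"/"https" transport label (which goes beyond the message's own scope) are assumptions made for illustration.

```python
import base64
import binascii

# Constructed sample requests (made-up host and credentials), tagged with
# the transport they were observed on.
_BASIC = "Basic " + base64.b64encode(b"operator:s3cret").decode()
_HEAD = "POST /printers/lj4 HTTP/1.1\r\nHost: printer.example\r\n"
SAMPLE_REQUESTS = [
    ("http", _HEAD + "Authorization: " + _BASIC + "\r\n\r\n"),
    ("https", _HEAD + "Authorization: " + _BASIC + "\r\n\r\n"),
    ("http", _HEAD + 'Authorization: Digest username="operator", '
                     'response="0f0e0d0c"\r\n\r\n'),
    ("http", _HEAD + "\r\n"),
]


def authorization_of(raw_request):
    """Return (scheme, parameter) from the Authorization header, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, param = value.strip().partition(" ")
            return scheme, param.strip()
    return None


def audit(transport, raw_request):
    """Report a finding when a request carries Basic credentials.

    The password is never returned; the finding only records that an
    observer of the request could recover it without a key.
    """
    auth = authorization_of(raw_request)
    if auth is None or auth[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(auth[1], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        decoded = ""                              # malformed credential field
    user, sep, _password = decoded.partition(":")
    return {
        "user": user if sep else None,
        "password_recoverable": bool(sep),
        "cleartext_transport": transport == "http",
    }


if __name__ == "__main__":
    for transport, request in SAMPLE_REQUESTS:
        print(transport, audit(transport, request))
```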



