IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Paul Moore paulmo at microsoft.com
Fri Apr 9 20:01:29 EDT 1999


Basic and SSL work fine for me. It has the fiollowing benefits
1. Its works
2. Its secure
3. Any reasonable client supports it
4. Any reasonable server supports it.


-----Original Message-----
From: Larry Masinter [mailto:masinter at parc.xerox.com]
Sent: Friday, April 09, 1999 4:13 PM
To: Paul Moore
Cc: IETF-IPP; 'Manros, Carl-Uno B'; Michael Sweet
Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
Authentication


> I dont think that I said anything about not paying attention to security.
> I'll will remind you that I was the only one with working SSL3
> implementations on client and server at the recent bake-off. I am very
> concerned about it.
> 
> I was commenting that carl-uno's flowchart did not analyse the pros and
cons
> of the various security choices it merely said (and I paraphrase somewhat)
> "We better do this becasue we wont get an RFC if we dont". I.e "even if it
> sucks we'll do it anyway". BTW I'm not suggesting that anything does suck
> either merely that being asked to turn my brain off to all logic other
than
> getting an RFC seemed too much.

But we've heard repeatedly that the requirement for "getting an RFC"
is to come up with a plan for securing printers that makes sense.
Keith wrote:

"The bottom line is that IPP will not get a standard out of IETF
unless it provides a minimum level of security."

To continue to characterize this simple and sensible requirement
as "turn my brain off" is, well, turning off your brain.

If the proposal for "a minimum level of security" via Digest
authentication doesn't work for you, then propose something else
that provides a minimum level of security. Saying "well, only
implementing Basic Authentication is OK" doesn't provide a minimum
level of security, so it's not OK. I don't know why this is
so hard.

Larry



More information about the Ipp mailing list