IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Manros, Carl-Uno B cmanros at cp10.es.xerox.com
Thu Apr 22 20:51:50 EDT 1999


Paul,

Sometimes you seem to get carried away and forget what the first "I" in IPP
stands for....

Carl-Uno

> -----Original Message-----
> From: Paul Moore [mailto:paulmo at microsoft.com]
> Sent: Thursday, April 22, 1999 4:42 PM
> To: 'Keith Moore'
> Cc: Herriot, Robert; IETF-IPP
> Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
> 
> 
> Who said anything about hooking this printer up to the 
> Internet. I would
> never do that - I would buy a printer that supports 
> authentication if I was
> planning to do that. IPP works fine in an office with 5 
> people using one
> printer on a simple in-house LAN.
> 
> -----Original Message-----
> From: Keith Moore [mailto:moore at cs.utk.edu]
> Sent: Thursday, April 22, 1999 4:38 PM
> To: Paul Moore
> Cc: 'Keith Moore'; Herriot, Robert; IETF-IPP
> Subject: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication 
> 
> 
> > I have a printer in my office that
> > 
> > a) doesnt support PS
> > b) gets its IP stuff via DHCP
> > c) allows anybody to do firmware updates
> > d) allows anybody to install fonts
> > e) allows anybody to print
> > 
> > You are telling me that this device CANNOT support IPP no 
> matter how much
> I
> > want it for its non security related features.
> 
> I'm not telling you any such thing.  I'm merely saying that for it to
> support IPP, it has to be able to refuse attempts to perform IPP
> operations that are not authenticated.  
> 
> If whoever makes your printer sees fit to build the printer so that
> it loads its username/passwords from DHCP, along with the other IP
> stuff, that's fine.  Heck, for a soho printer I would probably 
> consider it acceptable for the printer to accept a single 
> username/password (unique to that printer), which was burned in 
> firmware, and printed on a label on the inside of the printer.
> That will at least prevent attacks, and people who want to support
> large numbers of users at their soho printer can just spool through
> a proxy that knows the password.
> 
> And though it would be really silly to hook a printer up to 
> the Internet 
> that allowed so much potential for abuse we're only insisting that it 
> be possible for IPP to be authenticated.
> 
> (though I would strongly recommend that while you're at it, 
> you provide
> the ability to require authentication for *all* of b-e above. 
>  Face it,
> if you leave the door wide open, sooner or later your products 
> will be subject to attack.  It doesn't cost much to protect your 
> customers now.)
> 
> Keith
> 



More information about the Ipp mailing list