IPP> IPP Bake Off 3 Issue 2

IPP> IPP Bake Off 3 Issue 2

IPP> IPP Bake Off 3 Issue 2

Zehler, Peter Peter.Zehler at usa.xerox.com
Thu Oct 26 14:41:37 EDT 2000

BO3-2: Some IPP Clients issues a zero length HTTP Post.  The Client assumed
that this would force a challenge if security is enabled on the Printer.
The Client would have a problem if a subsequent print operation were
		Proposed Resolution: The Client should use the IPP operation
"validate-job" to check if a job will be accepted.  This operation will
cause the Printer to issue a challenge and check the print request before
sending the data.  The IPP Client should also be able to handle a challenge
when issuing an IPP operation since there is no guarantee the connection has
not been torn down.
		Furthermore, a Printer should accept an empty HTTP post and
issue a challenge based on the URL of the post.
		Action Item: Bob Herriot: Some clients determined if a
Printer requires authentication by sending an
		empty HTTP request. Some Printers treated this as an error.
The resolution
		was for clients to send a ValidateJob operation and by
inference to allow
		Printers to reject empty HTTP requests.
		I raised the issue about whether a Printer should perform
the authentication
		challenge based solely on the URL or whether it could react
differently to
		an empty request than to a Validate-Job request.

		I asked an HTTP expert and received the following

		   1) An HTTP server can have any policy. 
		      This means that our decision is allowable.

		   2) It is best for a client if it can associate the URL
tree with 
		      the authentication space. 

		      This means that our decision could be better. That is,
we should 
		      require an IPP Printer to decide whether to issue an
		      challenge by examining the URL and nothing else, e.g.
a Printer
		      receiving a request for a particular URL, gives the
		      challenge to an empty request as to a Validate-Job

		This solution allows a client to use Validate-Job to request
a challenge as
		we decided to allow. It also allows a client to use the
empty request. 

		The important difference between our decision and what I am
proposing is
		that the Printer must perform an authentication challenge
consistently for a
		URL regardless of the contents of the message body. This
rule make IPP
		behavior consistent with good HTTP policy.

				Peter Zehler
				Xerox Architecture Center
				Email: Peter.Zehler at usa.xerox.com
				Voice:    (716) 265-8755
				FAX:      (716) 265-8792 
				US Mail: Peter Zehler
				        Xerox Corp.
				        800 Phillips Rd.
				        M/S 139-05A
				        Webster NY, 14580-9701

More information about the Ipp mailing list