[IPP] Proposed errata for rfc3998

[IPP] Proposed errata for rfc3998

Michael Sweet msweet at apple.com
Wed Nov 16 17:55:23 UTC 2011


Pete,

My point about forwarding is that the mechanism for authenticating the original-requesting-user-name and job-originating-user-name values over IPP is undefined. How/why do the child printers implicitly trust everything that is sent to them from the parent printer?

But again, the current wording makes original-requesting-user-name and job-originating-user-name distinctly different: original-requesting-user-name is the value that was supplied by the client while job-originating-user-name is the most authenticated name. Your proposed change would effectively make them the same, in which case we should:

1. Remove forwarding of job-originating-user-name entirely,
2. Delete original-requesting-user-name entirely, or
3. Make original-requesting-user-name exclusively an operation attribute and use it to pass the forwarded job-originating-user-name value in the fan-out case (this would, IMHO, be the sanest approach).

On Nov 16, 2011, at 9:23 AM, Zehler, Peter wrote:
> Mike,
>  
> The semantics are limited to Job forwarding systems of printers (i.e. IPP Fan out and fan in).  On the first system the Job’s “original-job-requesting-user-name” and “job-originating-user-name” are populated with the same value.  Per rfc2911 that value is the most authenticated printable name that it can obtain from the authentication service over which the IPP operation was received.  Only if such is not available, does the Printer object use the value supplied by the client in the "requesting-user-name".  On the next hop is where things diverge.  The upstream printer uses its own identity  in  the “requesting-user-name” operational attribute.  It also passes along the “original-requesting-user-name” as an operational attribute.  The downstream printer uses the “requesting-user-name”, or the identity obtained from a trusted protocol layer, to insure the request is from a configured upstream printer.  The downstream printer then copies over the “original-job-requesting-user-name” operational attribute to the job object AND to the job object’s “job-originating-user-name”.  In other words the child job is owned by the initial submitting user throughout the chain and not by the immediate parent (i.e. IPP Printers).
>  
> Pete
>  
>  
> Peter Zehler
> 
> Xerox Research Center Webster
> Email: Peter.Zehler at Xerox.com
> Voice: (585) 265-8755
> FAX: (585) 265-7441
> US Mail: Peter Zehler
> Xerox Corp.
> 800 Phillips Rd.
> M/S 128-25E
> Webster NY, 14580-9701
>  
> From: Michael Sweet [mailto:msweet at apple.com] 
> Sent: Wednesday, November 16, 2011 10:47 AM
> To: Zehler, Peter
> Cc: ipp at pwg.org
> Subject: Re: [IPP] Proposed errata for rfc3998
>  
> Pete,
>  
> If we make this change, then what is the difference between original-requesting-user-name and job-originating-user-name?
>  
> Section 10.8.4 (re)defines job-originating-user-name as the authenticated original user and whose value is supposed to be forwarded by each client unchanged... (something I am not 100% happy with since there is no provision for it in an IPP job submission)
>  
> Seems like the original intent was for original-requesting-user-name to be the unauthenticated value.
>  
> (and now I go off to add some text for this to JPS3 for job-originating-user-uri...)
>  
> On Nov 16, 2011, at 3:17 AM, Zehler, Peter wrote:
> 
> 
> Please substitute “section 10.8.3 of rfc3998” for “section 10.8.8 of rfc3998” below.
>  
>  
>  
> Peter Zehler
> 
> Xerox Research Center Webster
> Email: Peter.Zehler at Xerox.com
> Voice: (585) 265-8755
> FAX: (585) 265-7441
> US Mail: Peter Zehler
> Xerox Corp.
> 800 Phillips Rd.
> M/S 128-25E
> Webster NY, 14580-9701
>  
> From: ipp-bounces at pwg.org [mailto:ipp-bounces at pwg.org] On Behalf Of Zehler, Peter
> Sent: Wednesday, November 16, 2011 6:13 AM
> To: IPP at pwg.org
> Subject: [IPP] Proposed errata for rfc3998
>  
> All,
>  
> Section 10.8.2 covering “original-requesting-user-name” is a bit misleading.  The issue is that the Job owner is not always the same as the  “requesting-user-name”.   When forwarding jobs from one printer to another the “original-requesting-user-name” is the most authenticated printable name that can be obtained.  As stated in section 10.8.8 of rfc3998:  “The "job-originating-user-name" Job Description attribute (see [RFC2911], section 4.3.6) remains as the authenticated original user”.  This is inconsistent with section 10.8.2 as currently written.  Below is my proposed change to section 10.8.2.
>  
> Original:
> 10.8.2.  original-requesting-user-name (name(MAX)) Operation and Job
>         Description Attribute
>  
>    The operation attribute containing the user name of the original
>    user; i.e., corresponding to the "requesting-user-name" operation
>    attribute (see [RFC2911], section 3.2.1.1) that the original client
>    supplied to the first Printer object.  The Printer copies the
>    "original-requesting-user-name" operation attribute to the
>    corresponding Job Description attribute.
>  
> Corrected:
> 10.8.2.  original-requesting-user-name (name(MAX)) Operation and Job
>         Description Attribute
>  
>    The operation attribute containing the user name of the original
>    user; i.e., corresponding to the "job-originating-user-name" Job
>    attribute (see [RFC2911], section 4.3.6) that identifies the Job
>    owner on the first Printer object.  The Printer copies the
>    "original-requesting-user-name" operation attribute to the
>    corresponding Job Description attribute.
>  
>  
> Peter Zehler
> 
> Xerox Research Center Webster
> Email: Peter.Zehler at Xerox.com
> Voice: (585) 265-8755
> FAX: (585) 265-7441
> US Mail: Peter Zehler
> Xerox Corp.
> 800 Phillips Rd.
> M/S 128-25E
> Webster NY, 14580-9701
>  
> 
> -- 
> This message has been scanned for viruses and 
> dangerous content by MailScanner, and is 
> believed to be clean.
> 
> -- 
> This message has been scanned for viruses and 
> dangerous content by MailScanner, and is 
> believed to be clean. _______________________________________________
> ipp mailing list
> ipp at pwg.org
> https://www.pwg.org/mailman/listinfo/ipp
>  
> ________________________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
>  
>  
> 
> 
>  

________________________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20111116/a2d46f46/attachment-0001.html>


More information about the ipp mailing list