Mike,
Maybe our System Engineering (Mirelsa) can provide more customer usage information on accounting security and how customers use accounting than I, as I have no direct contact with customer usage/paradigm.
I believe our perception of what an account id is may be different. When you refer to authentication, a user has a username and password. They don't share their password, it is used for authenticating themselves (2FA aside for now).
My perception of job-accounting-user-id is similar to a password, it is not something that is public information. The difference however may be that that value may be assigned by an accounting system administrator, and if it is not modifiable by the user, then more than one person can know their user-id, so there is a security hole there.
Similarly, I'm not thinking of job-account-id as being something that is public information about the customer/client that appears on invoices. It is only provided to those users that need to bill the account. Again however, multiple people may have access to that value if more than one person is working an account. But the requirement that both job-accounting-user-id and job-account-id be required to submit/bill jobs identifies who submitted the job and who is/should be being charged. But I agree with you there is much less security than what is provided via an authentication that requires a private password and possibly even 2FA.
If you add on top of this the possibility that, for example, I logged in (authenticated to) my Mac, and when I submit a job, my Mac uses my authenticated user name for my job-accounting-user-id value (and maybe won't allow me to change it). An SA would then configure the accounting system - add my authenticated username as a valid job-accounting-user-id. That would tie me to any job submitted thru the accounting system. But still, the accounting system admin has to know my authenticated username and therefore my job-accounting-user-id in order to configure accounting, AND usernames are specifically more public than passwords, so there is obviously an issue there...
I guess it all comes down to what type of security customers who use accounting are expecting from it. It is optionally enabled by customers who use it, but I can't speak to what they expect from it security wise, and what advances may existing in accounting systems for security purposes.
Maybe Mirelsa can...
Thanks,
Chris
Christopher Rizzo
Xerox Corporation
GDG/Discovery/Advance Technology
26600 SW Parkway Ave.
Wilsonville, OR 97070-9251
Phone: (585) 314-6936
Email: Christopher.Rizzo at xerox.com
"The realization came over me with full force that a good part of the remainder of my life was going to be spent in finding errors in my own programs."
-Maurice Wilkes, Memoirs of a Computer Pioneer
From: Michael Sweet <msweet at msweet.org>
Date: Thursday, January 30, 2020 at 7:50 AM
To: Christopher Rizzo <Christopher.Rizzo at xerox.com>
Cc: PWG Workgroup <ipp at pwg.org>
Subject: Re: [IPP] MOPRIA Alliance Print Specification Accounting Support requirement 4.18.2.d is incompatible with Apple AirPrint
Chris,
Responses inline below...
On Jan 29, 2020, at 3:11 AM, Rizzo, Christopher <Christopher.Rizzo at xerox.com<mailto:Christopher.Rizzo at xerox.com>> wrote:
Mike,
This email is an attempt to answer the questions you posed in your previous email. In trying to get my head around the issue, I noticed I did not address any of your questions. The meeting time for the PWG has been typically a difficult time for me to attend due to other commitments, so my participation has not been as stellar as I would like. The same is going to be true for this week as I have an important doctor's appt. this Thursday. Apologies for the length of this email... Hope I don't put everyone to sleep.
1. What are the use cases that need job-accounting-user-id but not job-account-id?
[crizzo] I can only speak from my experience of course, so I'm sure I'm going to miss use cases. But here goes:
...
I wondering if we can provide a little more specific example for these - like a lawyer's office where associates have both a job-accounting-user-id that identifies the partner they are doing work for (?) and a job-account-id that identifies the client they are doing work for? We need to talk about why an unauthenticated value is useful/acceptable here as opposed to simply using the "most authenticated user identity" for job-accounting-user-id...
I only stick on this point because there are obvious business and legal issues with accounting systems that accept unauthenticated/unvalidated information - it's not enough to say you are John Smith working on contract/account number 123456. At some point you have to define a level of trust, which can be improved through authentication and validation, e.g. authenticate John Smith using a shared secret (password, whatever) and validate that John Smith is allowed to charge against account number 123456.
Remember we are defining the Best Practices for job accounting systems in this document, which may not match existing accounting systems precisely but definitely needs to address the use cases and requirements of existing accounting systems.
2. Do we need a way for a Printer to report that it would like the Client to show UI for and send certain Job Template attributes, above and beyond the current "printer-requested-job-attributes"?
[crizzo] I am having trouble finding the specs where printer-mandatory-job-attributes and printer-requested-job-attributes are defined. PWG 5100.7 contains job-mandatory-attributes Job Attribute, but does not mention printer-mandatory-job-attributes or printer-requested-job-attributes Printer Description attributes that I can find. I know they are in a spec somewhere, just can't find it right now.
Currently printer-requested-job-attributes is defined in the Job Accounting document, although the plan is to move it to another spec (EPX has been suggested, TRANS is another possibility and is just getting a quick errata update and might be a better fit?)
I suggest the following Printer Description matrix for the above accounting systems:
SYSTEM-A: printer-mandatory-job-attributes = job-accounting-user-id, job-account-id; printer-requested-job-attributes empty
SYSTEM-B: printer-mandatory-job-attributes = job-accounting-user-id; printer-requested-job-attributes = job-account-id
But a more general solutions suggests a printer should simply include job-accounting-user-id and job-account-id in printer-mandatory-job-attributes when they are required for a job to print, and if they are optional for a job, move the optional ones to printer-requested-job-attributes.
I think that's the guidance we should be giving for any of the attributes...
3. What additional Client UI recommendations do we want to add to the Job Accounting best practice document? For example, what is the recommended UI for "job-account-id"?
[crizzo] (Going forward) Supporting implementations: As I went thru this it was getting pretty robust, so I created a spreadsheet (attached) to try to capture my ideas. Hope it is understandable and not too complex (implementation wise). I think the spreadsheet could possibly cover all conceivable implementations though.
Well, the focus of the spreadsheet is clearly on job-account-id and job-accounting-user-id, but we also have document-format-details and many other attributes that were identified previously to consider.
4. How can a Printer best support a (legacy/not updated) Client whose Job Creation request is missing required or requested information?
[crizzo] Printers that support the new accounting requirements MAY wish to implement accounting exceptions configurable at the printer (for legacy client support it would absolutely be highly recommended, or maybe go so far as making this a MUST, so that legacy clients aren't totally locked out when accounting is enabled). Jobs received over IPP for example, can be charged to a generic IPP job-accounting-user-id and job-account-id. Not ideal for locking down accounting on the printer, but if a customer wants to use legacy clients with a supporting printer, this may be the only way.
Agreed, and we probably need to talk about what the specific recommendations should be...
(I'm adding slides to the F2F deck now, we can expand as needed...)
________________________
Michael Sweet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20200130/270e152d/attachment.html>