IPP Mail Archive: Re: IPP> possible compromise?

IPP Mail Archive: Re: IPP> possible compromise?

Re: IPP> possible compromise?

Harry Lewis (harryl@us.ibm.com)
Wed, 15 Jul 1998 16:04:24 -0400

I like the tune (different words) ... LPR was already out there... the =
wants to encourage a more interoperable standard... IPP isn't any worse=
security wise than LPR. I hope we can forgo the carrot and stick and
concentrate on the lettuce... as in let us do it ;-)

Harry Lewis - IBM Printing Systems

moore@cs.utk.edu on 07/15/98 01:38:27 PM
Please respond to moore@cs.utk.edu
To: imcdonal@eso.mc.xerox.com
cc: moore@cs.utk.edu, ipp@pwg.org, moore@cs.utk.edu, Harry
Subject: Re: IPP> possible compromise?

> I think it's useful to note that even LDAPv3 has recently been
> permitted to publish standards track RFCs WITHOUT any security
> mechanism (and a rather naive note that suggests read-only
> implementations).

The LDAPv3 case was a little odd. LDAPv2 was already out there
without any useful security. For various reasons, we wanted
to encourage people to move to LDAPv3, and LDAPv3 wasn't any
worse security-wise than LDAPv2. The IESG note was the
carrot part of the compromise that was worked out. The stick
was that the LDAP folks were supposed to do security before
anything else. It didn't work very well; they drug their
feet about security.

> I maintain that even a read-only implementation of LDAPv3 without
> any security (for read) is a good deal more dangerous in the
> business liability and exposure sense that an implementation
> of IPP without any security in some printers is.

Obviously it depends on what information you're making available
through LDAPv3, and whether you're just doing so within your
enterprise vs. exporting it to the rest of the world.