IPP Mail Archive: IPP> Security and the progress of IPP

IPP> Security and the progress of IPP

Harry Lewis (harryl@us.ibm.com)
Mon, 5 Oct 1998 11:46:32 -0400

Keith, I apologize that I was unable to attend the IETF meeting in Chicago
where IPP was reviewed. I was (and remain) very confident to have Carl-Uno as
our representative for IPP. As dedicated and articulate as Carl-Uno is, he
cannot always speak for the entire IPP WG body so I am taking this opportunity
to express my individual concerns.

Since June, I would characterize the specification of IPP as relatively stable
and complete. The group of interested printer and software product vendors
have successfully developed (and are willing to adopt as standard) a protocol
for query, submission and monitoring of print jobs via HTTP. As our Area
Director, you have further recommended a specific port and URL scheme for
hooking up to "the web" in a manageable form.

Security, however, remains an open switch for the Internet, at large. The
existing predominant scheme for security with HTTP cannot be considered an IETF
standard because of intellectual property rights. Alternatives are emerging but
have not matured to the point of acceptance. It is disheartening that the
progression of IPP has been linked to this (temporarily) intractable security
standards situation. In contrast to the concrete recommendations regarding port
and URL scheme (topics which might have been debated but which, at least, are
feasible to understand and accommodate), the IETF's position on security simply
presents a problem with no reasonable solution.

It is ineffective for the IETF to organize its resources in such a way as to
require all areas of expertise to provide ad-hoc solutions to related problems
- especially when they are as fundamental and global as security. As a printer
working group, our responsibility should be to identify, describe and articulate
any unique or un-intuitive security issues and cooperate on their resolution.
Instead, we find ourselves defining general URL and registry schemes for
security which, ultimately, will result in niche implementations, not
ubiquitous Internet standards.

Security is a very important issue and I expect the state of the art to improve
rapidly throughout the Internet. The goal of IPP is to enhance the state of
printing. We should do so in harmony with evolving Internet security schemes,
not by inventing new ones. The fact that the primary form of security for HTTP
is not a recognized standard begs for progress in the Security area, not
Printing.

I commend the IETF for its role in orchestrating and arbitrating the otherwise
chaotic integration of elements that make up the Internet. A great benefit has
been demonstrated from this - witness "the web" in our lives, our
workplace, our commerce. If I felt security was being overlooked by the IETF,
then I would insist on "special casing" it for IPP. To the contrary, the urgent
emphasis I sense in the IETF is exactly why I am confident that the IPP group
should not delay, but should be prepared to revise our specifications, as
appropriate, when there is clear evidence of a chosen standard for security in
the IETF.

Harry Lewis - IBM Printing Systems