IPP Mail Archive: Re: IPP> MOD - Issue 2 - Challenge

Re: IPP> MOD - Issue 2 - Challenge

Michael Sweet (mike@easysw.com)
Tue, 30 Mar 1999 17:08:44 -0500

"Manros, Carl-Uno B" wrote:
> ...
> - ALL IPP/1.0 and 1.1 clients AND printers MUST support Basic and
> Digest Authentication (see the IPP Encoding & Transport drafts).
> - the Basic Authentication is being deprecated in the new HTTP/1.1
> Draft Standard, and might disappear from future HTTP products.

The 1.0 E&T document I have (Nov 16, 1998) doesn't REQUIRE Digest,
it merely references the RFCs. RFC 2068 doesn't mandate Digest,
although the current draft might (I'll have to look).

That said, CUPS (our IPP-based printing system for UNIX) does *not*
support Digest authentication in the current release. The main reason
is that Digest authentication makes it impossible to use the UNIX
user accounts, passwords, and groups for authentication. This in
turn would make administration more difficult, etc.

We also felt that Digest authentication didn't offer much security
benefit over Basic, and the customers we have asking for better
security are going to use transport-level encryption anyways...

> Why don't we mandate in IPP/1.1 that IPP printers ALWAYS send a
> challenge for Digest Authentication?

Even if no authorization is needed?

> This would make it unnecessary for the IPP client to ever need to
> request a challenge.
> ...

I still think that clients can just request the printer status prior
to submitting a job (this would be normal for many clients anyways,
right? You want to know if the printer is accepting jobs...) The
IPP server can send the challenge back to the client (if needed), and
everyone is happy...

Michael Sweet, Easy Software Products                  mike@easysw.com
Printing Software for UNIX                       http://www.easysw.com
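
The account-database point in the message above, as an added example that is not part of the original e-mail or of CUPS: Basic delivers the cleartext password, which a server can re-hash against a salted UNIX record, while a Digest response (RFC 2069 form, no qop) can only be checked by a server that separately stores HA1 = MD5(user:realm:password). The realm, account, nonce and URI are constructed, and PBKDF2 stands in for crypt(3).

```python
import base64, hashlib, hmac, os

REALM = "printers"  # assumed realm name

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def unix_entry(password):
    """Stand-in for a crypt(3) record: random salt plus one-way hash."""
    salt = os.urandom(8)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def unix_check(entry, password):
    salt, stored = entry
    trial = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)
    return hmac.compare_digest(trial, stored)

def verify_basic(header, passwd_db):
    """Basic carries user:password, so it can be re-hashed with the stored salt."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return False
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user in passwd_db and unix_check(passwd_db[user], password)

def digest_response(ha1, nonce, method, uri):
    """RFC 2069 form (no qop): MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def verify_digest(user, nonce, method, uri, response, ha1_db):
    """The server must already hold HA1; it is password-equivalent for the realm."""
    ha1 = ha1_db.get(user)  # cannot be derived from the salted record above
    if ha1 is None:
        return False
    return hmac.compare_digest(digest_response(ha1, nonce, method, uri), response)

def demo():
    passwd_db = {"alice": unix_entry("s3cret")}  # constructed account
    basic = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    nonce, uri = "constructed-nonce", "/printers/lp"  # constructed values
    ha1 = md5_hex(f"alice:{REALM}:s3cret")  # the client knows the password
    resp = digest_response(ha1, nonce, "POST", uri)
    return {
        "basic_with_unix_db": verify_basic(basic, passwd_db),
        "digest_with_unix_db": verify_digest("alice", nonce, "POST", uri, resp, {}),
        "digest_with_ha1_file": verify_digest("alice", nonce, "POST", uri, resp, {"alice": ha1}),
    }
```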