IPP Mail Archive: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

IPP Mail Archive: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Michael Sweet (mike@easysw.com)
Thu, 08 Apr 1999 07:49:45 -0400

Keith Moore wrote:
> ...
> neither does it cost much to implement, and requiring every
> conforming client and server to implement digest will at least
> provide one way for users to authenticate to printers without
> compromising their passwords. This certainly seems better than

It costs a *lot* to implement it! Consider that you need to provide
not only the MD5 code in the client and server (which is trivial),
but you also may need to update the HTTP server to handle the digest
information *after* the request data has been received, and you have
to provide user and administrator tools for managing accounts and

> requiring everyone to implement basic - which would not only require
> users to expose their passwords to eavesdroppers, it would
> *encourage* use of the same passwords for HTTP (and hence IPP) as
> for other services!

We should require no type of authentication in the servers. Certainly
there will be a large number of printers that (because of limited
resources) are unable to maintain a list of users and their passwords.

IPP clients must be able to handle Basic or Digest authentication as
needed. IPP servers should handle Digest and/or Basic (with the
emphasis on Digest), but should not be forced into a specific type
of authorization.

> To put it another way: To make basic authentication "safe" you need
> to protect the entire network over which such credentials might
> be transmitted. To make digest authentication "safe" you need
> only to protect the server that stores the credentials. It's
> usually easier to protect a single server machine, than the network
> that supports the same number of users.

True, however to eavesdrop on network traffic that is confined to a
LAN you need to be on that LAN, which means that if there is a breach
of security you can usually track down the offender.

(To all of you spooks out there, yea yea you can monitor RF from a
distance to eavesdrop, too... If you have that kind of equipment
Digest ain't gonna drop ya...)

> However, a bit of clarification may be in order: although support
> for digest authentication is required for HTTP/1.1, nothing says
> that digest authentication must be available for all principals
> under all conditions. A server may support both basic and digest

If the spec says something is required (MUST) for compliance, then you
have to implement it to be compliant.

Michael Sweet, Easy Software Products                  mike@easysw.com
Printing Software for UNIX                       http://www.easysw.com