TLS is certainly an option.
You are correct in saying we've come full circle, and this is
probably due to a lot of confusion over what level of authentication/
security is required for IPP to be approved? After all, if IETF is
giving HTTP its blessings with OPTIONAL authentication support, then
why are we pushing for MANDATORY authentication support in IPP?
I agree wholeheartedly that we need to support Digest authentication,
but as a server/application developer I also need IPP to support
Basic authentication (with whatever encoding/encryption) for customers
that have specifically requested that functionality (or rather, that
they need to be able to use their existing accounts, which prevents
the use of Digest). While I can certainly warn our customers about
the risks of using existing accounts and Basic authentication, it's
not my place to tell our customers how they should use our software and
I'm sure we'd lose a lot of business if I did.
I don't really care what words are used to describe the type of
authentication support that is included with IPP. The key for me
(as a developer) is that I know that 1) all IPP clients will
support some minimum set of authentication methods, and 2) I have
some freedom in determining the appropriate type of authentication to
use for an IPP resource. Some of the proposals floating around here
have given me the impression that I'd be forced into a specific mode
of operation or release a non-compliant product.
-- ______________________________________________________________________ Michael Sweet, Easy Software Products firstname.lastname@example.org Printing Software for UNIX http://www.easysw.com