From: Larry Masinter [mailto:firstname.lastname@example.org]
Sent: Friday, April 09, 1999 4:13 PM
To: Paul Moore
Cc: IETF-IPP; 'Manros, Carl-Uno B'; Michael Sweet
Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest

> I don't think that I said anything about not paying attention to security.
> I will remind you that I was the only one with working SSL3
> implementations on client and server at the recent bake-off. I am very
> concerned about it.
>
> I was commenting that Carl-Uno's flowchart did not analyse the pros and
> cons of the various security choices; it merely said (and I paraphrase somewhat)
> "We better do this because we won't get an RFC if we don't". I.e. "even if it
> sucks we'll do it anyway". BTW I'm not suggesting that anything does suck
> either, merely that being asked to turn my brain off to all logic other
> than getting an RFC seemed too much.

But we've heard repeatedly that the requirement for "getting an RFC"
is to come up with a plan for securing printers that makes sense.

"The bottom line is that IPP will not get a standard out of IETF
unless it provides a minimum level of security."

To continue to characterize this simple and sensible requirement
as "turn my brain off" is, well, turning off your brain.

If the proposal for "a minimum level of security" via Digest
authentication doesn't work for you, then propose something else
that provides a minimum level of security. Saying "well, only
implementing Basic Authentication is OK" doesn't provide a minimum
level of security, so it's not OK. I don't know why this is