"the IPP spec must require that all combinations of conforming client
and server implementations be able to provide authentication which
does not expose a password to eavesdroppers, and which protects the
printer resource against unauthorized use."
This is going too far (nothing to do with TLS vs SSL vs digest, etc.). It is
simply neither practical nor desirable to REQUIRE all printers to support
authentication. (Note that I have no axe to grind here in terms of my
product; I support authentication and encryption in both client and server).
I do agree that we must say what security mechanisms are used IF a client or
server wants to be protected. But we should not REQUIRE that protection is
supported (a client may simply choose not to print to that device).
Saying that it only takes a small amount of code is missing the point - how
do I enter valid user names and passwords into the network card of a