IPP Mail Archive: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

IPP Mail Archive: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Manros, Carl-Uno B (cmanros@cp10.es.xerox.com)
Thu, 22 Apr 1999 17:51:50 -0700

Paul,

Sometimes you seem to get carried away and forget what the first "I" in IPP
stands for....

Carl-Uno

> -----Original Message-----
> From: Paul Moore [mailto:paulmo@microsoft.com]
> Sent: Thursday, April 22, 1999 4:42 PM
> To: 'Keith Moore'
> Cc: Herriot, Robert; IETF-IPP
> Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
>
>
> Who said anything about hooking this printer up to the
> Internet. I would
> never do that - I would buy a printer that supports
> authentication if I was
> planning to do that. IPP works fine in an office with 5
> people using one
> printer on a simple in-house LAN.
>
> -----Original Message-----
> From: Keith Moore [mailto:moore@cs.utk.edu]
> Sent: Thursday, April 22, 1999 4:38 PM
> To: Paul Moore
> Cc: 'Keith Moore'; Herriot, Robert; IETF-IPP
> Subject: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
>
>
> > I have a printer in my office that
> >
> > a) doesnt support PS
> > b) gets its IP stuff via DHCP
> > c) allows anybody to do firmware updates
> > d) allows anybody to install fonts
> > e) allows anybody to print
> >
> > You are telling me that this device CANNOT support IPP no
> matter how much
> I
> > want it for its non security related features.
>
> I'm not telling you any such thing. I'm merely saying that for it to
> support IPP, it has to be able to refuse attempts to perform IPP
> operations that are not authenticated.
>
> If whoever makes your printer sees fit to build the printer so that
> it loads its username/passwords from DHCP, along with the other IP
> stuff, that's fine. Heck, for a soho printer I would probably
> consider it acceptable for the printer to accept a single
> username/password (unique to that printer), which was burned in
> firmware, and printed on a label on the inside of the printer.
> That will at least prevent attacks, and people who want to support
> large numbers of users at their soho printer can just spool through
> a proxy that knows the password.
>
> And though it would be really silly to hook a printer up to
> the Internet
> that allowed so much potential for abuse we're only insisting that it
> be possible for IPP to be authenticated.
>
> (though I would strongly recommend that while you're at it,
> you provide
> the ability to require authentication for *all* of b-e above.
> Face it,
> if you leave the door wide open, sooner or later your products
> will be subject to attack. It doesn't cost much to protect your
> customers now.)
>
> Keith
>