IPP Mail Archive: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Paul Moore (paulmo@microsoft.com)
Thu, 22 Apr 1999 18:03:22 -0700

The 'I' protocols are used as much in non-Internet connected scenarios as
they are used in Internet connected scenarios. The IP (note the 'I') network
the machine I am typing on now is not connected to the Internet at all - I
have a completely invalid IP address (in the sense of being unregistered)
and I have no routers between it and the Internet.

TCP/IP is used in many places for many purposes.

Note I do not object to people specifying strong security - I am totally in
favour of it and was the only person to deliver it at bake-off 2. I object
to the MANDATORY requirement that all printers support it whether it makes
sense or not.

But as Keith has pointed out, this whole conversation regarding whether or
not it makes market sense to build products with certain capabilities as
driven by customer need carries no weight and we should just shut up and
build what the IETF says. Doesn't make any difference to me - I don't build
printer hardware.

-----Original Message-----
From: Manros, Carl-Uno B [mailto:cmanros@cp10.es.xerox.com]
Sent: Thursday, April 22, 1999 5:52 PM
To: Paul Moore; 'Keith Moore'
Cc: IETF-IPP
Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Paul,

Sometimes you seem to get carried away and forget what the first "I" in IPP
stands for....

Carl-Uno

> -----Original Message-----
> From: Paul Moore [mailto:paulmo@microsoft.com]
> Sent: Thursday, April 22, 1999 4:42 PM
> To: 'Keith Moore'
> Cc: Herriot, Robert; IETF-IPP
> Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication
>
>
> Who said anything about hooking this printer up to the Internet. I would
> never do that - I would buy a printer that supports authentication if I was
> planning to do that. IPP works fine in an office with 5 people using one
> printer on a simple in-house LAN.
>
> -----Original Message-----
> From: Keith Moore [mailto:moore@cs.utk.edu]
> Sent: Thursday, April 22, 1999 4:38 PM
> To: Paul Moore
> Cc: 'Keith Moore'; Herriot, Robert; IETF-IPP
> Subject: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication
>
>
> > I have a printer in my office that
> >
> > a) doesn't support PS
> > b) gets its IP stuff via DHCP
> > c) allows anybody to do firmware updates
> > d) allows anybody to install fonts
> > e) allows anybody to print
> >
> > You are telling me that this device CANNOT support IPP no matter how much I
> > want it for its non security related features.
>
> I'm not telling you any such thing. I'm merely saying that for it to
> support IPP, it has to be able to refuse attempts to perform IPP
> operations that are not authenticated.
>
> If whoever makes your printer sees fit to build the printer so that
> it loads its username/passwords from DHCP, along with the other IP
> stuff, that's fine. Heck, for a soho printer I would probably
> consider it acceptable for the printer to accept a single
> username/password (unique to that printer), which was burned in
> firmware, and printed on a label on the inside of the printer.
> That will at least prevent attacks, and people who want to support
> large numbers of users at their soho printer can just spool through
> a proxy that knows the password.
>
> And though it would be really silly to hook a printer up to the Internet
> that allowed so much potential for abuse, we're only insisting that it
> be possible for IPP to be authenticated.
>
> (though I would strongly recommend that while you're at it, you provide
> the ability to require authentication for *all* of b-e above. Face it,
> if you leave the door wide open, sooner or later your products
> will be subject to attack. It doesn't cost much to protect your
> customers now.)
>
> Keith
>