IPP Mail Archive: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

IPP Mail Archive: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Michael Sweet (mike@easysw.com)
Fri, 23 Apr 1999 12:20:02 -0400

Carl-Uno Manros wrote:
> Michael,
> I don't agree that the security solution proposed in our New Orleans
> meeting is either:
> 1) can't be met by most vendors
> or:
> 2) are cost-prohibitive to implement.

If you're in the US, you have to pay homage (literally) to RSA to
develop any implementation of TLS. For some vendors and products
this cost will be prohibitive.

Digest doesn't pose this particular problem, but it will take time
for the HTTP server software out there to catch up with the current
HTTP draft. [If you don't implement the message-body authentication
you can use an existing server, but the security of Digest without it
is severely reduced.]

> As you observe yourself, it might take vendors a bit of time to
> implement IPP/1.1, but in the meantime it looks like most people are
> rolling out IPP/1.0 versions. That doesn't mean that we shouldn't
> finish up the IPP/1.1 version NOW, otherwise it will just take even
> longer for the IESG favored IPP solution to reach the market. I want
> to reemphazise that the IPP WG was set up with task of creating in
> IETF standard. We haven't delivered on that yet, but I hope that we
> will soon. A couple of people are just now trying to write up the
> details about the New Orleans solution (see the minutes just
> distributed) and I would welcome your input on that text as soon as
> we have it ready.

My only concern with the latest meeting notes is that the language
seems to indicate the TLS support is required in all clients:

After hearing Keith's response, Hugo Parra made a new proposal:
Clients must support TLS + Basic AND Digest; Printers must support
TLS + Basic OR Digest. The group acknowledged that this is a
modification to the previous agreement, but consensus was reached
to adopt Hugo's new proposal. A more formal proposal describing
the details will be distributed for review.

Clearly this would severely limit the number of IPP clients that could
hope to claim IPP/1.1 compliance. I would suggest the following
wording instead:

Servers are REQUIRED to implement "TLS + Basic" OR Digest.

Clients are REQUIRED to implement Digest. If the client supports
TLS then it is also REQUIRED to support "TLS + Basic".

I can appreciate the IETF's desire to promote security in all of the
standards it endorses, but we also need to balance that against
practicality. Digest support is currently available with most server
products (in most cases using the less secure RFC 2069 draft) and
doesn't involve licensing or other restrictions on its use. Because
of the nature of TLS, vendors (and customers!) face licensing fees and
government-imposed restrictions/regulations of varying degrees.

The main thing that I don't want to see is fragmentation in the IPP
"community". IMHO, requiring TLS support in clients is one way to
ensure fragmentation.

Michael Sweet, Easy Software Products                  mike@easysw.com
Printing Software for UNIX                       http://www.easysw.com