IPP Mail Archive: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

harryl@us.ibm.com
Fri, 23 Apr 1999 13:01:48 -0600

This tack is blowing my mind.

I thought the WHOLE reason SSL was disallowed in our specification (of IPP)
was due to its "encumbered" nature. And the IETF pointed us at TLS as the
answer. Now, we're suggesting that TLS is encumbered?

We need immediate clarification of this issue!

Harry Lewis
IBM Printing Systems
harryl@us.ibm.com

Michael Sweet <mike@easysw.com> on 04/23/99 12:32:06 PM

To: Keith Moore <moore@cs.utk.edu>
cc: Carl-Uno Manros <carl@manros.com>, Paul Moore <paulmo@microsoft.com>,
IETF-IPP <ipp@pwg.org> (bcc: Harry Lewis/Boulder/IBM)
Subject: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Keith Moore wrote:
>
> > If you're in the US, you have to pay homage (literally) to RSA to
> > develop any implementation of TLS.

Hey, I found section 9 in the RFC... Maybe this isn't true after
all... (why is this stuff always buried?)

> is this really true? the default mandatory TLS ciphersuite is
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, which (AFAIK) doesn't use
> any RSA-controlled technology.

I really don't know; most public-key stuff seems to be controlled in
some way by RSA, and I don't know enough about the Diffie-Hellman
stuff to know if it falls under the RSA patents, or if it is even
secure enough to be considered as a replacement for RSA should it
*not* fall under the patents. (Nor do I know if it is covered by
patents in other countries or falls under export/import restrictions.)

I think before any decision is made on issue 32 we need to determine
if requiring TLS in clients is feasible; i.e. are there existing TLS
products or tools for all/most platforms, what legal concerns are
there, etc. If it turns out that a free, compliant IPP implementation
cannot be produced with TLS without export restrictions, then I think
we have no choice but to drop the TLS requirement and stick with
Digest, or have the optional TLS support in the client requirements.

--
______________________________________________________________________
Michael Sweet, Easy Software Products                  mike@easysw.com
Printing Software for UNIX                       http://www.easysw.com