IPP Mail Archive: IPP> SEC - IPP Security and Safety Belts

IPP> SEC - IPP Security and Safety Belts

Carl-Uno Manros (carl@manros.com)
Wed, 28 Apr 1999 07:55:28 -0700


It seems that there are still some people who have not quite understood the
IETF security requirements.

Let me make a short comparison with cars and seat belts to make this crystal
clear to everybody.

In the same way that the governments worldwide now require all new cars to
have seat belts for the security of the driver and passengers, the IETF
requires a basic set of security to be present in all conforming IPP
printers and clients.

In a car you can have additional security features like airbags, which are
mandated in some countries, but not in all. The IETF has not mandated extra
security features beyond the authentication of clients, but would like to
see strong recommendations to also support printer authentication and
content integrity.

Some of the arguments that we have had against the IETF requirements are
equivalent to saying:

"I will only drive my car on my own private property, and there the
government cannot decide if I have to use the seat belts or not."

"My customers don't like seat belts so they are not going to use them."

"My customers are so against seat belts that they are going to disinstall
them, even if they are in the car when delivered."

The IETF has actually not objected to the latter two statements; you can let
your customer inactivate the security features at set-up time, or you can
let clients use your printer without requiring client authentication, if
they so choose.

What the IETF DOES insist on though is that every car has the safety belts
in place in every delivered IETF IPP car.

If you want to sell motorized golf cars without seat belts for use only on
private property, you can obviously do that too, but then it is not an IETF
IPP car any more.