"McDonald, Ira" wrote:
> ...
> I think we want to strongly recommend that IPP Clients use (and
> IPP Printers expect to see used) the 'cnonce' option for better
> authentication, in the IIG.
> ...
IMHO, putting any restriction on the type of digest authentication
to use is outside the scope of IPP - that's an HTTP issue, and the
spec is fairly clear and would allow specific implementations or
sites to require cnonce or other security features of digest.
Also, cnonce does not eliminate man-in-the-middle attacks - you
need to use the MD5-sess algorithm to prevent changing of the
contents of the message body - cnonce only provides another bunch
of data to be added to the password sum and is of limited value
if the server already provides random nonce values for each
challenge.
--
______________________________________________________________________
Michael Sweet, Easy Software Products                  mike@easysw.com
Printing Software for UNIX                       http://www.easysw.com
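
Added example, not part of the original message or of any IPP implementation: the RFC 2617 request-digest computation for the options discussed in this thread, run over a constructed request to show which algorithm and qop combinations make the response depend on the cnonce and on the message body. The user, realm, password, URI, nonce and body values in BASE are constructed for illustration, and sensitivity() is a hypothetical helper.

```python
import hashlib

def h(data: bytes) -> str:
    """H() from RFC 2617: MD5, rendered as lowercase hex."""
    return hashlib.md5(data).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", algorithm="MD5", body=b""):
    """Compute the request-digest of RFC 2617 section 3.2.2.1 (qop present)."""
    a1 = f"{user}:{realm}:{password}".encode()
    if algorithm == "MD5-sess":
        # Session variant: nonce and cnonce are folded into A1 as well.
        a1 = f"{h(a1)}:{nonce}:{cnonce}".encode()
    elif algorithm != "MD5":
        raise ValueError(f"unsupported algorithm: {algorithm}")
    a2 = f"{method}:{uri}".encode()
    if qop == "auth-int":
        # Only auth-int appends H(entity-body) to A2.
        a2 += b":" + h(body).encode()
    elif qop != "auth":
        raise ValueError(f"unsupported qop: {qop}")
    return h(f"{h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{h(a2)}".encode())

# Constructed sample request (values are illustrative, not from the thread).
BASE = dict(user="alice", realm="printers", password="s3cret", method="POST",
            uri="/ipp/print", nonce="5f1c0a9e", nc="00000001",
            cnonce="0a4f113b", body=b"constructed IPP request body")

def sensitivity(field, new_value):
    """Map (algorithm, qop) -> True if changing `field` changes the response."""
    out = {}
    for alg in ("MD5", "MD5-sess"):
        for qop in ("auth", "auth-int"):
            before = digest_response(**BASE, qop=qop, algorithm=alg)
            after = digest_response(**{**BASE, field: new_value},
                                    qop=qop, algorithm=alg)
            out[(alg, qop)] = before != after
    return out

if __name__ == "__main__":
    for field, value in (("cnonce", "deadbeef"), ("body", b"altered body")):
        for mode, changed in sensitivity(field, value).items():
            print(f"{field:7} {mode}: response changes = {changed}")
```
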
This archive was generated by hypermail 2b29 : Fri Mar 16 2001 - 17:19:17 EST