<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>On Aug 30, 2010, at 2:41 PM, Ira McDonald wrote:</div><blockquote type="cite">Hi,<br><br>I agree with Mike. If you support "ipps:" on an IPP Printer object<br>and also support "ipp:", then you MUST support HTTP Upgrade.<br><br>About encryption:<br><br>For many printing situations (emails, service messages, etc.) it's<br>
fine to send the data in cleartext over the enterprise network, VPN,<br>or even public Internet - but you still want Data Integrity (i.e., secure <br>hashes of application PDUs in the TLS Record layer) - "print what<br>
you sent" - right?<br></blockquote><div><br></div><div>In general, data injection/replacement isn't a real problem - aside from pranks, there is little to be gained at great cost, especially when most jobs are one-offs.</div></div><div><br></div><div>The real issues for secure printing environments are privacy/disclosure of print data and authentication and authorization of clients, servers, and services. For example, when you print something on the MFD down the hall, are you actually talking to the MFD down the hall when you send the print job? TLS provides a way to provide both privacy and authentication/authorization, but for environments where the network is already secured something as simple as Digest authentication with the MD5-session stuff may be sufficient to prevent man-in-the-middle attacks.</div><div><br></div><div><blockquote type="cite"><br>Cheers,<br>- Ira<br><br clear="all">Ira McDonald (Musician / Software Architect)<br>Chair - Linux Foundation Open Printing WG<br>Co-Chair - TCG Hardcopy WG<br>IETF Designated Expert - IPP & Printer MIB<br>
Blue Roof Music/High North Inc<br><a href="http://sites.google.com/site/blueroofmusic">http://sites.google.com/site/blueroofmusic</a><br><a href="http://sites.google.com/site/highnorthinc">http://sites.google.com/site/highnorthinc</a><br>
mailto:<a href="mailto:blueroofmusic@gmail.com">blueroofmusic@gmail.com</a><br>winter:<br> 579 Park Place Saline, MI 48176<br> 734-944-0094<br>summer:<br> PO Box 221 Grand Marais, MI 49839<br> 906-494-2434<br>
<br><br><div class="gmail_quote">On Mon, Aug 30, 2010 at 5:34 PM, Michael Sweet <span dir="ltr">&lt;<a href="mailto:msweet@apple.com">msweet@apple.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="word-wrap: break-word;"><div><div>On Aug 30, 2010, at 8:20 AM, Ira McDonald wrote:</div><blockquote type="cite"><font color="#000000">...<br></font><div class="im">
I do think we should RECOMMEND against the practice,<br>because it supplies ambiguous security to the IPP Printer<br>object.<br></div></blockquote><div><br></div><div>FWIW, while it is certainly possible I think it would be better to simply require that printers supporting both ipp and ipps report the appropriate keywords for uri-security-supported (ssl3 and/or tls) along with mandatory support for HTTP Upgrade. That would be consistent with our "message" since IPP/1.1 and gives us what we want on the standards side of things.</div>
<div><br></div><div>Whether a Printer allows clear-text connections when configured with SSL/TLS support is, IMHO, a site-specific policy outside the scope of IPP, and in particular HTTP Upgrade allows both the Client and Printer to enforce a particular policy dynamically. Moreover, some communications channels may already be secured, making any transport-level encryption optional over those channels.</div>
</div><br><div>
<span style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Monaco; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Monaco; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><div style="word-wrap: break-word;">
<div>________________________________________________________________________</div><div>Michael Sweet, Senior Printing System Engineer, PWG Chair</div><div><br></div></div></span><br></span><br>
</div>
<br></div></blockquote></div><br>
</blockquote></div><br><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Monaco; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Monaco; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>________________________________________________________________________</div><div>Michael Sweet, Senior Printing System Engineer, PWG Chair</div><div><br></div></div></span><br class="Apple-interchange-newline"></span><br class="Apple-interchange-newline">
</div>
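<div>Added example, not written by either correspondent and not taken from any IPP implementation: how a Client can apply its own TLS policy to a Printer's reply to an RFC 2817 HTTP Upgrade request, the mechanism the quoted message relies on. The function names and sample replies are constructed for illustration.</div>

```python
# Added example: client-side handling of an RFC 2817 upgrade-to-TLS exchange.
# All names and the sample replies below are constructed for illustration.

def build_upgrade_request(host: str) -> bytes:
    """Probe that asks the Printer to switch this connection to TLS."""
    return ("OPTIONS * HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Upgrade: TLS/1.0\r\n"
            "Connection: Upgrade\r\n\r\n").encode("ascii")

def parse_response(raw: bytes):
    """Return (status_code, headers) with lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def _tokens(value: str):
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def upgrade_decision(raw: bytes, require_tls: bool) -> str:
    """What the Client may do next, given its own policy and the reply."""
    status, headers = parse_response(raw)
    offers_tls = ("tls/1.0" in _tokens(headers.get("upgrade", ""))
                  and "upgrade" in _tokens(headers.get("connection", "")))
    if status == 101:
        # A 101 that does not name TLS leaves the channel state unknown.
        return "start-tls" if offers_tls else "abort"
    if status == 426 and offers_tls:
        return "must-upgrade"   # Printer policy refuses clear text
    # No upgrade happened: never fall back silently when policy demands TLS.
    return "abort" if require_tls else "cleartext"

# Constructed sample replies.
ACCEPTED = (b"HTTP/1.1 101 Switching Protocols\r\n"
            b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
REQUIRED = (b"HTTP/1.1 426 Upgrade Required\r\n"
            b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
IGNORED = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
BARE_101 = b"HTTP/1.1 101 Switching Protocols\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("accepted", ACCEPTED), ("required", REQUIRED),
                      ("ignored", IGNORED), ("bare 101", BARE_101)]:
        print(name, upgrade_decision(raw, require_tls=True))
```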
</body></html>