<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">Hi Pete et al,</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">Please find our comments/suggestions below.</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">Comments</span></u></b><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">:</span></p>
<p class="MsoNormal" style="background:white">&nbsp;</p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.5in;background:white"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">1. Page 22: “<b>P</b>rinter-current-time” should be “<b>p</b>rinter-current-time”</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;background:white"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">a. Some comments about how an ‘IPP over USB’-only scanner that does not have an RTC chip should consider implementing this and the other ‘date-time’ values (which are mandatory now) would be useful.</span></p>
<p class="MsoNormal" style="background:white">&nbsp;</p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.5in;background:white"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">2. Line 883/884 [Page 50]: The values for ‘uuid’. Is the USB serial number truly globally unique? Isn’t its uniqueness scope typically limited to devices using the same PID and the same VID? Typically, it is the host operating system that generates a UUID for the device to identify it internally. IMO, it would be better to say “This value should be the same value as the ‘printer-uuid’ attribute in the scan service itself (which is also the value that ‘IPP over USB’ will use)”. This will help us have a consistent (printer-generated) UUID value across IPP devices.</span></p>
<p class="MsoListParagraph" style="margin-left:.75in;background:white">&nbsp;</p>
<p class="MsoListParagraph" style="margin-left:.75in;text-indent:-.5in;background:white"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">3. Section 4.1.7: ‘file’ URIs that could point to local hard drives/thumb drives/memory cards in the printer as the destination are one class of storage that has been left out. Of course, ‘destination-uri-schemes-supported’ (Section 8.4.2) seems to be open-ended about the URI schemes. Are both of these intentional?</span></p>
<p class="MsoListParagraph" style="background:white">&nbsp;</p>
<p class="MsoListParagraph" style="text-indent:-.25in;background:white"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">4. This could be a topic for the implementer’s guide, but it can be addressed in the specification too: while we are mostly not concerned about products that choose the most secure channel for communicating with the device, we may want to briefly touch on vulnerability, as the stakes are higher now that new operation attributes related to credentials for accessing third-party services have been introduced in IPP Scan. Further, since these may not be sufficiently covered by the security considerations of RFC 2911, it may be safer to discuss the vulnerability aspect of these, just in case it is not obvious to the implementers. We could do one of the three below. Only 4.a is a secure method. 4.b sufficiently addresses the security of credentials if the client is properly implemented and if certification processes ensure that. 4.c is purely a warning to the developer.</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;background:white"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">a. By specification, make encryption (IPPS) mandatory for Scan (either always or, at least, if credentials are required): I know that this is a little heavy-handed and may not be well liked, but ‘IPP Scan’ does not have any legacy support to worry about.</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;background:white"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">b. Advertise those destination-uri values that REQUIRE credentials only if the request came in through a secure channel (https or USB) and not if the request came through an insecure channel (http and not USB). One implementation concern here is that some web servers may not convey information about the security of the channel to the application layer, but that is not insurmountable. This also means that insecure IPP will be a reduced function set compared to secure IPPS. While this duality may make some uncomfortable, it is a very pragmatic way to keep user information safe.</span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;background:white"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">c. Make comments about the vulnerability in exposing credentials through IPP (instead of IPPS).</span></p>
<p class="MsoNormal" style="background:white">&nbsp;</p>
<p class="MsoListParagraph" style="text-indent:-.25in;background:white"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">5. Comments regarding access-oauth-token: OAuth2 tokens are closely associated with an authorisation service (a.k.a. auth server) and one or more authorisation scopes (a.k.a. auth_scope). The specification does not make either piece of information explicit. When using the current specification, the ‘IPP Scan client’ and the ‘applications hosted through the IPP Scan server’ need to be developed closely together, as both the auth server and the auth scope are implicit. The destination-uri itself may not be sufficient to decide which OAuth2 server needs to be contacted and which auth_scope needs to be used when getting the user’s authorization to access a service on the user’s behalf. Of course, for some well-known web services this information may be well known; but still, there could be applications in the IPP Scan server that make use of more than one auth scope to complete their workflow, and the server does not seem to have a way to specify the required auth scopes even when working with a well-known web service. So, I would like to propose the following new attributes that can be used by the IPP Scan server as a part of Scan2 destination discovery using ‘destination-uri-ready’. Please find the proposal below.</span></p>
<p class="MsoListParagraph" style="background:white">&nbsp;</p>
<p class="MsoListParagraph" style="background:white">&nbsp;</p>
<p class="MsoNormal" style="background:white"><b><u><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">Proposal for new attributes to destination-uri-ready</span></u></b></p>
<p class="MsoNormal" style="background:white">&nbsp;</p>
<p style="background:white"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">If destination-uri-ready can take additional member attributes to allow the system to specify the OAuth URL that the scan client needs to contact and the auth scope that the authorisation should be requested for, the scan client may be able to start the OAuth2 flow by connecting to the OAuth URL (specifying the auth scope in the process), finish the OAuth2 process and get the OAuth2 access token for accessing the service that the device wants the access token for. For that, I would like to propose an optional attribute that is part of destination-uri-ready.</span></p>
<p style="background:white">&nbsp;</p>
<pre style="font-size:10.0pt;font-family:'Lucida Console',monospace">
destination-uri-ready
  destination-uri
  . . .
  <i>[destination-oauth-descriptor (collection)]</i>
    <i>[destination-oauth-uri (uri)]</i>
    <i>destination-oauth-scope (1setOf text(MAX))</i>
</pre>
<p style="background:white">&nbsp;</p>
<p style="background:white"><i><span style="font-size:10.0pt;font-family:'Lucida Console',monospace;color:black">destination-oauth-uri</span></i><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">, for example, can specify </span><span style="font-size:10.5pt;font-family:'Courier New',monospace;color:#007000;background:white"><a href="https://accounts.google.com/o/oauth2/auth">https://accounts.google.com/o/oauth2/auth</a></span><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black"> to indicate that Google’s OAuth server is the server that is expected to issue the OAuth2 access tokens for this destination. This can still be optional if the destination is considered to be a well-known server and/or if the MFD/scanner does not want to specify this for a destination that only the OEM’s clients/servers should support. However, having this option will be useful, as the scan client does not have to try to interpret “destination-uri”. This also allows “destination-uri” to be a shortened URL, or the destination-uri may point to a service that makes use of an external service for authorization/authentication, like Google for authorization (imagine something like OpenID or even simply OAuth2).</span></p>
<p style="background:white">&nbsp;</p>
<p style="background:white"><i><span style="font-size:10.0pt;font-family:'Lucida Console',monospace;color:black">destination-oauth-scope</span></i><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black"> will specify one or more auth scopes that the MFD needs access to in order for it to complete the workflow. Since not all auth scopes look like URIs, this is a text type.</span></p>
<p class="MsoNormal">&nbsp;</p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">Thanks and Regards,</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">Somasundaram.</span></p>
<p class="MsoNormal">&nbsp;</p>
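<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">Added example (editor's illustration, not part of Somasundaram's message or of any IPP Scan draft): a scan service's destination-uri-ready filter that applies option 4.b (advertise credential-requiring destinations only when the request arrived over IPPS or IPP over USB) and carries the destination-oauth-descriptor collection proposed in comment 5. The attribute names destination-uri-ready, destination-uri, destination-uri-schemes-supported, destination-oauth-descriptor, destination-oauth-uri and destination-oauth-scope come from the message; the Channel model, the credentials-required bookkeeping flag, the hypothetical example.net/example.internal URIs and the whole sample catalogue are constructed here.</span></p>

```python
"""Constructed example: gate credential-requiring scan destinations on
channel security (comment 4.b) and attach the proposed
destination-oauth-descriptor (comment 5). Not from any IPP Scan draft."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Channel:
    """How the client's request reached the scan service. 'ipps' (TLS)
    and 'usb' (IPP over USB) count as secure, plain 'ipp' does not.
    Obtaining this from the web server is the implementation concern the
    message raises; here it is simply an input (assumption)."""
    transport: str

    def is_secure(self) -> bool:
        return self.transport in ("ipps", "usb")


def oauth_descriptor(oauth_uri: str, scopes: list) -> dict:
    """Build the proposed destination-oauth-descriptor collection. The
    authorization endpoint itself must be https (so the client never
    starts the OAuth2 flow over cleartext), and at least one scope is
    required because destination-oauth-scope is 1setOf text."""
    if urlsplit(oauth_uri).scheme != "https":
        raise ValueError("destination-oauth-uri must be an https URI")
    if not scopes:
        raise ValueError("destination-oauth-scope needs at least one scope")
    return {"destination-oauth-uri": oauth_uri,
            "destination-oauth-scope": list(scopes)}


def oauth_descriptor_accepted(oauth_uri: str, scopes: list) -> bool:
    """True when oauth_descriptor() accepts the inputs (validation helper)."""
    try:
        oauth_descriptor(oauth_uri, scopes)
        return True
    except ValueError:
        return False


def destination(uri: str, credentials_required: bool = False,
                oauth: Optional[dict] = None) -> dict:
    """One member of destination-uri-ready. 'credentials-required' is a
    constructed bookkeeping flag, not a spec attribute; an OAuth
    descriptor implies that an access-oauth-token will be needed."""
    entry = {"destination-uri": uri,
             "credentials-required": credentials_required or oauth is not None}
    if oauth is not None:
        entry["destination-oauth-descriptor"] = oauth
    return entry


def advertise(destinations: list, channel: Channel, schemes_supported: set) -> list:
    """Return the destination-uri-ready values to expose on this channel:
    drop URIs whose scheme is not in destination-uri-schemes-supported,
    and (option 4.b) drop credential-requiring destinations unless the
    request came over a secure channel, so the client is never prompted
    to send a password or OAuth token over plain IPP."""
    visible = []
    for entry in destinations:
        scheme = urlsplit(entry["destination-uri"]).scheme
        if scheme not in schemes_supported:
            continue
        if entry["credentials-required"] and not channel.is_secure():
            continue
        visible.append(entry)
    return visible


# Constructed sample catalogue for a hypothetical MFD; 'file' is deliberately
# absent from the supported schemes (comment 3), so the USB-stick entry is hidden.
SCHEMES_SUPPORTED = {"https", "ftp", "smb", "mailto"}
CATALOGUE = [
    destination("smb://nas.example.internal/scans"),                      # anonymous share
    destination("ftp://ftp.example.internal/inbox", credentials_required=True),
    destination("https://drive.example.net/upload",
                oauth=oauth_descriptor("https://auth.example.net/oauth2/auth",
                                       ["drive.file", "profile"])),
    destination("file:///mnt/usb0/scans"),                                # unsupported scheme
]


def visible_uris(transport: str) -> list:
    """Which destination-uri values a client on the given transport sees."""
    return [e["destination-uri"]
            for e in advertise(CATALOGUE, Channel(transport), SCHEMES_SUPPORTED)]


if __name__ == "__main__":
    for transport in ("ipp", "ipps", "usb"):
        print(transport, visible_uris(transport))
```

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Verdana,sans-serif;color:black">Over plain IPP only the anonymous SMB share is advertised; over IPPS or USB the FTP and OAuth-backed destinations appear as well, which is the reduced-function-set duality described under 4.b. The descriptor builder also refuses a non-https authorization endpoint, since the token flow it points the client at would otherwise undo the channel check.</span></p>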
</div>
</body>
</html>