attachment
<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Soma,<div><br><div><div>On Jul 13, 2014, at 11:10 PM, Soma Meiyappan <<a href="mailto:Soma.Meiyappan@conexant.com">Soma.Meiyappan@conexant.com</a>> wrote:</div><blockquote type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"Lucida Console";
        panose-1:2 11 6 9 4 5 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:200559180;
        mso-list-type:hybrid;
        mso-list-template-ids:970244916 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1
        {mso-list-id:1053963583;
        mso-list-type:hybrid;
        mso-list-template-ids:-2014280724 -1833652308 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.75in;
        text-indent:-.5in;
        mso-ascii-font-family:Verdana;
        mso-fareast-font-family:Calibri;
        mso-hansi-font-family:Verdana;
        mso-bidi-font-family:"Times New Roman";}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l2
        {mso-list-id:1697459415;
        mso-list-type:hybrid;
        mso-list-template-ids:1067772804 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
        {mso-level-start-at:4;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l2:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l2:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l3
        {mso-list-id:1976374682;
        mso-list-type:hybrid;
        mso-list-template-ids:894483610 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l3:level1
        {mso-level-start-at:5;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l3:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l3:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l3:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l3:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l3:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l3:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l3:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l3:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1"><p class="MsoListParagraph" style="background-color: white; position: static; z-index: auto; background-position: initial initial; background-repeat: initial initial;"><span style="font-size: 10pt; font-family: Verdana, sans-serif;">... <o:p></o:p></span></p><p class="MsoListParagraph" style="text-indent: -0.25in; background-color: white; position: static; z-index: auto; background-position: initial initial; background-repeat: initial initial;"><span style="font-size: 10pt; font-family: Verdana, sans-serif;">4. This could be a topic for the implementer’s guide; but can be addressed in the specification too: While
we are mostly not concerned about products that choose the most secure channel for communicating with the device, we may want to briefly touch vulnerability as the stakes are higher with new operation attributes related to credentials to access third party
services have been introduced in IPP Scan. Further since these may not be sufficiently covered by the security considerations of RFC2911, it may be safer to discuss the vulnerability aspect of these, just in case it is not obvious to the implementers. We could
do one of the three below. Only 4.a is a secure method. 4.b is sufficiently addresses security of credentials if the client is properly implemented and if certification processes ensure that. 4.c is purely a warning to the developer.<o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left: 1in; text-indent: -0.25in; background-color: white; position: static; z-index: auto; background-position: initial initial; background-repeat: initial initial;">
<span style="font-size: 10pt; font-family: Verdana, sans-serif;">a. By specification, make encryption (IPPS) mandatory for Scan (either always or at least, if credentials are required): I know that this is a little heavy handed and may not be
well liked; but ‘IPP Scan’ does not have any legacy support to worry about.<o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left: 1in; text-indent: -0.25in; background-color: white; position: static; z-index: auto; background-position: initial initial; background-repeat: initial initial;">
<span style="font-size: 10pt; font-family: Verdana, sans-serif;">b. Advertise those destination-uri that REQUIREs credentials only if the request came in through a secure channel (https or USB) and not if the request came through an unsecure channel
(http and not USB). One implementation concern here is some web-servers may not convey information about the secureness of the channel to the application layer; but not something insurmountable. This also means that unsecure IPP will be a reduced function
set compared to the secure IPPS. While this duality may make some uncomfortable, this is a very pragmatic way to keep user information safe.<o:p></o:p></span></p><p class="MsoListParagraph" style="margin-left: 1in; text-indent: -0.25in; background-color: white; position: static; z-index: auto; background-position: initial initial; background-repeat: initial initial;">
<span style="font-size: 10pt; font-family: Verdana, sans-serif;">c. Make comments about the vulnerability in exposing credentials through IPP (instead of IPPS)<o:p></o:p></span></p><p class="MsoNormal" style="background-color: white; position: static; z-index: auto; background-position: initial initial; background-repeat: initial initial;"></p></div></div></blockquote><div><br></div>We definitely need to say something about this in the security considerations; requiring the use of TLS (IPPS or IPP with HTTP Upgrade) is probably the way to go.</div><div><br><blockquote type="cite"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="WordSection1"><p class="MsoNormal" style="background-color: white; position: static; z-index: auto;"></p><p class="MsoNormal" style="background-color: white; position: static; z-index: auto; background-position: initial initial; background-repeat: initial initial;"><b><u><span style="font-size: 10pt; font-family: Verdana, sans-serif;">...</span></u></b></p></div></div></blockquote><blockquote type="cite"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="WordSection1"><p class="MsoNormal" style="background-color: white; position: relative; z-index: 0; background-position: initial initial; background-repeat: initial initial;"><b><u><span style="font-size: 10pt; font-family: Verdana, sans-serif;">Proposal for new attributes to destination-uri-ready
<o:p></o:p></span></u></b></p><p class="MsoNormal" style="background-color: white; position: static; z-index: auto; background-position: initial initial; background-repeat: initial initial;"><span style="font-size: 10pt; font-family: Verdana, sans-serif;"> </span></p><p style="background-color: white; position: static; z-index: auto; background-position: initial initial; background-repeat: initial initial;"><span style="font-size: 10pt; font-family: Verdana, sans-serif;">If destination-uri-ready can take additional member attributes to allow the system to specify the OAuth URL that the scan client needs to contact and the
auth scope that the authorisation should be requested for, the scan client may be able to try to start the OAuth2 flow by connecting to the OAuth URL (and specifying the auth scope in the process), finish the OAuth2 process and get the OAuth2 access token
for accessing the service that the device wants the access token for. For that, I would like to propose an optional attribute that is part of a destination-uri-ready.<o:p></o:p></span></p><p style="background-color: white; position: static; z-index: auto; background-position: initial initial; background-repeat: initial initial;"><span style="font-size: 10pt; font-family: Verdana, sans-serif;"> </span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Lucida Console""> destination-uri-ready<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Lucida Console""> destination-uri<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Lucida Console""> . . .<o:p></o:p></span></p><p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Lucida Console""> [destination-oauth-descriptor (collection)]<o:p></o:p></span></i></p><p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Lucida Console""> [destination-oauth-uri (uri)]<o:p></o:p></span></i></p><p class="MsoNormal"><i><span style="font-size:10.0pt;font-family:"Lucida Console""> destination-oauth-scope (1setOf text(MAX))</span></i></p></div></div></blockquote><div><br></div><div>I think I'd rather make these optional top-level member attributes - drop the destination-oauth-descriptor collection, put them directly under the destination-uri-ready collection. As for the scope, you probably want "1setOf octetString(MAX)" since text implies a localized string value.</div><div><br></div></div>We'll also need something similar for the System Control Service spec, since that will be expanding our support for OAuth and delegated access control/credentials.</div><div><br><div>
<span class="Apple-style-span" style="border-collapse: separate; font-family: 'Andale Mono'; border-spacing: 0px;"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Andale Mono'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">_________________________________________________________<br>Michael Sweet, Senior Printing System Engineer, PWG Chair</div></span></span>
</div>
<br></div></body></html>