<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class="">
<div><br class=""><blockquote type="cite" class=""><div class="">On Feb 28, 2019, at 3:50 PM, <a href="mailto:wamwagner@comcast.net" class="">wamwagner@comcast.net</a> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Smith,</div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Sorry, my confusion continues. Your new Authorization example may be valid, but it seems odd to me that someone would have an account in a printer but not have authority to print at all. Conditional authority, restricting use to certain times or restricting color, or quantity, etc. would be more realistic, but that is at the IPP level and does not appear to be addressed in this specification.</div></div></div></blockquote><div><br class=""></div>I think it is insofar as the authentication and/or authorization failures are reported back via IPP or its HTTP or TLS transports. I have updated sequence diagrams that indicate this visually. But here's an updated use case that might satisfy your request for an exception use case that more accurately illustrates a real world circumstance.</div><div><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div><div>Harry is an intern who works at Andy's office, and he wants to print some photos from his laptop. 
He uses his laptop to discover available printers, and selects one listed. The printer is configured to limit access to color printing to only authorized users, and interns are not authorized to use this feature. His laptop is using an older client that doesn't support the IPP Get-User-Printer-Attributes operation, so features that he isn't allowed to use will be listed in the print dialog. Harry makes his choices in the print dialog, including selecting printing in color. Harry clicks "Print" to submit the job to the printer.</div><div><br class=""></div><div>The printer challenges the laptop for authentication, and the laptop presents an authentication dialog to Harry. Harry enters his account's username and password. The printer accepts these credentials, but that account is not authorized to use the color printing feature. The printer rejects the job with the explanation that some features are not allowed, and lists the barred feature. Harry is a bit disappointed that the user experience is a bit awkward***, and is also disappointed that he cannot print in color. He abandons trying to print the photos because he doesn't want black-and-white prints.</div><div><br class=""></div><div>*** (The user experience would be better with Get-User-Printer-Attributes because the color printing feature wouldn't even be shown to the user.)</div></div></blockquote><div><br class=""></div><div>Here's another one that uses Get-User-Printer-Attributes</div><div><br class=""></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class=""><div><div>Harry is an intern who works at Andy's office, and he wants to print some photos from his laptop. He uses his laptop to discover available printers, and selects one listed. The printer is configured to limit access to color printing to only authorized users, and interns are not authorized to use this feature. 
His laptop has a modern IPP Client that supports the IPP Get-User-Printer-Attributes operation, so features that he isn't allowed to use will not be listed in the print dialog. </div><div><br class=""></div><div>When he selects the printer, the laptop sends the Get-User-Printer-Attributes IPP operation to request the list of authorized features available to Harry's account. The printer responds to the laptop with an authentication challenge. The laptop has stored single sign-on credentials, so it uses those to avoid bothering its user with a distraction. The printer accepts these credentials, and provides the list of features his account is authorized to use. The laptop shows this set of features. Harry is disappointed that he cannot print in color, so he abandons trying to print the photos because he doesn't want black-and-white prints.</div></div></blockquote><div><div><br class=""></div><div>Does either of these clarify things?</div></div><div><br class=""></div><div><blockquote type="cite" class=""><div class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">The title is Authentication Methods, and although I may have missed it, I do not think that it does much with authorization (at least not by the printer), which would occur after successful Authentication. 
Perhaps the Authorization use case should be put in the out of scope section?</div></div></div></blockquote><div><br class=""></div><div>I think authorization drives the demand for authentication. Hopefully the updated use cases above, combined with the new sequence diagrams, will help make that more clear. The original goal of this paper was to talk about how the various authentication methods corresponding to the keywords for "uri-authentication-supported" could integrate into a print workflow, which is an unconventional user experience if you only think of web authentication involving web browsers.</div><br class=""><blockquote type="cite" class=""><div class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Thanks, Bill W.</div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; border: none; padding: 0in;" class=""><b class="">From:<span class="Apple-converted-space"> </span></b><a href="mailto:ipp@pwg.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Rizzo, Christopher via 
ipp</a><br class=""><b class="">Sent:<span class="Apple-converted-space"> </span></b>Thursday, February 28, 2019 4:12 PM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b><a href="mailto:smith.kennedy@hp.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Kennedy, Smith (Wireless & Standards Architect)</a>;<span class="Apple-converted-space"> </span><a href="mailto:RYardumian@ciis.canon.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Rick Yardumian</a><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b><a href="mailto:ipp@pwg.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">PWG IPP WG Reflector</a><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>Re: [IPP] WG Last Call: IPP Authentication Methods</div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">This update looks good to me.<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Thanks,<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Chris<o:p class=""></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10.5pt;" class="">Christopher Rizzo<o:p class=""></o:p></span></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span 
style="font-size: 10.5pt;" class="">Xerox Corporation<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10.5pt;" class="">GDG/Discovery/Advance Technology<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10.5pt;" class="">26600 SW Parkway Ave.<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10.5pt;" class="">Wilsonville, OR 97070-9251<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10.5pt;" class="">Phone: (585) 314-6936<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10.5pt;" class=""><a href="mailto:Christopher.Rizzo@xerox.com" class="">Email: Christopher.Rizzo@xerox.com</a><o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10.5pt;" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10.5pt;" class="">"The realization came over me with full force that a good part of the remainder of my life was going to be spent in finding errors in my own programs."<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span style="font-size: 10.5pt;" class="">-Maurice Wilkes,<span class="Apple-converted-space"> </span><i class="">Memoirs of a Computer 
Pioneer</i></span><o:p class=""></o:p></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(181, 196, 223); padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class=""><span style="font-size: 12pt;" class="">From:<span class="Apple-converted-space"> </span></span></b><span style="font-size: 12pt;" class="">"Kennedy, Smith (Wireless & Standards Architect)" <<a href="mailto:smith.kennedy@hp.com" class="">smith.kennedy@hp.com</a>><br class=""><b class="">Date:<span class="Apple-converted-space"> </span></b>Thursday, February 28, 2019 at 12:36 PM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b>Christopher Rizzo <<a href="mailto:Christopher.Rizzo@xerox.com" class="">Christopher.Rizzo@xerox.com</a>>, Rick Yardumian <<a href="mailto:RYardumian@ciis.canon.com" class="">RYardumian@ciis.canon.com</a>><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b>PWG Workgroup <<a href="mailto:ipp@pwg.org" class="">ipp@pwg.org</a>><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>Re: [IPP] WG Last Call: IPP Authentication Methods<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Thanks for the feedback Chris! I also received this feedback from Canon's Rick Yardumian (CC'ed). In my LCRC draft, I've resolved this issue by rewriting 3.3.2 to more meaningfully describe an authorization failure. 
<o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Here's the rewrite. Any objections or suggestions?<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><blockquote style="margin: 5pt 0in 5pt 30pt;" class=""><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Harry is also visiting Andy's office and wants to print from his laptop. He uses his laptop to discover available printers, and selects one listed. The printer is configured to limit access to only authorized users. <o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">The printer challenges the laptop for authentication, and the laptop presents an authentication dialog to Harry. Harry has an account, and enters the account's username and password. The printer accepts these credentials, but that account is not authorized to access that printer. Harry's laptop shows a notification dialog expressing this to Harry. 
Harry clicks “OK” and looks for a pencil.<o:p class=""></o:p></div></div></div></blockquote><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div class=""><div class=""><div class=""><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;">Smith<o:p class=""></o:p></p></div><div class=""><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p class=""> </o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">On Feb 28, 2019, at 12:33 PM, Rizzo, Christopher <<a href="mailto:Christopher.Rizzo@xerox.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Christopher.Rizzo@xerox.com</a>> wrote:<o:p class=""></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;">Just curious, but section 3.3 Exceptions of this document has sections 3.3.1 and 3.3.2 which are pretty much exact duplicates of each other, exception being Lisa vs. Harry. 
Was this intentional?<br class=""><br class="">Thanks,<br class="">Chris<br class=""><br class=""><br class="">Christopher Rizzo<br class="">Xerox Corporation<br class=""><br class="">GDG/Discovery/Advance Technology<br class=""><br class="">26600 SW Parkway Ave.<br class=""><br class="">Wilsonville, OR 97070-9251<br class=""><br class="">Phone: (585) 314-6936<br class=""><br class=""><a href="mailto:Christopher.Rizzo@xerox.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">Email: Christopher.Rizzo@xerox.com</a><br class=""><br class="">"The realization came over me with full force that a good part of the remainder of my life was going to be spent in finding errors in my own programs."<br class="">-Maurice Wilkes, Memoirs of a Computer Pioneer<br class=""><br class="">On 1/17/19, 4:00 PM, "ipp on behalf of Kennedy, Smith (Wireless & Standards Architect)" <<a href="mailto:ipp-bounces@pwg.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">ipp-bounces@pwg.org</a><span class="Apple-converted-space"> </span>on behalf of<span class="Apple-converted-space"> </span><a href="mailto:smith.kennedy@hp.com" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">smith.kennedy@hp.com</a>> wrote:<br class=""><br class="">Greetings,<br class=""><br class="">This message begins the IPP workgroup Last Call of the IPP Authentication Methods best practice draft, available at:<br class=""><br class=""><a href="https://protect-us.mimecast.com/s/559fCqx5v5ujML5JsZvOVF?domain=ftp.pwg.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190117.odt</a><br class=""><a href="https://protect-us.mimecast.com/s/LvNfCrk5w5flBwv4CzbjMb?domain=ftp.pwg.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190117.pdf</a><br class=""><a 
href="https://protect-us.mimecast.com/s/m9CcCv25A5hzkO6ruzCllx?domain=ftp.pwg.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190117-rev.pdf</a><br class=""><br class="">Please respond with any feedback or comments by doing a "reply all" to this message.<br class=""><br class="">This last call will end on January 31, 2019 at 10pm PT.<br class=""><br class="">Cheers,<br class="">Smith<br class=""><br class="">/**<br class="">Smith Kennedy<br class="">HP Inc.<br class="">*/<br class=""><br class="">_______________________________________________<br class="">ipp mailing list<br class=""><a href="mailto:ipp@pwg.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">ipp@pwg.org</a><br class=""><a href="https://protect-us.mimecast.com/s/4nRoCwp5B5I3w01ghKeT4u?domain=pwg.org" style="color: rgb(149, 79, 114); text-decoration: underline;" class="">https://www.pwg.org/mailman/listinfo/ipp</a></p></div></div></blockquote></div></div></div></div></div></div></blockquote></div><br class=""></body></html>