SEC subgroup - Minutes of phone call 2/13/97
on call were:
Roger deBry (notetaker)
Carl-Uno Manros
Xavier Riley
Steve Okamoto
Daniel Manchala
Jerry Hadsell
Notes on e-mail:
Larry Masinter has suggested that we should look at the case where we retrieve
something based on reference. We swept this under the rug in previous
discussion because we were not sure that pulling would be part of IPP. Larry
wanted to see some type of credentials to use in this case. He also suggested
that we use similar credentials for subsequent print operations such as
looking
at print queues. Another example would be sending notification to a third
party.
Requirements
We discussed how to get to a succinct statement of requirements. Jerry
Hadsell
will be talking about IPP at IBM's security architecture board next week and
wanted a clear set of requirements to talk about. We will assume the picture
that was produced last week in El Segundo describes all of the combinations we
need to consider for inside and outside of firewalls. Roger deBry will post
the latest scenarios to the ftp site, they contain updates which reflect many
of the security discussion we talked about last week.
Jerry asked several clarification questions which were discussed.
Is Printer admin part of current activity? Answer - in IPP phase two.
Can we distribute to multiple printers? . Answer - no
Can we pass additional attributes not defined in IPP? Answer - yes, but
protocol
will define how
What about charging for printing - is it in current scope? Answer - maybe,
have
yet to define, many aspects
Would be possible to use X.509 certificates to handle many payment schemes.
Is control of content outside scope of work, e.g. copyright and integrity
issues? Answer - need integrity
Does SSL provide integrity - yes but at message level not content level.
If a client can get to a printer, can he print anything he wants? Answer -
yes at
this point.
Where is a good source of information on SET? Carl-Uno referred to an article
on smart cards and SET (PC Week February 10). It contains references.
Quite a bit of this is being discussed in W3C. Xavier will mail out
further pointers to SET. Jerry said that the industry is headed toward a
framework that handles many different payment
types, including e-cash, e-cheque, etc.
Don't want to be dependent upon browsers, so if there is technology that we
need, e.g. SSL v3, that we can only find in browsers, then we ought to be
cautious about using them right away. Same applies to payment schemes. May
want to consider the ability to carry along some credentials in IPP that is
independent of the outer security or payment protocol. Xavier will mail out
information about available SSL v3 software.
Next call will be Thursday February the 20th. Xerox will arrange. Jerry will
try to have feedback from Security architecture board by then.
Need to think about what security stuff will be available on the platforms we
implement IPP on, since implementations will want to use existing security
frameworks. Don't want to have to write security from scratch. Need
especially to identify what's available for prototyping.
Homework assignments:
Identify tools we think we need? What platforms are they on? HTTP 1.1 might
provide what we need for a first version. Xerox will look at RFCs 2068 and
2069 and draft a white paper on what security HTTP 1.1 will provide. Would it
meet initial needs?
Jerry will report back on results of IBM security architecture board meeting.
Carl-Uno will try to get Asad from Netscape involved in this discussion.
---
Carl-Uno Manros
Principal Engineer - Advanced Printing Standards - Xerox Corporation
701 S. Aviation Blvd., El Segundo, CA, M/S: ESAE-231
Phone +1-310-333 8273, Fax +1-310-333 5514
Email: manros at cp10.es.xerox.com