IPP> New protocol document & Security issues

IPP> New protocol document & Security issues

John Wenn jwenn at cp10.es.xerox.com
Wed May 28 08:15:34 EDT 1997


There are a couple of security issues involved in the latest protocol 
document.  They cover sections 5.5, 5.7, 6.x, 6.y & 7.


The issues are basically in two areas.


(1) You should be using HTTP Digest Authentication (rfc2069), not HTTP Basic 
Authentication.  Basic authentication provides zero security (unencrypted 
username and passwords are sent over the wire).  Digest authentication 
provides moderate security.  So reference Digest authentication is section 
5.5.  The headers used for Digest authentication are the same (Authorization, 
Proxy-Authorization, WWW-Authenticate, Proxy-Authenticate), but they have 
different values.  Since the paper doesn't go into details, the other sections 
should be fine as they are.


(2) Not all authentication / authorization is done via HTTP.  For example, the 
connection may be made using SSL.  In that case, SSL provides the 
authentication needed.  While the sections are generally good about saying 
HTTP authentication is used when needed, somewhere the fact that other 
security mechanisms are used should be made explicit.


And, of course, section 7 (security considerations) needs to be rewritten, but 
the security group should do that.


/John



More information about the Ipp mailing list