Keith,
I recognize that there are many situations where a printer must be able to
authenticate users and there is good reason to require authentication in
those cases.
I have discovered two scenarios which make me wonder whether authentication
should be required in all situations.
I would appreciate your comments on the authentication requirements for the
following two scenarios:
a) printers that act like a fax
b) printers that are on a family network with a firewall protecting the LAN
from intruders.
In the fax-like scenario, a printer vendor may intend that the printer
(presumably low end) be on the internet and can receive documents from
anyone. A customer who installs such a printer takes the same risk as a fax
owner, or perhaps more because it is cheaper to send lots of documents.
Having authentication is this case seems to contradict the intended public
access. What is the authentication solution in this case? Do we simply say
that no one can put a fax-like printer on the internet, or do we say that
this scenarios is an exception to required authentication for IPP
implementations?
In the family network scenario, a printer vendor may be selling low-end
printers for use in a family network where everyone within the LAN is
trusted. There is a firewall installed to keep bad-guys out of the
family-LAN and thus out of the printer. This scenario implies to me that the
security may be required at a more global level (i.e. the firewall for the
family LAN) rather than at an individual appliance (e.g. printer) level. As
an analogy with existing practice, I require authentication (i.e. a key) to
unlock the door to my house, but I don't lock down every valuable inside the
house. However, hotels, which are more public, do sometimes lock down TV
sets. What are your thoughts on this scenario?
Bob Herriot