IPP> SEC: IPP 1.1 security [saving security info]

Ira McDonald imcdonal at sdsp.mc.xerox.com
Wed Feb 3 20:46:45 EST 1999


Hi John,                                     Wednesday (3 February 1999)

Good question: Do the client and server have to remember (and enforce)
the security level that was used on job creation?

Yes, if the system claims to be secure AT ALL, then it must save some
SPI (security protocol info) from object creation throughout the life
of that object (in this case a print job).  Just labelling a URL as
'ipps:' (for instance), to indicate that TLS was used is NOT meaningful.
The exact cipher suites, the length of keys, the sources of those keys,
etc., must be saved by both client and server for the life of the print
job or there is no consistent security.

Separately, Job URIs are of dubious utility.  To interwork they must be
synonyms for Printer URI + Job ID.

Cheers,
- Ira McDonald (outside consultant at Xerox)
  High North Inc

> ----------------------------------------------------------------------
> From: "Wenn, John C" <jwenn at cp10.es.xerox.com>
> To: Ira McDonald <imcdonal at sdsp.mc.xerox.com>, ipp at pwg.org
> Subject: RE: IPP> SEC: IPP 1.1 security (phone conference)
> Date: Wed, 3 Feb 1999 09:57:45 -0800 
> 
> One problem I have with keeping security information in some external data
> (directory, SLP, etc.) is what to do about job URIs.  The job creation has
> some security, and the generated job URI should have the same security
> level.  If it's not directly discoverable in the URI, does the client and/or
> server have to remember (and enforce) the security level that was used on
> job creation?
> 
> /John
> 
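The requirement discussed in this message, sketched as an added example that is not part of the original thread or of any IPP implementation: a server-side job table that saves the security info seen at job creation and checks later job operations against it. The names `SecurityInfo` and `JobStore`, the sample URI, and the "at least as strong, same key source" comparison are assumptions; the `cipher` tuple has the shape returned by Python's `ssl.SSLSocket.cipher()`.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityInfo:
    """SPI saved at job creation; the choice of fields is an assumption."""
    protocol: str      # "" means the connection was not protected by TLS
    cipher_suite: str  # exact suite negotiated, kept for the life of the job
    secret_bits: int   # key length
    key_source: str    # where the keys came from, e.g. a certificate subject

    @classmethod
    def from_cipher(cls, cipher, key_source):
        # `cipher` is (name, protocol, secret_bits) as ssl.SSLSocket.cipher()
        # returns it, or None when no secure connection is established.
        if cipher is None:
            return cls("", "", 0, key_source)
        name, protocol, bits = cipher
        return cls(protocol, name, bits, key_source)

class JobStore:
    """Jobs are keyed by Printer URI + Job ID, so a Job URI is only a synonym."""
    def __init__(self):
        self._jobs = {}
        self._next_id = 1

    def create_job(self, printer_uri, spi):
        job_id = self._next_id
        self._next_id += 1
        self._jobs[(printer_uri, job_id)] = spi  # kept until the job is purged
        return job_id

    def authorize(self, printer_uri, job_id, current):
        """Return (allowed, reason) for a later operation on the job."""
        saved = self._jobs.get((printer_uri, job_id))
        if saved is None:
            return False, "unknown job"
        if saved.protocol and not current.protocol:
            return False, "job created over TLS, request is cleartext"
        if current.secret_bits < saved.secret_bits:
            return False, "weaker key length than at job creation"
        if current.key_source != saved.key_source:
            return False, "different key source than at job creation"
        return True, "ok"

if __name__ == "__main__":
    uri = "ipp://printer.example/ipp/print"  # constructed sample value
    store = JobStore()
    made = SecurityInfo.from_cipher(("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256), "CN=alice")
    jid = store.create_job(uri, made)
    print(store.authorize(uri, jid, SecurityInfo.from_cipher(None, "CN=alice")))
```
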