Paul & Hugo,
Voting for use of SSL3 rather than TLS is not politically correct in the
IETF.
Hence, voting for SSL3 means that you don't want to have an IETF standard.
The IPP WG is tasked to produce an IETF standard.
Carl-Uno
> -----Original Message-----
> From: Hugo Parra [mailto:HPARRA at novell.com]
> Sent: Monday, April 12, 1999 8:33 AM
> To: paulmo at microsoft.com; masinter at parc.xerox.com> Cc: cmanros at cp10.es.xerox.com; mike at easysw.com; ipp at pwg.org> Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
>>> I second this.
> -Hugo
>> >>> Paul Moore <paulmo at microsoft.com> 04/09/99 06:01PM >>>
> Basic and SSL work fine for me. It has the fiollowing benefits
> 1. Its works
> 2. Its secure
> 3. Any reasonable client supports it
> 4. Any reasonable server supports it.
>>> -----Original Message-----
> From: Larry Masinter [mailto:masinter at parc.xerox.com]
> Sent: Friday, April 09, 1999 4:13 PM
> To: Paul Moore
> Cc: IETF-IPP; 'Manros, Carl-Uno B'; Michael Sweet
> Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
>>> > I dont think that I said anything about not paying
> attention to security.
> > I'll will remind you that I was the only one with working SSL3
> > implementations on client and server at the recent
> bake-off. I am very
> > concerned about it.
> >
> > I was commenting that carl-uno's flowchart did not analyse
> the pros and
> cons
> > of the various security choices it merely said (and I
> paraphrase somewhat)
> > "We better do this becasue we wont get an RFC if we dont".
> I.e "even if it
> > sucks we'll do it anyway". BTW I'm not suggesting that
> anything does suck
> > either merely that being asked to turn my brain off to all
> logic other
> than
> > getting an RFC seemed too much.
>> But we've heard repeatedly that the requirement for "getting an RFC"
> is to come up with a plan for securing printers that makes sense.
> Keith wrote:
>> "The bottom line is that IPP will not get a standard out of IETF
> unless it provides a minimum level of security."
>> To continue to characterize this simple and sensible requirement
> as "turn my brain off" is, well, turning off your brain.
>> If the proposal for "a minimum level of security" via Digest
> authentication doesn't work for you, then propose something else
> that provides a minimum level of security. Saying "well, only
> implementing Basic Authentication is OK" doesn't provide a minimum
> level of security, so it's not OK. I don't know why this is
> so hard.
>> Larry
>