At the April 14-15 meeting, we agreed to alternative 2 for Issue 2 raised at
Bake Off2. Issue 2 was how can a client force the IPP Printer to issue a
challenge when the printer supports both unauthenticated and authenticated
operation.
Here is the complete text for the new REQUIRED
"printer-authentication-supported" attribute for IPP/1.1. There are some
updates to "printer-uri-supported" and "uri-security-supported" included as
well.
Send any comments to the DL. Silence will be interpreted as agreement.
Thanks,
Bob and Tom
4.4.1 printer-uri-supported (1setOf uri)
This REQUIRED Printer attribute contains at least one URI for the Printer
object. It OPTIONALLY contains more than one URI for the Printer object.
An administrator determines a Printer object's URI(s) and configures this
attribute to contain those URIs by some means outside the scope of this
IPP/1.1 document. The precise format of this URI is implementation
dependent and depends on the protocol. See the next two sections for a
description of the "uri-security-supported" and
"uri-authentication-supported" attributes, both of which are the REQUIRED
companion attributes to this "printer-uri-supported" attribute. See section
2.4 on Printer object identity and section 8.2 on security and URIs for more
information.
4.4.2 uri-authentication-supported (1setOf type2 keyword)
This REQUIRED Printer attribute MUST have the same cardinality (contain the
same number of values) as the "printer-uri-supported" attribute. This
attribute identifies the authentication mechanism associated with each URI
listed in the "printer-uri-supported" attribute. The Printer object uses the
specified mechanism to identify the authenticated user. The "i th" value in
"uri-authentication-supported" corresponds to the "i th" value in
"printer-uri-supported" and it describes the authentication mechanisms used
by the Printer when accessed via that URI. The following standard values are
defined:
'none': There is no authentication mechanism associated with the
URI. The Printer object assumes that the authenticated user is 'anonymous'.
'requesting-user-name': When a client performs an operation whose
target is the associated URI, the Printer object assumes that the
authenticated user is specified by the "requesting-user-name" Operation
attribute (see section 8.3). If the "requesting-user-name" attribute is
absent in a request, the Printer object assumes that the authenticated user
is "anonymous".
'basic': When a client performs an operation whose target is the
associated URI, the Printer object challenges the client with HTTP basic
authentication. The Printer object assumes that the authenticated user is
the name received via the basic authentication mechanism. This
authentication mechanism SHOULD be used with a secure channel, that is, the
corresponding value of "uri-security-supported" SHOULD NOT be 'none'.
'digest': When a client performs an operation whose target is the
associated URI, the Printer object challenges the client with HTTP digest
authentication. The Printer object assumes that the authenticated user is
the name received via the digest authentication mechanism.
'certificate': When a client performs an operation whose target is
the associated URI, the Printer object expects the client to provide a
certificate. The Printer object assumes that the authenticated user is the
textual name contained within the certificate.
4.4.3 uri-security-supported (1setOf type2 keyword)
This REQUIRED Printer attribute MUST have the same cardinality (contain the
same number of values) as the "printer-uri-supported" attribute. This
attribute identifies the security mechanisms used for each URI listed in the
"printer-uri-supported" attribute. The "i th" value in
"uri-security-supported" corresponds to the "i th" value in
"printer-uri-supported" and it describes the security mechanisms used for
accessing the Printer object via that URI. The following standard values are
defined:
'none': There are no secure communication channel protocols in use
for the given URI.
'ssl3': SSL3 [SSL] is the secure communications channel protocol in
use for the given URI. For use in IPP/1.0.
'tls': TLS [RFC2246] is the secure communications channel protocol
in use for the given URI. For use in IPP/1.1.
This attribute is orthogonal to the specification of a client authentication
mechanism. Specifically, 'none' does not exclude client authentication. See
section 4.4.2. Issue 21.
Consider the following example. For a single Printer object, an
administrator configures the "printer-uri-supported",
"uri-authentication-supported" and "uri-security-supported" attributes as
follows:
"printer-uri-supported": 'xxx://acme.com/open-use-printer',
'xxx://acme.com/restricted-use-printer', 'xxx://acme.com/private-printer'
"uri-authentication-supported": 'none', 'digest', 'basic'
"uri-security-supported": 'none', 'none', 'tls'
Note: 'xxx' is not a valid scheme. See the IPP/1.1 "Transport and
Encoding" specification [ipp-pro] for the actual URI schemes to be used in
object target attributes.
In this case, one Printer object has three URIs.
- For the first URI, 'xxx://acme.com/open-use-printer', the value
'none' in "uri-security-supported" indicates that there is no secure channel
protocol configured to run under HTTP. The value of 'none' in
"uri-authentication-supported" indicates that all users are 'anonymous'.
There will be no challenge and the Printer will ignore
"requesting-user-name".
- For the second URI, 'xxx://acme.com/restricted-use-printer', the
value 'none' in "uri-security-supported" indicates that there is no secure
channel protocol configured to run under HTTP. The value of 'digest' in
"uri-authentication-supported" indicates that the Printer will issue a
challenge and that the Printer will use the name supplied by the digest
mechanism to determine the authenticated user.
- For the third URI, 'xxx://acme.com/private-printer', the value
'tls' in "uri-security-supported" indicates that TLS is being used to secure
the channel. The client SHOULD be prepared to use TLS framing to negotiate
an acceptable ciphersuite to use while communicating with the Printer
object. In this case, the name implies the use of a secure communications
channel, but the fact is made explicit by the presence of the 'tls' value in
"uri-security-supported". The client does not need to resort to
understanding which security it must use by following naming conventions or
by parsing the URI to determine which security mechanisms are implied. The
value of 'basic' in "uri-authentication-supported" indicates that the
Printer will issue a challenge and that the Printer will use the name
supplied by the digest mechanism to determine the authenticated user.
Because this challenge occurs in a tls session, the channel is secure.
It is expected that many IPP Printer objects will be configured to support
only one channel (either configured to use TLS access or not) and only one
authentication mechanism. Such Printer objects only have one URI listed in
the "printer-uri-supported" attribute. No matter the configuration of the
Printer object (whether it has only one URI or more than one URI), a client
MUST supply only one URI in the target "printer-uri" operation attribute.