IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Keith Moore moore at cs.utk.edu
Thu Apr 22 19:38:03 EDT 1999


> I have a printer in my office that
> 
> a) doesn't support PS
> b) gets its IP stuff via DHCP
> c) allows anybody to do firmware updates
> d) allows anybody to install fonts
> e) allows anybody to print
> 
> You are telling me that this device CANNOT support IPP no matter how much I
> want it for its non security related features.

I'm not telling you any such thing.  I'm merely saying that for it to
support IPP, it has to be able to refuse attempts to perform IPP
operations that are not authenticated.  

If whoever makes your printer sees fit to build the printer so that
it loads its username/passwords from DHCP, along with the other IP
stuff, that's fine.  Heck, for a soho printer I would probably 
consider it acceptable for the printer to accept a single 
username/password (unique to that printer), which was burned in 
firmware, and printed on a label on the inside of the printer.
That will at least prevent attacks, and people who want to support
large numbers of users at their soho printer can just spool through
a proxy that knows the password.

And though it would be really silly to hook a printer up to the Internet 
that allowed so much potential for abuse, we're only insisting that it 
be possible for IPP to be authenticated.

(though I would strongly recommend that while you're at it, you provide
the ability to require authentication for *all* of b-e above.  Face it,
if you leave the door wide open, sooner or later your products 
will be subject to attack.  It doesn't cost much to protect your 
customers now.)

Keith
