Chris,
FWIW, since "job-accounting-user-id" is a Job Template attribute is isn't (from an IPP perspective) a security value - all attributes of that nature MUST be supplied as operation attributes and kept separate from the Job attributes that are returned by the Get-Job-Attributes operation (and so private...)
Anyways, I definitely want to have this discussion because "job-accounting-user-id" has long been a point of contention WRT accounting, and it is important to resolve things so we have a common workable solution going forward...
On Jan 30, 2020, at 11:56 AM, Rizzo, Christopher <Christopher.Rizzo at xerox.com> wrote:
>> Mike,
>> Maybe our System Engineering (Mirelsa) can provide more customer usage information on accounting security and how customers use accounting than I, as I have no direct contact with customer usage/paradigm.
>> I believe our perception of what an account id is may be different. When you refer to authentication, a user has a username and password. They don't share their password, it is used for authenticating themselves (2FA aside for now).
>> My perception of job-accounting-user-id is similar to a password, it is not something that is public information. The difference however may be that that value may be assigned by an accounting system administrator, and if it is not modifiable by the user, then more than one person can know their user-id, so there is a security hole there.
>> Similarly, I'm not thinking of job-account-id as being something that is public information about the customer/client that appears on invoices. It is only provided to those users that need to bill the account. Again however, multiple people may have access to that value if more than one person is working an account. But the requirement that both job-accounting-user-id and job-account-id be required to submit/bill jobs identifies who submitted the job and who is/should be being charged. But I agree with you there is much less security than what is provided via an authentication that requires a private password and possibly even 2FA.
>> If you add on top of this the possibility that, for example, I logged in (authenticated to) my Mac, and when I submit a job, my Mac uses my authenticated user name for my job-accounting-user-id value (and maybe won't allow me to change it). An SA would then configure the accounting system - add my authenticated username as a valid job-accounting-user-id. That would tie me to any job submitted thru the accounting system. But still, the accounting system admin has to know my authenticated username and therefore my job-accounting-user-id in order to configure accounting, AND usernames are specifically more public than passwords, so there is obviously an issue there...
>> I guess it all comes down to what type of security customers who use accounting are expecting from it. It is optionally enabled by customers who use it, but I can't speak to what they expect from it security wise, and what advances may existing in accounting systems for security purposes.
>> Maybe Mirelsa can...
>> Thanks,
> Chris
>> Christopher Rizzo
> Xerox Corporation
> GDG/Discovery/Advance Technology
> 26600 SW Parkway Ave.
> Wilsonville, OR 97070-9251
> Phone: (585) 314-6936
> Email: Christopher.Rizzo at xerox.com>> "The realization came over me with full force that a good part of the remainder of my life was going to be spent in finding errors in my own programs."
> -Maurice Wilkes, Memoirs of a Computer Pioneer
>> From: Michael Sweet <msweet at msweet.org>
> Date: Thursday, January 30, 2020 at 7:50 AM
> To: Christopher Rizzo <Christopher.Rizzo at xerox.com>
> Cc: PWG Workgroup <ipp at pwg.org>
> Subject: Re: [IPP] MOPRIA Alliance Print Specification Accounting Support requirement 4.18.2.d is incompatible with Apple AirPrint
>> Chris,
>> Responses inline below...
>>> On Jan 29, 2020, at 3:11 AM, Rizzo, Christopher <Christopher.Rizzo at xerox.com> wrote:
>> Mike,
>>>> This email is an attempt to answer the questions you posed in your previous email. In trying to get my head around the issue, I noticed I did not address any of your questions. The meeting time for the PWG has been typically a difficult time for me to attend due to other commitments, so my participation has not been as stellar as I would like. The same is going to be true for this week as I have an important doctor's appt. this Thursday. Apologies for the length of this email... Hope I don't put everyone to sleep.
>>>> 1. What are the use cases that need job-accounting-user-id but not job-account-id?
>>>> [crizzo] I can only speak from my experience of course, so I'm sure I'm going to miss use cases. But here goes:
>> ...
>> I wondering if we can provide a little more specific example for these - like a lawyer's office where associates have both a job-accounting-user-id that identifies the partner they are doing work for (?) and a job-account-id that identifies the client they are doing work for? We need to talk about why an unauthenticated value is useful/acceptable here as opposed to simply using the "most authenticated user identity" for job-accounting-user-id...
>> I only stick on this point because there are obvious business and legal issues with accounting systems that accept unauthenticated/unvalidated information - it's not enough to say you are John Smith working on contract/account number 123456. At some point you have to define a level of trust, which can be improved through authentication and validation, e.g. authenticate John Smith using a shared secret (password, whatever) and validate that John Smith is allowed to charge against account number 123456.
>> Remember we are defining the Best Practices for job accounting systems in this document, which may not match existing accounting systems precisely but definitely needs to address the use cases and requirements of existing accounting systems.
>>> 2. Do we need a way for a Printer to report that it would like the Client to show UI for and send certain Job Template attributes, above and beyond the current "printer-requested-job-attributes"?
>>>> [crizzo] I am having trouble finding the specs where printer-mandatory-job-attributes and printer-requested-job-attributes are defined. PWG 5100.7 contains job-mandatory-attributes Job Attribute, but does not mention printer-mandatory-job-attributes or printer-requested-job-attributes Printer Description attributes that I can find. I know they are in a spec somewhere, just can't find it right now.
>> Currently printer-requested-job-attributes is defined in the Job Accounting document, although the plan is to move it to another spec (EPX has been suggested, TRANS is another possibility and is just getting a quick errata update and might be a better fit?)
>>> I suggest the following Printer Description matrix for the above accounting systems:
>>>> SYSTEM-A: printer-mandatory-job-attributes = job-accounting-user-id, job-account-id; printer-requested-job-attributes empty
>> SYSTEM-B: printer-mandatory-job-attributes = job-accounting-user-id; printer-requested-job-attributes = job-account-id
>>>> But a more general solutions suggests a printer should simply include job-accounting-user-id and job-account-id in printer-mandatory-job-attributes when they are required for a job to print, and if they are optional for a job, move the optional ones to printer-requested-job-attributes.
>> I think that's the guidance we should be giving for any of the attributes...
>> 3. What additional Client UI recommendations do we want to add to the Job Accounting best practice document? For example, what is the recommended UI for "job-account-id"?
>>>> [crizzo] (Going forward) Supporting implementations: As I went thru this it was getting pretty robust, so I created a spreadsheet (attached) to try to capture my ideas. Hope it is understandable and not too complex (implementation wise). I think the spreadsheet could possibly cover all conceivable implementations though.
>> Well, the focus of the spreadsheet is clearly on job-account-id and job-accounting-user-id, but we also have document-format-details and many other attributes that were identified previously to consider.
>> 4. How can a Printer best support a (legacy/not updated) Client whose Job Creation request is missing required or requested information?
>>>> [crizzo] Printers that support the new accounting requirements MAY wish to implement accounting exceptions configurable at the printer (for legacy client support it would absolutely be highly recommended, or maybe go so far as making this a MUST, so that legacy clients aren't totally locked out when accounting is enabled). Jobs received over IPP for example, can be charged to a generic IPP job-accounting-user-id and job-account-id. Not ideal for locking down accounting on the printer, but if a customer wants to use legacy clients with a supporting printer, this may be the only way.
>> Agreed, and we probably need to talk about what the specific recommendations should be...
>> (I'm adding slides to the F2F deck now, we can expand as needed...)
>> ________________________
> Michael Sweet
________________________
Michael Sweet