[IPP] Add "oauth-authorization-resource" attribute?

Michael Sweet msweet at msweet.org
Tue Dec 6 11:29:05 UTC 2022


Smith,

> On Dec 6, 2022, at 1:37 AM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com> wrote:
> 
> Hi Piotr and Mike,
> 
> Sorry for the slow response.
> 
> I don't think it is right to intermingle how the Client establishes trust in the Printer with how the Printer identifies itself to the Authentication Service.

For better or worse, that *is* part of the OAuth model...

> ...
> That doesn't work for the "local printer" case, as we have already discussed. A Client may depend on a TOFU / certificate pinning model to establish some level of trust in the Printer in this scenario, since ".local." domain hostnames aren't registered in the global DNS. That works reasonably well for purely local printing where the trust expectations are arguably lower. The owner / operator may implement DNS and provision the printer with a certificate issued by a trusted CA, but then it is supported by infrastructure DNS and so falls under the model previously described.

I believe we already have identified this as an issue: TOFU and pinning are insufficient when using OAuth - the X.509 cert needs to use a trusted root, either using IoT-ACME or something similar.  Self-signed certs are not supportable.

________________________
Michael Sweet
