Smith,
> On Dec 14, 2022, at 10:18 PM, Kennedy, Smith (Wireless & IPP Standards) via ipp <ipp at pwg.org> wrote:
>> Signed PGP part
> Waking this up again, and bringing it back to the IPP reflector.
>> I didn't think about the print server case, where one host is hosting multiple printers. That brings us all the way back to submitting the URI, which provides both the host name and the resource path of the printer.
>> I still suspect that, even for the "standard" printer, it is necessary for the Client to supply the Printer's certificate fingerprint so that the Authentication Service can confirm that the Client is interacting with a particular Printer hosted on a system that is using a TLS certificate that has a particular fingerprint. If it doesn't want to use it, it can ignore it. But it should know the current certificate fingerprint, right?
OK, so this gets us back to the subject of X.509 certificate validation. Current IPP usage allows for TOFU with self-signed certificates, but we have identified this as a weak point when using OAuth. The normal way of dealing with this involves using CA-signed certificates, where the CA for a printer will typically be:
1. A local enterprise certificate server that provides signed certificates; the root (CA) certificate is bound to the domain (ActiveDirectory or similar)
2. A remote certificate server that provides signed certificates; the root (CA) certificate is either globally trusted or bound to the domain (Azure Universal Print Service or similar)
3. An Internet public certificate authority that provides signed certificates; this can be provisioned manually or via ACME if the printer is accessible globally (yeck), and the root (CA) certificate is well-known
4. (New, not yet standardized) A local ACME server that provides signed certificates; the root (CA) certificate is bound to the network via DHCP or DNS-SD.
Only the last one supports mDNS (.local) hostnames, the rest force you to use an actual domain name for the printer.
You can't send a fingerprint from the Client to the Authorization Server (AS) because a) there isn't a protocol for that and b) even if you did there is no way for the AS to authenticate the fingerprint (i.e. the resource URI is the only information it has about the printer that is the same as what the Client sees, the AS may never see the Printer's X.509 certificate...)
________________________
Michael Sweet
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221215/be002ab6/attachment.sig>