[IPP] IPP Firmware Update Extensions v1.0 - recommendations for "Security and Privacy" and "Implementation Considerations" sections

[IPP] IPP Firmware Update Extensions v1.0 - recommendations for "Security and Privacy" and "Implementation Considerations" sections

Ira McDonald blueroofmusic at gmail.com
Sun May 24 19:12:07 UTC 2026 

Hi Smith,

I'd also suggest adding as Informative references to Security
Considerations:

NIST SP800-193 Platform Firmware Resiliency Guidelines (May 2018)
https://csrc.nist.gov/pubs/sp/800/193/final

ITU-T X.1373 Secure Software Update Capability for ITS (March 2024)
https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=15664

ISO 24089:2023 Road vehicles — Software Update Engineering (February 2023)
https://www.iso.org/standard/77796.html


All three are worth a look for security requirements
- first two are FREE
- third is behind a paywall (135 Swiss Francs), but it's a concise spec (I
was co-editor)

Cheers,
- Ira


*Ira McDonald (Musician / Software Architect)*
*Co-Chair - TCG Mobile Platform WG*

*Co-Chair - TCG Metadata Access Protocol SG*








*Chair - Linux Foundation Open Printing WGSecretary - ISTO Printer Working
GroupCo-Chair - ISTO PWG Internet Printing Protocol WGIETF Designated
Expert - IPP & Printer MIBBlue Roof Music / High North
Inchttp://sites.google.com/site/blueroofmusic
<http://sites.google.com/site/blueroofmusic>http://sites.google.com/site/highnorthinc
<http://sites.google.com/site/highnorthinc>mailto: blueroofmusic at gmail.com
<blueroofmusic at gmail.com>(permanent) PO Box 221  Grand Marais, MI 49839
906-494-2434*


On Fri, May 22, 2026 at 12:53 PM Michael Sweet via ipp <ipp at pwg.org> wrote:

> Smith,
>
> Some thoughts on security/privacy:
>
> 1. Firmware should be cryptographically signed
> 2. Firmware downloads should be protected in transit (i.e. HTTPS/TLS)
> 3. Any identifiers used to authorize access to and/or track downloads and
> installations of new firmware should be limited to the Printer and not the
> Printer's owner, organization, etc. IOW, "this is a valid Example Corp
> Laser Printer 2000 with SN 12345 that is entitled to receive firmware v2.0"
> - this allows the vendor to broadly know what version(s) of firmware are in
> use, whether there have been issues installing new firmware, etc. but not
> to know that Alice hasn't updated the firmware in her Printer for the last
> 18 months.
> 4. Firmware Repositories can potentially combine Printer identity
> information with IP addresses, routing info, etc. to determine the identity
> of owners (privacy consideration for using OTA updates...)
>
> I know we don't want to dig too deep with this, and I certainly don't want
> to provide a roadmap for abusing OTA updates, but it seems appropriate to
> outline some of the risks and highlight best practices...
>
>
> > On May 21, 2026, at 4:32 PM, Kennedy, Smith (Wireless & IPP Standards)
> via ipp <ipp at pwg.org> wrote:
> >
> > Hi there,
> >
> > For IPP Firmware Update Extensions v1.0, does anybody have any
> recommendations for items to list in the "Security and Privacy" and
> "Implementation Considerations" sections? I'd like to get that before I
> produce my next draft, which will be ready for our IPP WG meeting June 18.
> >
> > Cheers,
> >
> > Smith
> >
> > /**
> >     Smith Kennedy
> >     HP Inc.
> > */
> >
> > _______________________________________________
> > ipp mailing list
> > ipp at pwg.org
> > https://www.pwg.org/mailman/listinfo/ipp
>
> ________________________
> Michael Sweet
>
> _______________________________________________
> ipp mailing list
> ipp at pwg.org
> https://www.pwg.org/mailman/listinfo/ipp
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20260524/327a45de/attachment.html>

More information about the ipp mailing list