IPP Mail Archive: IPP> SEC

IPP> SEC

Scott Lawrence (lawrence@agranat.com)
Mon, 12 May 1997 16:31:15 -0400

SEC> RFC 2069: This provides some limited security services, mainly
SEC> only client side authentication. Security specialists frown upon
SEC> this solution because it uses unencrypted user names and
SEC> passwords. However, this solution could be used in combination
SEC> with a protocol that provides for secure transport.

RFC 2069 does not transmit user names or passwords in any form - put
simply, it transmits a cryptographic digest derived from the
username, password, and a server-generated challenge. The
authentication derives from the fact that the client cannot generate
it correctly without knowing the user credentials.

SEC> SHTTP - Secure HTTP: Although on the IETF standards track, this
SEC> seems to lack some important features and does not seem to go
SEC> anywhere in the market place.

Actually, I believe that it provides everything IPP would need
(including non-repudiation - a service that has received too little
attention), but it is true that it may not be getting enough support
from the marketplace and doesn't seem to enjoy support in the IESG
(I don't know why not).

--
Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
Agranat Systems, Inc.        Engineering            http://www.agranat.com/
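
The digest computation described in the reply above, as an added example that is not part of the original message: the RFC 2069 calculation with both the client and the server side. The account, realm, password, nonce and URI are constructed sample values, and the helper function names are this example's own.

```python
import hashlib
import hmac
import os


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2069 request-digest: MD5( H(A1) ":" nonce ":" H(A2) )."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # A1 = user:realm:password
    ha2 = md5_hex(f"{method}:{uri}")                 # A2 = method:digest-uri
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def new_nonce():
    """Server-generated challenge; random here, the RFC leaves the form open."""
    return os.urandom(16).hex()


def authorization_header(username, realm, password, nonce, method, uri):
    """Header the client sends; the password itself is not one of its fields."""
    response = digest_response(username, realm, password, nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


def server_verify(stored_ha1, nonce, method, uri, response):
    """The server keeps only H(A1) and recomputes the expected digest."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample values, not taken from the mailing-list message.
    user, realm, pw = "alice", "printers@example.com", "s3cret-pass"
    method, uri = "POST", "/ipp/queue1"
    stored = md5_hex(f"{user}:{realm}:{pw}")  # what the server has on file

    nonce = new_nonce()
    print(authorization_header(user, realm, pw, nonce, method, uri))
    good = digest_response(user, realm, pw, nonce, method, uri)
    print("valid for this challenge:", server_verify(stored, nonce, method, uri, good))
    # The same response replayed against a fresh challenge does not verify.
    print("valid for a new challenge:",
          server_verify(stored, new_nonce(), method, uri, good))
```

The digest authenticates the client only; the request and response bodies travel unencrypted, which is why the quoted text suggests pairing it with a secure transport.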