IPP Mail Archive: Re: IPP> Use of SSL3 Framing????

Re: IPP> Use of SSL3 Framing????

Randy Turner (rturner@sharplabs.com)
Thu, 06 Nov 1997 06:56:08 -0800

Bob Van Andel wrote:
>
> Randy,
>
> >The fact that scenarios exist where security is not
> >necessary, does not obviate the need for the standard
> >to specify security as a requirement. It's possible
> >that one of the machines in one of these scenarios
> >might be moved or requested to communicate outside
> >of the scenario-specific domain and we don't want
> >to have to modify the configuration or install new
> >software in order to interoperate.
> >
> <snip>
>
> Existing Web browsers and servers make the transition from insecure
> (non-SSL3) to secure (SSL3) modes and back all the time. Why can't IPP
> clients dynamically negotiate those transitions for those environments
> where the site configuration warrants it?

SSL3 allows security parameters to be negotiated dynamically. All that's
required is the support for SSL3 framing and session initialization. We're
not absolutely requiring all of the cipher suites and authentication
mechanisms the SSL3 spec includes.
>
> I would expect that a number of site configuration issues will be necessary
> that don't require software changes to interoperate, but do require
> administrative attention. Why is this different than the administrator
> configuring which bin has letterhead? I'm assuming that the IPP spec
> allows a printer with a single paper source to ignore multi-tray attributes.

That's true, but security requirements for a particular
printer will not change as often as media in a tray, or other
printing-specific attributes. An administrator will decide if
a device should be secured and it will probably stay that way.
Security requirements for a printing server will be somewhat
static.

Also, I might point out, for a lot of cases, it will be the client
that decides security is necessary for a particular session
because the client knows the sensitivity of the content that
will be transmitted to the server.

In any of these scenarios, publishing a single URL for the
printer and using SSL3/TLS to negotiate security will come
closer to making sure client and server can interoperate,
at least as far as security is concerned.

Randy

>
> Bob
>
> ----------------------------------------
> Bob Van Andel
> Allegro Software Development Corporation
> 43 Waite Road
> Boxborough, MA 01719
> (978) 266-1375
> (978) 266-2839 fax
>
> Information on the RomPager embedded web server toolkit is at
> <http://www.allegrosoft.com/>