Randy,
Thanks for taking the time to put your ideas on paper.
I looked over your proposal and would like you to comment on the following
things.
I expect to get back with more detailed comments after having spoken to my
security guys on Monday.
1) I was disappointed that you did not spell out what is now the minimum
"extra stuff" that every implementation would have to include if we
mandated TLS negotiation for all IPP clients and servers. My latest
impression is that it is a lot more than we anticipated when the subject
was discussed in the Boulder PWG meeting.
2) Earlier today Keith Moore came up with a proposal to take a new look at
SASL, which might alleviate some of the extra burden that 1) above might
incur. Do you or anybody else know if "the world" is really going to
implement SASL in the foreseeable future (or are we up against yet another
road block here)? Judging from the comments on the DL recently, a number of
people have asked for a very lightweight mechanism to do the initial
security negotiation, with the option to say "NO I do not want any
security", and I am still not convinced that TLS will deliver that.
If I have interpreted the feelings of the WG on this subject correctly, I would like to draw a comparison with safe sex:
If you tend to mix with new or potentially unreliable partners, you are quite likely to want to have some form of protection and would welcome the subject to be brought up before you get too intimate. However, if you only practise it with a steady and well-known partner, you would probably be upset to have to go through a forced negotiation about different types of preventive tools and methods every time. If you trust your partner, you should be allowed to practise unsafe sex at your own risk, without any lengthy negotiation beforehand!
Regards,
Carl-Uno
Carl-Uno Manros
Principal Engineer - Advanced Printing Standards - Xerox Corporation
701 S. Aviation Blvd., El Segundo, CA, M/S: ESAE-231
Phone +1-310-333 8273, Fax +1-310-333 5514
Email: manros@cp10.es.xerox.com