IPP Mail Archive: RE: IPP> SEC: IPP 1.1 security (phone conference)

RE: IPP> SEC: IPP 1.1 security (phone conference)

Carl-Uno Manros (carl@manros.com)
Wed, 3 Feb 1999 07:12:01 -0800

Ira,

Could you give a little more concrete examples of cases where xxxs schemes
have been shot down?
John's impression is that the main reason for not accepting xxxs has been
the requirement to use an extra port, but the ipps scheme would default to
port 631 like the ipp scheme, using the Upgrade header in the HTTP start-up
phase.

FYI, there are still security people in the IETF that seem to favor the xxxs
approach. The problem, as I see it, is that there are no other clear
alternatives, which the Area Directors DO like. We have discussed using
SASL, but unfortunately people always seem to find problems with that too...

It is fine that we can detect security over SLP and directory solutions, but
wouldn't it also be nice to be able to have an actually working IPP or IPPS
URL on your business card, which John's proposal would offer?

Carl-Uno

-----Original Message-----
From: owner-ipp@pwg.org [mailto:owner-ipp@pwg.org] On Behalf Of Ira McDonald
Sent: Wednesday, February 03, 1999 6:10 AM
To: ipp@pwg.org; jwenn@cp10.es.xerox.com
Subject: Re: IPP> SEC: IPP 1.1 security (phone conference)

Hi John,

The IESG has firmly rejected specifying security by alternate
scheme names (e.g., 'https:'). The working agreement within
the IPP WG is that the security is NOT discoverable by direct
examination of the URI, but is found through a directory service
(such as LDAP) or service location protocol (such as SLP)
by examining the attribute 'uri-security-supported' which is
an ordered attribute parallel to the 'printer-uri-supported'
attribute.

Several IETF-chartered working groups have already been shot
down trying to use either 'xxxs:' scheme names or mandatory
parameters appended to URI.

Embedding security info in URI has gone completely out of
favor with the IESG.

Also IPP/1.1 systems MUST use 'ipp:' for their URI, per
our Area Directors and other IESG members.

The SLP 'printer:' template (and its future translation
into an LDAP 'printer:' schema) already supports advertising
these two IPP Printer object attributes and makes such
advertisement MANDATORY.

Cheers,
- Ira McDonald (outside consultant at Xerox)
(editor of SLP 'printer:' template)
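
The parallel-attribute lookup described in the quoted message, as an added example that is not part of the original thread or of any IPP implementation. It assumes a simplified SLP-style attribute list (no escape handling), placeholder host names, 'none' and 'tls' as sample security keywords, and a client-side `acceptable` policy that is hypothetical.

```python
import re

# Constructed sample of an SLP-style attribute list; host names are placeholders.
SAMPLE_ATTRS = (
    "(printer-uri-supported=ipp://prn.example.com/open,ipp://prn.example.com/secure),"
    "(uri-security-supported=none,tls)"
)


def parse_attrs(text):
    """Parse '(name=v1,v2),(name=v1)' into {name: [values]} (simplified: no escapes)."""
    pairs = re.findall(r"\(([^=()]+)=([^()]*)\)", text)
    return {name: values.split(",") for name, values in pairs}


def pair_uris(attrs):
    """Zip the two parallel attributes; a length mismatch is rejected, not guessed at."""
    uris = attrs.get("printer-uri-supported", [])
    security = attrs.get("uri-security-supported", [])
    if not uris or len(uris) != len(security):
        raise ValueError("printer-uri-supported and uri-security-supported are not parallel")
    return list(zip(uris, security))


def select_uri(attrs, acceptable=("tls",)):
    """Return the first URI whose advertised security is acceptable to the client.

    'acceptable' is a client-side policy (an assumption of this example). If no
    entry matches, raise instead of falling back to a 'none' URI.
    """
    for uri, sec in pair_uris(attrs):
        if sec in acceptable:
            return uri
    raise LookupError("no advertised URI meets the required security")


if __name__ == "__main__":
    attrs = parse_attrs(SAMPLE_ATTRS)
    print(pair_uris(attrs))
    print(select_uri(attrs))
```

Because the 'ipp:' URI itself carries no security indication, the selection reflects only what the directory advertised; the client still has to confirm that the connection it opens actually negotiated the expected protection.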