IPP Mail Archive: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Larry Masinter (masinter@parc.xerox.com)
Mon, 12 Apr 1999 09:38:30 PDT

> >>> Paul Moore <paulmo@microsoft.com> 04/09/99 06:01PM >>>
> Basic and SSL work fine for me. It has the following benefits
> 1. It works

Actually, it doesn't work very well.

> 2. It's secure

No, it has serious security problems in the context of a printing
protocol. Maybe "it's secure" for web browsing, but requiring the
printer to hold passwords in the clear leads to several vulnerabilities
that can be exploited. And if we're still in an export-sensitive
world, the security of "basic and SSL" creates an attractive nuisance.

> 3. Any reasonable client supports it
> 4. Any reasonable server supports it.

Depending on "reasonable": you're adding overhead to accomplish
privacy when all that's wanted is authentication. And without
further definition of a minimum required interoperable subset,
"supports it" is just meaningless blather.

Frankly, it seems like we're getting some knee-jerk responses.
This isn't a popularity contest. The results actually have to
work.

Regards,

Larry