Who says the printer or print server has to store passwords in the clear? =
Novell's implementation can validate a password it receives on the wire =
(hopefully encrypted) without having to store any original passwords in =
the clear. I agree with you that this approach requires encryption when =
only authentication is needed, but it is a working solution, not "just =
meaningless blather". In practice, this solution is likely to be more =
secure than Digest Authentication in that administrators of large sites =
are more likely to disable security all-together if they're faced with the =
daunting task of client certificate management.
Just two cents,
-Hugo
>>> "Larry Masinter" <masinter@parc.xerox.com> 04/12/99 10:38AM >>>
> >>> Paul Moore <paulmo@microsoft.com> 04/09/99 06:01PM >>>
> Basic and SSL work fine for me. It has the fiollowing benefits
> 1. Its works
Actually, it doesn't work very well.
> 2. Its secure
No, it has serious security problems in the context of a printing
protocol. Maybe "its secure" for web browsing, but requiring the
printer to hold passwords in the clear leads to several vulnerabilities
that can be exploited. And if we're still in an export-sensitive
world, the security of "basic and SSL" creates an attractive nuisance.
> 3. Any reasonable client supports it
> 4. Any reasonable server supports it.
Depending on "reasonable": you're adding overhead to accomplish
privacy when all that's wanted is authentication. And without
further definition of a minimum required interoperable subset,
"supports it" is just meaningless blather.
Frankly, it seems like we're getting some knee-jerk responses.
This isn't a popularity contest. The results actually have to
work.
Regards,
Larry