IPP Mail Archive: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest Authentication

Manros, Carl-Uno B (cmanros@cp10.es.xerox.com)
Thu, 22 Apr 1999 18:31:58 -0700

Paul,

You seem to mix up cause and effect in this discussion.

The fact that the IETF-defined protocols have turned out to function well in
more restricted environments such as LANs and intranets does not mean that
the reverse is true. There are many LAN products out today, based on IETF
standards, but which do not need and don't claim to be fully compatible with
the respective "full" IETF standard.

So why does every little $200-300 IPP LAN print server box have to be fully
compatible with the "full" IPP standard, as long as you declare that it is not?

Carl-Uno

> -----Original Message-----
> From: Paul Moore [mailto:paulmo@microsoft.com]
> Sent: Thursday, April 22, 1999 6:03 PM
> To: 'Manros, Carl-Uno B'; 'Keith Moore'
> Cc: IETF-IPP
> Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
>
>
> The 'I' protocols are used as much in non-Internet connected scenarios as
> they are used in Internet connected scenarios. The IP (note the 'I') network
> the machine I am typing on now is not connected to the Internet at all - I
> have a completely invalid IP address (in the sense of being unregistered)
> and I have no routers between it and the Internet.
>
> TCP/IP is used in many places for many purposes.
>
> Note I do not object to people specifying strong security - I am totally in
> favour of it and was the only person to deliver it at bake-off 2. I object
> to the MANDATORY requirement that all printers support it whether it makes
> sense or not.
>
> But as Keith has pointed out, this whole conversation regarding whether or
> not it makes market sense to build products with certain capabilities as
> driven by customer need carries no weight and we should just shut up and
> build what the IETF says. Doesn't make any difference to me - I don't build
> printer hardware.
>
> -----Original Message-----
> From: Manros, Carl-Uno B [mailto:cmanros@cp10.es.xerox.com]
> Sent: Thursday, April 22, 1999 5:52 PM
> To: Paul Moore; 'Keith Moore'
> Cc: IETF-IPP
> Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> Authentication
>
>
> Paul,
>
> Sometimes you seem to get carried away and forget what the first "I" in IPP
> stands for....
>
> Carl-Uno
>
> > -----Original Message-----
> > From: Paul Moore [mailto:paulmo@microsoft.com]
> > Sent: Thursday, April 22, 1999 4:42 PM
> > To: 'Keith Moore'
> > Cc: Herriot, Robert; IETF-IPP
> > Subject: RE: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> > Authentication
> >
> >
> > Who said anything about hooking this printer up to the Internet. I would
> > never do that - I would buy a printer that supports authentication if I was
> > planning to do that. IPP works fine in an office with 5 people using one
> > printer on a simple in-house LAN.
> >
> > -----Original Message-----
> > From: Keith Moore [mailto:moore@cs.utk.edu]
> > Sent: Thursday, April 22, 1999 4:38 PM
> > To: Paul Moore
> > Cc: 'Keith Moore'; Herriot, Robert; IETF-IPP
> > Subject: Re: IPP> Re: PRO - Issue 32: Use of Basic & Digest
> > Authentication
> >
> >
> > > I have a printer in my office that
> > >
> > > a) doesn't support PS
> > > b) gets its IP stuff via DHCP
> > > c) allows anybody to do firmware updates
> > > d) allows anybody to install fonts
> > > e) allows anybody to print
> > >
> > > You are telling me that this device CANNOT support IPP no matter how much I
> > > want it for its non-security-related features.
> >
> > I'm not telling you any such thing. I'm merely saying that for it to
> > support IPP, it has to be able to refuse attempts to perform IPP
> > operations that are not authenticated.
> >
> > If whoever makes your printer sees fit to build the printer so that
> > it loads its username/passwords from DHCP, along with the other IP
> > stuff, that's fine. Heck, for a soho printer I would probably
> > consider it acceptable for the printer to accept a single
> > username/password (unique to that printer), which was burned in
> > firmware, and printed on a label on the inside of the printer.
> > That will at least prevent attacks, and people who want to support
> > large numbers of users at their soho printer can just spool through
> > a proxy that knows the password.
> >
> > And though it would be really silly to hook a printer up to the Internet
> > that allowed so much potential for abuse we're only insisting that it
> > be possible for IPP to be authenticated.
> >
> > (though I would strongly recommend that while you're at it, you provide
> > the ability to require authentication for *all* of b-e above. Face it,
> > if you leave the door wide open, sooner or later your products
> > will be subject to attack. It doesn't cost much to protect your
> > customers now.)
> >
> > Keith
> >
>
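
Added example, not part of the thread or of any IPP implementation: the requirement quoted above (a printer that can refuse unauthenticated IPP operations, here with the single per-printer username/password suggested for a SOHO device) sketched as RFC 2617 Digest verification with qop=auth. The realm, username, password and the `/ipp/print` path used in testing are assumed values, and each nonce is accepted once so a captured header cannot be replayed.

```python
import hashlib
import hmac
import re
import secrets

# Assumed values for illustration; none of them come from the thread.
REALM, USERNAME = "ipp-printer", "printer"
PASSWORD = "label-inside-cover"  # stands in for the per-printer password
NEEDED = ("username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce")

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()  # MD5 is what RFC 2617 specifies

def challenge(issued):
    """Build the WWW-Authenticate value sent with a 401, remembering its nonce."""
    nonce = secrets.token_hex(16)
    issued.add(nonce)
    return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'

def parse_digest(header):
    """Split a Digest header value into a dict; None if it is not Digest."""
    if not header or not header.startswith("Digest "):
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', header[7:])
    return {key: quoted or bare for key, quoted, bare in pairs}

def digest_response(p, method, password):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

def authorize(method, uri, header, issued):
    """Return 200 for a valid Digest response, 401 for anything else."""
    p = parse_digest(header)
    if p is None or any(k not in p for k in NEEDED) or p["nonce"] not in issued:
        return 401  # no credentials, or a nonce never issued / already used
    issued.discard(p["nonce"])  # one request per nonce, so a replay fails
    if (p["username"], p["realm"], p["uri"], p["qop"]) != (USERNAME, REALM, uri, "auth"):
        return 401
    want = digest_response(p, method, PASSWORD)
    return 200 if hmac.compare_digest(want.encode(), p["response"].encode()) else 401

def client_header(password, method, uri, nonce, cnonce="0a4f113b", nc="00000001"):
    """What a client (or spooling proxy) that knows the password would send."""
    p = {"username": USERNAME, "realm": REALM, "nonce": nonce, "uri": uri,
         "qop": "auth", "nc": nc, "cnonce": cnonce}
    p["response"] = digest_response(p, method, password)
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in p.items())
```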