IPP Mail Archive: RE: IPP> Minutes of IPP Working Group Meeting [about Validate-Job security challenges]

From: McDonald, Ira (imcdonald@sharplabs.com)
Date: Sun Mar 18 2001 - 17:09:44 EST


    Hi Michael,

    Note that my recommendation on best practice (straight out of
    RFC 2617) use of 'cnonce' was for the IPP Implementors Guide,
    not for the Protocol (RFC 2910). We have lots of recommendations
    and advice about HTTP usage already in the IIG.

    Also, RFC 2617 makes clear that protecting the content with
    Digest (over the content and not just the headers) is still
    WEAK security, at best. If you need real security, you need
    a TLS session. Ain't no other way to get there.

    Cheers,
    - Ira McDonald, consulting architect at Sharp and Xerox
      High North Inc

    -----Original Message-----
    From: Michael Sweet [mailto:mike@easysw.com]
    Sent: Friday, March 16, 2001 2:17 PM
    To: McDonald, Ira
    Cc: 'Carl Kugler'; Hastings, Tom N; ipp@pwg.org
    Subject: Re: IPP> Minutes of IPP Working Group Meeting [about
    Validate-Job security challenges]

    "McDonald, Ira" wrote:
    > ...
    > I think we want to strongly recommend that IPP Clients use (and
    > IPP Printers expect to see used) the 'cnonce' option for better
    > authentication, in the IIG.
    > ...

    IMHO, putting any restriction on the type of digest authentication
    to use is outside the scope of IPP - that's a HTTP issue, and the
    spec is fairly clear and would allow specific implementation or
    sites to require cnonce or other security features of digest.

    Also, cnonce does not eliminate man-in-the-middle attacks - you
    need to use the MD5-sess algorithm to prevent changing of the
    contents of the message body - cnonce only provides another bunch
    of data to be added to the password sum and is of limited value
    if the server already provides random nonce values for each
    challenge.

    -- 
    ______________________________________________________________________
    Michael Sweet, Easy Software Products                  mike@easysw.com
    Printing Software for UNIX                       http://www.easysw.com
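The exchange the two messages argue about, as an added example that is not code from either author, CUPS or the IPP specifications: the RFC 2617 Digest 'response' computation on the client (with and without cnonce, qop=auth-int and MD5-sess), the server-side check, and the passive offline dictionary attack that still works against the captured values, which is the "WEAK security" Ira refers to. Per RFC 2617 section 3.2.2.3, qop=auth-int folds an MD5 of the entity body into A2, so the example also shows a tampered body failing the check under auth-int but passing under plain qop=auth. The realm, username, password, URI and body are constructed sample values; the nonce and cnonce strings reuse the RFC 2617 section 3.5 example so the known-answer check can be reproduced.

```python
"""RFC 2617 HTTP Digest: client response, server verification, and an
offline dictionary attack on a captured exchange.  Added example; the
credentials, URI and body below are constructed, not from the thread."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: Optional[str], algorithm: str = "MD5",
                    body: bytes = b"") -> str:
    """Client side: the 'response' value as RFC 2617 section 3.2.2 defines it.
    qop is "auth", "auth-int" or None (the RFC 2069-compatible form)."""
    # A1 = username:realm:password; MD5-sess additionally mixes nonce and cnonce in
    ha1 = md5hex(f"{username}:{realm}:{password}".encode())
    if algorithm == "MD5-sess":
        ha1 = md5hex(f"{ha1}:{nonce}:{cnonce}".encode())
    # A2 = method:uri, or method:uri:MD5(entity-body) when qop=auth-int
    if qop == "auth-int":
        ha2 = md5hex(f"{method}:{uri}:{md5hex(body)}".encode())
    else:
        ha2 = md5hex(f"{method}:{uri}".encode())
    if qop is None:
        # No nc, cnonce or qop in the hash when the server offered no qop
        return md5hex(f"{ha1}:{nonce}:{ha2}".encode())
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def server_verify(creds: Dict[str, str], username: str, realm: str,
                  method: str, uri: str, nonce: str, nc: str, cnonce: str,
                  qop: Optional[str], response: str, algorithm: str = "MD5",
                  body: bytes = b"") -> bool:
    """Server side: recompute from the stored password over the body the
    server actually received and compare in constant time.  (A real
    server also checks that nonce is one it issued and that nc is fresh.)"""
    password = creds.get(username)
    if password is None:
        return False
    expected = digest_response(username, realm, password, method, uri,
                               nonce, nc, cnonce, qop, algorithm, body)
    return hmac.compare_digest(expected, response)


def offline_dictionary_attack(captured: dict,
                              wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side: every hash input except the password (nonce, cnonce,
    nc, qop, URI, body) is sent in clear text, so a passive observer can
    test candidate passwords against the captured response at leisure.
    cnonce, auth-int and MD5-sess do not change this; only TLS hides it."""
    for candidate in wordlist:
        guess = digest_response(
            captured["username"], captured["realm"], candidate,
            captured["method"], captured["uri"], captured["nonce"],
            captured["nc"], captured["cnonce"], captured["qop"],
            captured["algorithm"], captured["body"])
        if guess == captured["response"]:
            return candidate
    return None


# Constructed sample exchange (nonce/cnonce strings taken from RFC 2617 s.3.5)
SAMPLE = dict(username="ippuser", realm="IPP Printer", method="POST",
              uri="/ipp/print", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
              nc="00000001", cnonce="0a4f113b", qop="auth-int",
              algorithm="MD5-sess", body=b"IPP Validate-Job request body")
CREDS = {"ippuser": "hunter2"}  # constructed; the attacker's wordlist has it


def run_sample() -> dict:
    """Client answers the challenge; server checks it; an observer who
    captured the request cracks the password; a body change is detected
    under auth-int but not under qop=auth."""
    client = dict(SAMPLE)
    resp = digest_response(password=CREDS["ippuser"], **client)
    ok = server_verify(CREDS, response=resp, **client)
    tampered = dict(client, body=client["body"] + b" (modified in transit)")
    tamper_detected = not server_verify(CREDS, response=resp, **tampered)
    captured = dict(client, response=resp)
    cracked = offline_dictionary_attack(captured, ["password", "123456", "hunter2"])
    return {"accepted": ok, "tamper_detected": tamper_detected, "cracked": cracked}


if __name__ == "__main__":
    print(run_sample())
```

Worth noting: the attack loop above is nothing more than the client's own computation run over a wordlist, which is why per-challenge server nonces, cnonce and MD5-sess only stop replay and precomputation, not guessing. Moving the exchange inside a TLS session is what removes the observer.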
    



    This archive was generated by hypermail 2b29 : Sun Mar 18 2001 - 17:17:20 EST