INterop is possible - between a printer and the MS IPP client. Everything they
are doing follows well defined standards - all you need to know is the name of
the authentication scheme (Negotiate) and that it does SPNEGO.
"McDonald, Ira" <imcdonald at sharplabs.com> on 08/15/2000 07:03:13 PM
To: "'Carl Kugler/Boulder/IBM'" <kugler at us.ibm.com>, pmoore at peerless.com
cc: Peter.Zehler at usa.xerox.com, ipp at pwg.org (bcc: Paul Moore/AUCO/US)
Subject: RE: IPP> TES - Bake-Off Phone conference
Hi Carl,
Right - your reference below (and I-D) is the best I
can find in a search - a '-00' level proposal.
The IETF CAT (Common Authentication Technology) WG
has done other work with Kerberos and PKI. They'll
probably wind up the home for Smith's work if it's
found favorable.
Interop testing is not possible, I agree.
Cheers,
- Ira McDonald, consulting architect at Xerox and Sharp
High North Inc
-----Original Message-----
From: Carl Kugler/Boulder/IBM [mailto:kugler at us.ibm.com]
Sent: Tuesday, August 15, 2000 2:23 PM
To: pmoore at peerless.com
Cc: Peter.Zehler at usa.xerox.com; ipp at pwg.org
Subject: Re: IPP> TES - Bake-Off Phone conference
Without a standard, I guess we can't do interop testing, anyway, though
there is a proposal at
http://hex.tamu.edu/drafts/draft-smith-http-third-party-authentication-00.tx
t
Is there a "de facto" standard documented somewhere?
-Carl
pmoore at peerless.com on 08/15/2000 12:26:45 PM
To: Carl Kugler/Boulder/IBM at IBMUS
cc: pmoore at peerless.com, Peter.Zehler at usa.xerox.com, ipp at pwg.org
Subject: Re: IPP> TES - Bake-Off Phone conference
Correct - there is no standard for Kerberizing HTTP. MS have added a new
authentiation scheme that triggers a GSSAPI/SPNEGO interaction. This does
either
Kerberos or NTLM depending on whether or not the client is capable of
Kerberos.
Throw in a bit of Base64 encoding and you're done.
"Carl Kugler/Boulder/IBM" <kugler at us.ibm.com> on 08/15/2000 11:13:10 AM
To: pmoore at peerless.com
cc: Peter.Zehler at usa.xerox.com, ipp at pwg.org (bcc: Paul Moore/AUCO/US)
Subject: Re: IPP> TES - Bake-Off Phone conference
Hmm... I wasn't aware of a standard for Kerberos HTTP authentication,
either, although there has been some recent discussion on the http-wg list
about "ticket based authentication" (see
http://www.ics.uci.edu/pub/ietf/http/hypermail/2000/0165.html). How does
W2K implement this?
-Carl
pmoore at peerless.com on 08/15/2000 11:41:16 AM
To: Carl Kugler/Boulder/IBM at IBMUS
cc: Peter.Zehler at usa.xerox.com, ipp at pwg.org
Subject: Re: IPP> TES - Bake-Off Phone conference
IE5 on Windows 2000, and hence the MS IPP client on Windows 2000, does
Kerberos
authentication. IPP just rides on the back of whatever HTTP authentication
happens to be available.
"Carl Kugler/Boulder/IBM" <kugler at us.ibm.com> on 08/15/2000 09:27:36 AM
To: Peter.Zehler at usa.xerox.com
cc: ipp at pwg.org (bcc: Paul Moore/AUCO/US)
Subject: Re: IPP> TES - Bake-Off Phone conference
> 1) A quick walk through the Bake-Off testing outline. The objective is to
> get some input on specific areas of testing.
> The document is located at
> "ftp://www.pwg.org/pub/pwg/ipp/new_TES/IPP-Test-Plan-000814.pdf".
Peter-
I see Kerberos listed under Authentication and Security. I didn't know IPP
had Kerberos authentication. I'm interested in finding out more about
this. Kerberos has a lot of advantages in a distributed environment, e.g.,
single sign on and centralized administration.
-Carl