--- Tom wrote:
> At the IPP WG meeting, we agreed to resolution 2 for Issue 3.2. However,
on
> the IPP telecon today, Ira pointed out that HTTP security is
> connection-based, not transaction-based.
> There is a new experimental RFC
> 2660 for SHTTP (August 1999), which has transaction-based security, but
we
> don't want IPP to have to use that.
>> So resolution 2 won't work; the challenge has to be issued for the
> connection, not on an operation-by-operation basis. Therefore, each
> different security regime that a Printer supports MUST have a distinct
URL.
> What about authentication?
>
This seems overly general to me. By "HTTP security" are you refering to
Digest authentication, TLS, Kerberos, or what?
You seem to be implying that each operation requires a separate connection.
That is not the normal case for HTTP/1.1: all connections in HTTP/1.1 are
persistent by default. Also, Basic and Digest authentication can work over
non-persistent connections (they worked for HTTP/1.0, didn't they?).
AFAIK, a transaction is a series of operations that succeeds or fails as a
unit, with the properties of atomicity, consistency, isolation and
durability. Is this a new requirement for IPP?
-Carl