Thanks Ira. I'm still going to write it up in a white paper / technical brief so that I can better outline the use cases, and we can use that to drive our discussion at the Feb. F2F.
Smith
> On Jan 26, 2017, at 11:14 AM, Ira McDonald <blueroofmusic at gmail.com> wrote:
>> Hi,
>> Smith plans to bring a whitepaper and/or slides on this new operation
> (tentatively to be named Get-User-Printer-Attributes for clarity) to the
> PWG F2F meeting in February.
>> On reflection, I suggest that perhaps we *should* add this operation
> to IPP System Service to enhance IPP Client interworking with IPP
> Printers (job services).
>> Mike has convinced me that the operation should look just like the
> existing Get-Printer-Attributes operation (input/output attributes),
> but allow the Printer (if so configured) to authenticate the Client's
> requesting user identity and always require filtering of the response
> based on the most authenticated requesting user identity.
>> Cheers,
> - Ira
>>> Ira McDonald (Musician / Software Architect)
> Co-Chair - TCG Trusted Mobility Solutions WG
> Chair - Linux Foundation Open Printing WG
> Secretary - IEEE-ISTO Printer Working Group
> Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
> IETF Designated Expert - IPP & Printer MIB
> Blue Roof Music / High North Inc
>http://sites.google.com/site/blueroofmusic <http://sites.google.com/site/blueroofmusic>
>http://sites.google.com/site/highnorthinc <http://sites.google.com/site/highnorthinc>
> mailto: blueroofmusic at gmail.com <mailto:blueroofmusic at gmail.com>
> Jan-April: 579 Park Place Saline, MI 48176 734-944-0094
> May-Dec: PO Box 221 Grand Marais, MI 49839 906-494-2434
>>> On Sun, Jan 15, 2017 at 10:49 PM, Michael Sweet <msweet at apple.com <mailto:msweet at apple.com>> wrote:
> Ira,
>> > On Jan 15, 2017, at 8:45 PM, Ira McDonald <blueroofmusic at gmail.com <mailto:blueroofmusic at gmail.com>> wrote:
> >
> > Hi Mike,
> >
> > You are suggesting this new Get-User-Printer-Attributes operation
> > does NOT require authentication and authorization of the Client?
>> No, I am suggesting that this new operation *may* not require Client authentication, depending on the configuration of the Printer, just as Cancel-Job, Cancel-All-Jobs, Cancel-My-Jobs, Create-Job, Get-Job-Attributes, Get-Jobs, Print-Job, Print-URI, Send-Document, Send-URI, and Validate-Job do.
>> FWIW, Get-Printer-Attributes is basically the only operation in IPP/1.1 (RFC 2911/8011) that does not say anything about authentication, the most authenticated identity, authorization rights, or filtering of attributes or values based on the most authenticated identity. And that makes it impossible to add authentication requirements without breaking a lot of (read: all) Clients.
>> > If that's right, what value does this operation offer over the classic
> > Get-Printer-Attributes (with perhaps an "ipp-features-supported"
> > tag that says it supports User-based filtering)?
>> It makes it consistent with the Job operations.
>> > My reading of original RFC 2911 was that *any* operation could do
> > filtering based on the requesting user (i.e., Get-Jobs).
>> No, there is discussion of authentication and the most authenticated user/identity, but specific requirements and filtering are discussed in the description of each operation. In particular, Get-Jobs and Get-Job-Attributes talk about filtering based on security policy, while Get-Printer-Attributes only talks about filtering based on document format (and basically says everyone gets to see the same information).
>> This is arguably a bug in the original IPP specs, but there is nothing we can do to fix Get-Printer-Attributes now.
> (but there are advantages to having a public/guest "get" operation for discovering what a Printer will require, e.g., "uri-authentication-supported" values...)
>> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20170127/3c72aefa/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4241 bytes
Desc: not available
URL: <http://www.pwg.org/pipermail/ipp/attachments/20170127/3c72aefa/attachment.p7s>