Thanks for addressing a very difficult subject. The diagrams contain a lot of information but are unreadable without magnification. The alternative would be to break each transaction into multiple figures, which would also be cumbersome (and a lot more work).
A few trivial items related to the possible confusion between authentication and authorization (although I may have this wrong).
1. Line 155 “Andy enters his credential to prove access…” Presumably, Andy enters his credentials to support he is who he says he is, which may or may not provide access. Perhaps just “Andy enters his credential.”
2. Canon commented “Sections 3.3.1 and 3.3.2 are exactly the same except one is for user Lisa and the other is for user Harry. One section is about Authentication Failure and the other is Authorization Failure. This is a bit confusing since the paragraphs are exactly the same except for the use case user name and the section titles.” I agree. Presumably one can have an account and a valid password but still not be authorized to use the printer for some other reason (para 5.1.3 and para 5.2.3 discuss this). The use cases should include a clear case of an authentication failure (unless it is out of scope for this document, in which case it should be under para 3.4).
3. Although I may be missing it, the diagrams do not make clear what is an authentication failure vs an authorization failure (indeed, the distinction between the terms in the diagrams is unclear in many cases, with the Authorization Service clearly doing authentication in many cases). Aside from the Use Cases and the failure handling in section 5, the text does not appear to help in the distinction either.
I recognize that (I think) the common use is that the user is authorized on the basis of authentication credentials, thus:
a. HTTP Status Code 401 Unauthorized: The request has not been applied because it lacks valid authentication credentials
b. The comment that the use of the 'oauth' authentication method … depends on the Printer supporting the “oauth-authorization-server-uri” Printer Description attribute.
But some help in distinguishing an Authentication failure from an Authorization failure might be useful.
Thanks.