[IPP] TIC has reviewed the IPP Authentication Methods and has comments

wamwagner at comcast.net wamwagner at comcast.net
Tue Feb 26 21:03:08 UTC 2019


Thanks for addressing a very difficult subject. The diagrams contain a lot of information but are unreadable without magnification. The alternative would be to break each transaction into multiple figures, which would also be cumbersome (and a lot more work).

A few trivial items related to the possible confusion between authentication and authorization (although I may have this wrong).

1. Line 155 “Andy enters his credential to prove access…” Presumably, Andy enters his credentials to support he is who he says he is, which may or may not provide access. Perhaps just “Andy enters his credential.”

2. Canon commented “Sections 3.3.1 and 3.3.2 are exactly the same except one is for user Lisa and the other is for user Harry.  One section is about Authentication Failure and the other is Authorization Failure.  This is a bit confusing since the paragraphs are exactly the same except for the use case user name and the section titles.” I agree. Presumably one can have an account and a valid password but still not be authorized to use the printer for some other reason (para 5.1.3 and para 5.2.3 discuss this). The use cases should include a clear case of an authentication failure (unless it is out of scope for this document, in which case it should be under para 3.4).

3. Although I may be missing it, the diagrams do not make clear what is an authentication failure vs an authorization failure (indeed, the distinction between the terms in the diagrams is unclear in many cases, with the Authorization Service clearly doing authentication in many cases). Aside from the Use Cases and the failure handling in section 5, the text does not appear to help in the distinction either.

I recognize that (I think) the common use is that the user is authorized on the basis of authentication credentials, thus:

a. HTTP Status Code 401 Unauthorized: The request has not been applied because it lacks valid authentication credentials
b. The comment that the use of the 'oauth' authentication method … depends on the Printer supporting the “oauth-authorization-server-uri” Printer Description attribute).

But some help in distinguishing an Authentication failure from an Authorization failure might be useful.

Thanks.
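
The distinction raised in item 3, sketched as an added example that is not part of the original message or of the IPP Authentication Methods document: an authentication failure means the request proved no identity (HTTP 401 plus a challenge), while an authorization failure means the identity was proven but is not permitted to use the printer. The account names, passwords, the ACL, the use of HTTP Basic and the choice of HTTP 403 for the second case are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: accounts, passwords, salt and ACL are made up.
SALT = b"constructed-salt"

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

ACCOUNTS = {"user_a": _hash("correct horse"), "user_b": _hash("battery staple")}
PRINTER_ACL = {"user_a"}  # user_b has a valid account but may not print

def authenticate(headers):
    """Return the proven user name, or None if credentials are missing or invalid."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    candidate = _hash(password)  # hash even for unknown users (uniform timing)
    stored = ACCOUNTS.get(user)
    if not sep or stored is None or not hmac.compare_digest(stored, candidate):
        return None
    return user

def check_request(headers):
    """Return (http_status, failure_kind, extra_headers) for a print request."""
    user = authenticate(headers)
    if user is None:
        # Authentication failure: identity not established, so challenge again.
        return 401, "authentication", {"WWW-Authenticate": 'Basic realm="printer"'}
    if user not in PRINTER_ACL:
        # Authorization failure: identity is known; resending credentials won't help.
        return 403, "authorization", {}
    return 200, None, {}

def basic(user, password):
    """Build a Basic Authorization header for the constructed test requests."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

if __name__ == "__main__":
    for hdrs in ({}, basic("user_a", "wrong"), basic("user_b", "battery staple"),
                 basic("user_a", "correct horse")):
        print(check_request(hdrs))
```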


