Smith,
> On Mar 4, 2019, at 12:22 PM, Kennedy, Smith (Wireless & Standards Architect) via ipp <ipp at pwg.org> wrote:
>> Greetings,
>> Thanks to all who provided feedback on the 20190117 draft of IPP Authentication Methods. Since I received valuable non-editorial feedback in addition to editorial feedback on the draft from the PWG Last Call, I have produced a new revision that hopefully resolves all the issues and can be used in a second last call. The new draft is here:
>> https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190304.odt
>> https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190304.pdf
>> https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190304-rev.odt
>> https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190304-rev.pdf
>> I included the contents of my LCRC document in the "Change History" section. If those that submitted comments could review this draft offline and evaluate whether my changes have fixed their issues, I'd appreciate it.
The -rev version is (as usual) a bit hard to follow, but I like the changes. We normally do the LCRC comments in a separate txt file, but I'm fine with it being in the changes section for now. Process/3.0 doesn't require a particular format or filename, just that all comments and their resolutions be listed for review.
Feedback:
One addition I'd like to see for the "requesting-user-name" method is a note that some Clients use a constant identity as a privacy defense (e.g., "mobile" from iOS Clients) when sending requests, so from a Printer's perspective this method is basically useless. In the context of GDPR, this falls under a need for explicit consent - a password challenge or Client UI requesting permission to provide the real user name is required. At Apple we decided to always hide the requesting user on iOS for basic privacy reasons, relying on authentication where such information is genuinely needed.
In the general client recommendations (section 14.2?), you say:
Client security considerations (section 18.2) should also be followed.
Since we have a lowercase "should" here, perhaps reword this as:
Also see section 18.2 for Client security considerations and recommendations.
There is a similar statement in the general printer recommendation (section 14.4?), which should probably read "Also see section 18.4 for Printer security considerations and recommendations." (right now it says Client...)
_________________________________________________________
Michael Sweet, Senior Printing System Engineer