IETF Logo Mail Archive

Re: [IPP] Possible updates to IPP INFRA

Cihan Colakoglu via ipp <ipp@pwg.org> Thu, 08 October 2020 18:59 UTC

Return-Path: <ipp-bounces@pwg.org>
X-Original-To: ietfarch-ipp-archive@ietfa.amsl.com
Delivered-To: ietfarch-ipp-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF1593A0C42 for <ietfarch-ipp-archive@ietfa.amsl.com>; Thu, 8 Oct 2020 11:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.688
X-Spam-Level:
X-Spam-Status: No, score=-2.688 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sFGJTZUa1Zha for <ietfarch-ipp-archive@ietfa.amsl.com>; Thu, 8 Oct 2020 11:59:17 -0700 (PDT)
Received: from mail.pwg.org (mail.pwg.org [50.116.7.199]) by ietfa.amsl.com (Postfix) with ESMTP id 67B5B3A0C40 for <ipp-archive2@ietf.org>; Thu, 8 Oct 2020 11:59:17 -0700 (PDT)
Received: by mail.pwg.org (Postfix, from userid 1002) id 286F4F35B; Thu, 8 Oct 2020 18:59:15 +0000 (UTC)
Received: from mail.pwg.org (localhost [IPv6:::1]) by mail.pwg.org (Postfix) with ESMTP id D186D1C7B; Thu, 8 Oct 2020 18:59:09 +0000 (UTC)
X-Original-To: ipp@pwg.org
Delivered-To: ipp@pwg.org
Received: by mail.pwg.org (Postfix, from userid 1002) id D664C4CE8; Thu, 8 Oct 2020 18:59:08 +0000 (UTC)
Received: from sonic302-31.consmr.mail.bf2.yahoo.com (sonic302-31.consmr.mail.bf2.yahoo.com [74.6.135.230]) by mail.pwg.org (Postfix) with ESMTPS id C73FE3A6A for <ipp@pwg.org>; Thu, 8 Oct 2020 18:59:06 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1602183545; bh=Z4QqhDafddKS1FmMp5TzOkLkESpw7o4DsJB1NTSYmsA=; h=Date:From:To:Subject:References:From:Subject; b=Be0SXhzEKqquB+V6waeQJYz4xRa7llukBostkHCJNZ0NVqHOAzhsYhcuqcmHti7X7GNdFUX442Hc4EkOKiWWuQBO+57VKSThI+DYN48Xvr0+ab03WM1yiTbiOV0R7si5/2B+nc8RW8tex04T4jk42Q+2ok6OjP2Npjb9VNaG6mgKnbjVYbSxufIK/+EKxYbLQqxStd3AcLRLEIHmCMO+SLCLvhqRjppEvSjI2YwPvCXg29EheJ2FLiaLDuXVqaP2HcdLDtbldMWQenVudlIQThfVLMOj+4d7x+O/7GhyiL/04Dd8qq5lzrpBU8wDKoL2DpA13iQmpOO2PbBJhAjMzA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1602183545; bh=8arSrGmerkZR87bJu69KdTQhAy2w6zBhDze3C2eaeA/=; h=Date:From:To:Subject; b=kAwf/RaL+GglwwNasAlNATYL+ZZolmowrRRCXKw+Aw8LHVzjgMND1pdfcNPE8S0iXg+fnau37NktffVnTW2myzWDLH3zHu8rqtQ82wqURchPNn/6GYK+FzOjntQ0+xN9Er6R3QIPBib+SaZVV1u197nXv2pJHPlCQQmTicgb6kIxuLjnrKyTkRhdbujZ04mCpz44A5AjzoAIJBtZoU7GTVjnL4LpxyC9r8TxkJZzUJ3wBKOb4TTQFg9umFS9Va3FQYueRsotJZvWjkb9Xjx93KNHPty41WaNPf0cjExC7DqN73dyHL+qXCZ8P8WS02gkaZwSKk9tgTTXoM51SfZUUA==
X-YMail-OSG: 6yK1iRoVM1nZFKlalIv7GWpKOGcvuOsh7Yn9EfKObLciFxy3yEa6hw.COlXkmMs uhkx7TAVFksuM3AJalwCJ1f6DZ7oP6UIXnxGlpxx.TT_q1EeM61O71O96PBkDF01LxVbgxyHFdJZ 4tHX2vWP.ORonTpufNwqiCzKZ73PxAfQORL8E9mRx947X3P5PHOSkdcp472CJ43C8cU6xMZ54tRS NwviLg6eEvxsU_NZ8rSLJQ8KSAsxPnzBekP9c4EjpwQmIY5LFCAHjw40b8FoKCsmcQ8XYHxbtmQv xBcg.GEfJclgazAh5vyOUW56mjRDWZDvx6CncdQg4.Rw30TrSM8eqJ8p.8nm5oV70aQ8jB.R_Vl1 LYeCGuba1hz6WYVTtDb3TI2IgxLmPNfLKVVlk6_GevB3vmi3jQJRaVGRb1Godu2LCiqe4e43d.t9 jmg7shzDgL451rUUSKxLmIr.BsHS2KYe5y2dQIhQ.xo_M6fK9TQErhkRJ1w4so6Ao3KkpnKzQwwc UX2.C9fPU5Qd8DQDJk1ZHsFiBvKbua96IEGUK12tQXMg9F1vxFBF2TVvP1JhGC3u3bdFISszLk1L naxmyqFq3LKaZQV1uQjYP.XFPT88DRY41rzT7UegJdrX64aa3lucqSTdSxf5WiDyv5SMnHg0VYT. rXrTiqmJpmetUDxlwy5tZZR2qDeGK_YCgE.r6O1SVoCQmilpP6Ro2lY1mKsy3ODhbIittc3hkjVj ORpcCldZB05RleB17F1WyRr8ATS2d9pRVW3zR2c7b7Zw9VgjSTvyCSPGOKQsXMdsIAUprVc4WVBa m1voubulT9gk4GZRgl1RBEeZelJoJpBGwxROhnr9AOQrMN.ElwNA84FgOfeT4_tlc9Bo8IVbEXAx NbwcosCTZhN8JbitwYgqkB5JYZ.X1JNB39H1DH16QqSVlHTxSfC24APlomCzP_uAlVSQGJriDZjy _GQI9UfOVvBBp0RH3PRAG5spOqmfVCTP2Lhp.MUjFSoGfSXwT4o1n3w8UHpX6s7tm7R1DE0laeGX WN.kWjilscYA2fBSgnNTiskgOeSZYd2HjrnqE.Y3wWfLYiv08Jy4T9.tL3q1NzoAHDp3FNQi.9Qd kZD6EB3eQUG2iojWo3JW6rINYu5niKNCv54KOZ7RSfWCSGt8UaKd7s_s_1Cy6SEKfOQ0tptOi3Zz nICLSKvhsZhPKuLlc4tIYGXFpgts8BvVDOQuH_unCUaJzk1OcByyuYojQ9D8YYgIz11xMTCUYwV9 Bk13N8QpeRq9dV3zgvZxwCZuLIgI7_BBqTI1Rb3F0UwjxVG6G.lrtP5c..okAkZaiPE9fuuwQCoE K66pkoF2M1qN2OM4_nIoZLU3AD6DcWMABOWCKlIqa5KwD.9D4JztupAdQOLRbXjf7HiDcWb51Oa6 n996c1CJTrawjrJJyax3eNIKL6ZYYpV5s4XPfgqjGZYwdeu8kKFzYhyP0Hs1OH8yDVWy2c_1CkHX 1yutlpT8MfMx.CF43SPLQt9nwPaKncYL85eALNpy25f1ZnppnkND21c0Um4iHHfhC
Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.bf2.yahoo.com with HTTP; Thu, 8 Oct 2020 18:59:05 +0000
Date: Thu, 08 Oct 2020 18:57:04 +0000
To: "ipp@pwg.org" <ipp@pwg.org>
Message-ID: <214543360.520537.1602183424018@mail.yahoo.com>
MIME-Version: 1.0
References: <214543360.520537.1602183424018.ref@mail.yahoo.com>
X-Mailer: WebService/1.1.16795 YMailNorrin Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Subject: Re: [IPP] Possible updates to IPP INFRA
X-BeenThere: ipp@pwg.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: ISTO-PWG Internet Printing Protocol workgroup discussion forum <ipp.pwg.org>
List-Unsubscribe: <https://www.pwg.org/mailman/options/ipp>, <mailto:ipp-request@pwg.org?subject=unsubscribe>
List-Archive: <http://www.pwg.org/pipermail/ipp/>
List-Post: <mailto:ipp@pwg.org>
List-Help: <mailto:ipp-request@pwg.org?subject=help>
List-Subscribe: <https://www.pwg.org/mailman/listinfo/ipp>, <mailto:ipp-request@pwg.org?subject=subscribe>
From: Cihan Colakoglu via ipp <ipp@pwg.org>
Reply-To: Cihan Colakoglu <ccolamail-pwg@yahoo.com>
Content-Type: multipart/mixed; boundary="===============6237256801080950544=="
Errors-To: ipp-bounces@pwg.org
Sender: ipp <ipp-bounces@pwg.org>

Hello All,
After a long hiatus, I'd like to revive this topic.
Following the e-mail thread in May of this year, we've had some out-of-band discussions in June with some of the IPP workgroup members. The purpose of today's update is to summarize these discussions and post the main points to the IPP mailing list so that we can work towards creating an IPP Registration document that extends the IPP System Service Register-Output-Device operation to support the Proxy's X.509 certificate. Proposed attributes are defined Mike's previous e-mail in May 18 2020 (also copied below in this thread).
At a high level, we would like to define the use of X.509 certificates to establish cryptographic pairing during Registration of the Output Device to the Cloud through the Proxy. This is for *authenticating* and *authorizing* a Proxy/Output Device using an X.509 certificate.  

For the purposes of the INFRA Spec (finalized in 2015), the Registration (and how the credentials are managed) were out-of-scope. INFRA Spec. just dealt with a pre-existing relationship between the Proxy and Infrastructure Printer.
The Registration piece was defined in detail (also in 2015) in Cloud Imaging Requirements and Model (IMAGINGMODEL). This is the semantic model which does not define the specific operation and attributes.
Later in 2019, IPP System Service v1.0 (SYSTEM) Spec defined the Register-Output-Device operation and its attributes. Now we would like to extend these attributes by adding the use of X.509 certificates.
After more discussion, Mike also suggested adding a "system-mandatory-registration-attributes (1setOf keyword)" System Description attribute (as a semantically analogous version of "system-mandatory-printer-attributes") so that the System can tell a Proxy what information it expects/needs to register an Output Device. This suggestion was seconded by Ira as an important improvement (by the analogy to the one for Printers, necessary for Create-Printer to behave well). So, we will go ahead with this suggestion as well.
In case the X.509 certificate needs to be changed (for expiration or any other reason), I asked how we should update (refresh) the certificate used for registration, and we agreed to define this in the semantics - registering overwrites any previous pairing of UUID with X.509 certificate.
One specification note from Ira - we will NOT change registered operation names - that would be deemed a major breakage in compatibility and we have never done it before.
Finally, the Update-Output-Device-Attributes operation defined in INFRA Spec will not be used to "Update" the registration and the X.509 certificate.  The reason is granting access to a particular System resource is an administrative function, and so should *not* be something that a Proxy operation can do.  Thus, the right place to establish access controls/authorization is in the System operation, *not* the Proxy operation.
Next step is now to work on the IPP Registration document.
Regards,Cihan Colakoglu

On May 18, 2020, at 13:24:34 UTC, Michael Sweet via ipp <ipp at pwg.org> wrote:
Cihan,

Right now I think the path of least resistance is to develop an IPP Registration document that extends the IPP System Service Register-Output-Device operation to support the Proxy's X.509 certificate.  Proposed attributes are:

- "output-device-x509-certificate (1setOf text(MAX))" operation attribute, to be included in the request.
- "output-device-x509-certificate-supported (boolean)" System Description attribute, to tell the Client that the extension is supported.
- "output-device-col-supported (1setOf collection)" Printer Description attribute, to tell the Client which output devices are registered with a given Infrastructure Printer.  Member attributes would be "device-name (name(127))", "device-uuid (uri)", and "device-x509-certificate (1setOf text(MAX))".

The model section (4) of the registration can talk about all of the other concerns you've raised and provide pointers to IPP INFRA, IPP SYSTEM, IPP TRUSTNOONE, and CLOUDMODEL.  We should also talk about OAuth and the use of different authentication methods depending on the configuration and usage, e.g., personal printer connected to a Cloud Imaging System vs. enterprise printer where the Client/End User is a customer or employee.

Longer term we can add this content to an IPP System Service errata update, with a corresponding IPP Shared Infrastructure Extensions errata update that has pointers to IPP SYSTEM.


> On May 15, 2020, at 8:49 AM, Cihan Colakoglu via ipp <ipp at pwg.org> wrote:
> 
> Hello All,
>  
> I was reading the IPP INFRA Spec. (PWG 5100.18-2015:) and found some confusing areas (at least to me).
> Also had some questions about using X.509 certificates for registering the output device through the Proxy to the Cloud.
> I was wondering if an update to IPP INFRA would be warranted, or if we can do an Errata, or maybe even a Best Practice.
>  
> Regarding the issues with Registering an Output Device:
> ·         The INFRA Spec defines “Deregister-Output-Device” operation, but it does not define “Register-Output-Device”.
> ·         Instead, the INFRA Spec says “Update-Output-Device-Attributes” is the inverse of “Deregister-Output-Device”.
> ·         However, IPP System Service (PWG 5100.22-2019:) defines the “Register-Output-Device” and refers to INFRA.
> ·         INFRA does not refer to SYSTEM since INFRA was finalized in 2015, and SYSTEM was finalized in late 2019.
> ·         I understand now INFRA assumed registration was done out-of-band, and it just dealt with an existing association.
> ·         If we update INFRA, we may want to clarify the Registration/Provisioning piece was defined in the SYSTEM Spec.
>  
> Regarding using X.509 Certificates to establish cryptographic pairing during Registration of the Output Device:
> ·         The “Register-Output-Device” operation in SYTEM Spec. does not appear to have an attribute to use a certificate.
> ·         If we want to allow the use of X.509 Certificates for registration, I suppose we could define a new operation attribute.
> ·         There is also the question if a Self-Signed certificate can be used, or if we need a CA-Signed one (Private or Public).
> ·         If we define this, we may want to separate the “Client-to-INFRA-Printer” piece from “Proxy-to-INRA-Printer” piece.
> ·         Then, how would we define what an Admin can do from the Cloud Dashboard/Portal once the Registration is done?
> ·         Should the Registration be done ONLY from the Proxy to the Cloud, and not through the Cloud Portal for security?
>  
> Regarding possible Cloud to Cloud communication use-cases
> ·         In some instances, jobs may need to travel through multiple Clouds to get to the final Output Device.
> ·         I don’t believe IPP INFRA addresses this specifically, however could the Classic fan-out with IPP used for this?
> ·         If we do an update to INFRA, we may want to clarify how this type of communication could be handled with IPP.
>  
> Regarding the IPP Specifications relevant to a Cloud Model:
> ·         I think not everyone can navigate easily through all available (Historic and Current) IPP Specifications.
> ·         So, we may want to list the relevant specifications within the scope of a Cloud Printing model:
> o   IPP INFRA (PWG 5100.18-2015:)
> o   IPP System Service (PWG 5100.22-2019:)
> o   IPP Encrypted Jobs and Documents (Working Draft)
> o   Cloud Imaging Requirements and Model (Link)
> o   Any other?
>  
> I wanted to start a discussion whether it is warranted to update IPP INFRA all together, do an Errata, or a Best Practice.
> 
> Best Regards,
> Cihan Colakoglu

_______________________________________________
ipp mailing list
ipp@pwg.org
https://www.pwg.org/mailman/listinfo/ipp

v2.23.0 | Report a Bug | By Email