IETF Logo Mail Archive

Re: [IPP] Requiring authentication for all IPP operations with "cloud" Infrastructure printer

Michael Sweet via ipp <ipp@pwg.org> Sat, 13 November 2021 02:22 UTC

Return-Path: <ipp-bounces@pwg.org>
X-Original-To: ietfarch-ipp-archive@ietfa.amsl.com
Delivered-To: ietfarch-ipp-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD2F73A0F16 for <ietfarch-ipp-archive@ietfa.amsl.com>; Fri, 12 Nov 2021 18:22:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level:
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, MIME_HTML_MOSTLY=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pwg.org header.b=JYpeuPJc; dkim=pass (1024-bit key) header.d=pwg.org header.b=madSrfmu; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=msweet.org header.b=p0CNR9nu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TIwaZAgEXogv for <ietfarch-ipp-archive@ietfa.amsl.com>; Fri, 12 Nov 2021 18:22:38 -0800 (PST)
Received: from mail.pwg.org (mail.pwg.org [50.116.7.199]) by ietfa.amsl.com (Postfix) with ESMTP id 49AB63A0F0F for <ipp-archive2@ietf.org>; Fri, 12 Nov 2021 18:22:38 -0800 (PST)
Received: by mail.pwg.org (Postfix, from userid 1002) id 35DFD3A5C; Sat, 13 Nov 2021 02:22:35 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.pwg.org 35DFD3A5C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=pwg.org; s=default; t=1636770156; bh=+9TIdR2Ed2xpoGWTUwr68SaOCLmP5IAZ+FSOhKM/EnA=; h=Date:To:In-Reply-To:References:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=JYpeuPJcSnjIQ8WW03qErPwK7UPLjJST6qL0BBjFcnKkN3NgP+vngTThAB/fMLE1i MCcJuzRgLcWU0sFZq4XM6l1Abmav1AEhP5lQGKPkTdiqNwvEVTAXkVvkNGAp3cIAUf EeaWv4A3VMP/lUMQQaGCpUh80Q/EN5gcMyY3L79M=
Received: from mail.pwg.org (localhost [IPv6:::1]) by mail.pwg.org (Postfix) with ESMTP id 2C4EFA74; Sat, 13 Nov 2021 02:22:31 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.pwg.org 2C4EFA74
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=pwg.org; s=default; t=1636770151; bh=+9TIdR2Ed2xpoGWTUwr68SaOCLmP5IAZ+FSOhKM/EnA=; h=Date:To:In-Reply-To:References:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=madSrfmu9qoO6y8PHMUWUimiXea0s9f9sruBe4Q0qi7AnYryhdXPk7U+3AnwDbJRw tHAjP5fN8qA8NhjcSwfIXqF6ztj31WV8llFwvVoYKHip+UMcPxP47Vl4xIQV/9H92i a70aS0iHlMhsZ9wMV4NOYKjOg0e3ndvwanRCUB+M=
X-Original-To: ipp@pwg.org
Delivered-To: ipp@pwg.org
Received: by mail.pwg.org (Postfix, from userid 1002) id 0470A2456; Sat, 13 Nov 2021 02:22:30 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.pwg.org 0470A2456
Authentication-Results: mail.pwg.org; dkim=pass (1024-bit key) header.d=msweet.org header.i=@msweet.org header.b="p0CNR9nu"
Received: from mail.msweet.org (mail.msweet.org [173.255.209.91]) by mail.pwg.org (Postfix) with ESMTP id 16BD023DF for <ipp@pwg.org>; Sat, 13 Nov 2021 02:22:28 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.pwg.org 16BD023DF
Received: from [10.0.1.185] (cbl-66-186-76-47.vianet.ca [66.186.76.47]) by mail.msweet.org (Postfix) with ESMTPSA id CAD1480B4A; Sat, 13 Nov 2021 02:22:27 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.msweet.org CAD1480B4A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=msweet.org; s=default; t=1636770148; bh=iBd9YmIe7Eanh/GiwResmGD0wDWCA/LSyaisvVVPCbI=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=p0CNR9nu0IoaOUlXdIhPZqg7fN0O6dZPRk1SQQ4cdGXjXtrhw8TmztSKMOOTdKuGs 2zPrF/4aKKXaYjJbJekpFTg2bTweIZg4MpdkuJEUjtOxHEMKR4PEdg8ma6pcZSAE33 kgT7GrbDxXXIlnNgiBPjYJm6xza3PyAw73lhVFew=
Date: Fri, 12 Nov 2021 21:22:19 -0500
To: "\"=?utf-8?Q?Kennedy=2C_Smith_(Wireless_&_IPP_Standards)?=\"" <smith.kennedy@hp.com>
Message-ID: <1167d3ea-4a6e-4ad0-89b9-849259157b46@Spark>
In-Reply-To: <4CDE601A-F0AF-4929-9B8A-B1308559D0D4@hp.com>
References: <0446E67E-3B0F-442B-B51E-ED7966C71E82@hp.com> <C1D8E8B0-614C-41AE-AAA3-23AECA70927E@msweet.org> <9DDE6032-F733-4540-99C7-D2F5A13766EA@hp.com> <0AFEFF7B-526F-4DE5-9F5C-2C91ABD717BA@msweet.org> <BD403A4C-D49F-4203-AC89-D458D598B9FA@hp.com> <CAN40gSs4OB441bZVYmx4T-VkCRqOiZScnGYHXZB3xkE1vzZMKA@mail.gmail.com> <77D30945-1B08-4954-BA1F-D66CB9A32B2C@hp.com> <12D1CCDB-B619-49B4-8209-4FABDA20887C@msweet.org> <4CDE601A-F0AF-4929-9B8A-B1308559D0D4@hp.com>
X-Readdle-Message-ID: 1167d3ea-4a6e-4ad0-89b9-849259157b46@Spark
MIME-Version: 1.0
Cc: PWG IPP WG Reflector <ipp@pwg.org>
Subject: Re: [IPP] Requiring authentication for all IPP operations with "cloud" Infrastructure printer
X-BeenThere: ipp@pwg.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: ISTO-PWG Internet Printing Protocol workgroup discussion forum <ipp.pwg.org>
List-Unsubscribe: <https://www.pwg.org/mailman/options/ipp>, <mailto:ipp-request@pwg.org?subject=unsubscribe>
List-Archive: <http://www.pwg.org/pipermail/ipp/>
List-Post: <mailto:ipp@pwg.org>
List-Help: <mailto:ipp-request@pwg.org?subject=help>
List-Subscribe: <https://www.pwg.org/mailman/listinfo/ipp>, <mailto:ipp-request@pwg.org?subject=subscribe>
From: Michael Sweet via ipp <ipp@pwg.org>
Reply-To: Michael Sweet <msweet@msweet.org>
Content-Type: multipart/mixed; boundary="===============4969997196449472629=="
Errors-To: ipp-bounces@pwg.org
Sender: "ipp" <ipp-bounces@pwg.org>

Smith,
On Nov 12, 2021, 4:01 PM -0500, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy@hp.com>om>, wrote:
	Hi Mike,

	On Nov 12, 2021, at 11:34 AM, Michael Sweet <msweet@msweet.org> wrote:

Smith,

	On Nov 12, 2021, at 12:49 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy@hp.com> wrote:

Hi Ira,

As you suggested, I've added the IPP Workgroup reflector to the list of recipients to bring this sidebar discussion into the forum without having to start from scratch.

	I do agree that it's not desirable that IPP Infrastructure Printers should
accept anything except Get-Printers w/out TLS security.

If an Infrastructure Printer object is supposed to be available on the Internet but for "private use only", how does that work given the legacy Get-Printer-Attributes use precedent?

OK, some (hopefully obvious) observations:

0. We need to separate the notion of legal access and protocol access to a service.
1. A service that accepts connections over the Internet is, by definition, publicly accessible at the protocol level.
2. Get-Printer-Attributes (and Get-System-Attributes) allow a Client to determine the *legal* access permissions.

So protocol access == YES and legal access == YES for Get-Printer-Attributes and Get-System-Attributes.

	3. All other operations enforce the legal access permissions.

So protocol access == YES but legal access == MAYBE (may require authentication).

If Get-Printer-Attributes and Get-System-Attributes are always legally accessible, then it seems to me that all of the Printer's Printer Description attributes and/or System's System Description attributes have to be "safe" i.e. free of PII and not confidential. And we need to clearly assert that somewhere so that we can point to that assertion.

No, we need to document that attributes can/might contain PII and it is up to the administrator to restrict network access and/or configure the attributes to remove any PII. We don’t make assertions like this in PWG specs, we merely identify potential issues.

Honestly, the Internet-accessible address and URI of a service is PII enough to uniquely identify a particular printer/service. The administrator has control over the contact info which will typically be blank/empty by default…

			What should the response be from the "System Service" or other process actually hosting the IPP Printer object? HTTP 404? Or an IPP layer equivalent? I'm not sure we ever considered this use case in 5100.18.

HTTP 200 OK with the full set of attributes and values.

	At the very least, we need to have a statement / paper prepared that provides guidance to Infrastructure Printer implementors to the critique that a Get-Printer-Attributes does not constitute either a security or a privacy risk. If each cloud / Infrastructure Printer hosting provider does something different, that makes it very difficult for client implementations to support in any consistent way.

It makes sense to add a discussion of Get-Printer-Attributes to the IPP/2.x update and log an issue against PWG 5100.22 for Get-System-Attributes.  We might also include references to this in 5100.18.

I think from the point of view of a vendor or service provider that owns or manages a publicly accessible IPP Printer object, I would want a clear and confidently stated statement that this is by design and doesn't represent an attack surface so long as the set of Printer Description / Printer Status attributes are "safe", so that if we get scrutinized by someone claiming a security concern, we can reference the PWG clauses and say "works as expected”.

The attributes are (per STD92) there to describe the state, capabilities, and configuration of the printer/system object so that a Client is able to use it. I see no reason to make *any* further statements concerning their necessity or that they are “as designed”.

So while it *is* appropriate to note potential security/privacy considerations, it isn’t appropriate for us to make any legal claims or restrict usage over the Internet. After all, the I in IPP is Internet, right? :)


_______________________________________________
ipp mailing list
ipp@pwg.org
https://www.pwg.org/mailman/listinfo/ipp

v2.8.7 | Report a Bug | By Email