Re: [IPP] Requiring authentication for all IPP operations with "cloud" Infrastructure printer
"Kennedy, Smith (Wireless & IPP Standards) via ipp" <ipp@pwg.org> Fri, 12 November 2021 17:49 UTC
Return-Path: <ipp-bounces@pwg.org>
X-Original-To: ietfarch-ipp-archive@ietfa.amsl.com
Delivered-To: ietfarch-ipp-archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 0AD823A0F4D
for <ietfarch-ipp-archive@ietfa.amsl.com>; Fri, 12 Nov 2021 09:49:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.098
X-Spam-Level:
X-Spam-Status: No, score=-3.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=pwg.org header.b=gJJXeOOX; dkim=pass (1024-bit key)
header.d=pwg.org header.b=JSp53fns; dkim=fail (1024-bit key)
reason="fail (message has been altered)" header.d=hp.com
header.b=BglnywAG
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id LU7lkYR-tAwS for <ietfarch-ipp-archive@ietfa.amsl.com>;
Fri, 12 Nov 2021 09:49:25 -0800 (PST)
Received: from mail.pwg.org (mail.pwg.org [50.116.7.199])
by ietfa.amsl.com (Postfix) with ESMTP id BF75B3A0F74
for <ipp-archive2@ietf.org>; Fri, 12 Nov 2021 09:49:20 -0800 (PST)
Received: by mail.pwg.org (Postfix, from userid 1002)
id 7FDE7F07F; Fri, 12 Nov 2021 17:49:19 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.pwg.org 7FDE7F07F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=pwg.org; s=default;
t=1636739360; bh=rEw/XSVWj9L+9SyV9zwMVMu0L36ogG3zB4Wz3HhEGLU=;
h=To:Date:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:
List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
From;
b=gJJXeOOXPIGqwR/PZ9ZTyalx7PwQCwwEy90+raUHNYC2eY0ZehbL+n+zeOQad7kHT
62FZu40/ITKePTLW/wqjvKYwCihFQTEsIZ0GVVizjPwx8UuGPB8D5BfkV75AvPMyBC
Ow1eYEyHRAQnGVsFCIva+wY5+GJ7DgvVSxCk6x24=
Received: from mail.pwg.org (localhost [IPv6:::1])
by mail.pwg.org (Postfix) with ESMTP id DC27FF06D;
Fri, 12 Nov 2021 17:49:14 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.pwg.org DC27FF06D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=pwg.org; s=default;
t=1636739354; bh=rEw/XSVWj9L+9SyV9zwMVMu0L36ogG3zB4Wz3HhEGLU=;
h=To:Date:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:
List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
From;
b=JSp53fnsHQJWLqY39OugRF5XUFOx4XqsulnjOLXtNgKsqQD4H/b9MJtA9xfQenfv1
EfLj+Du5Xuxwn2o0bGg+g6OuyDdG5stMjuDtbzHHbvrYXGlxfPAzl/wxLhFzGytRxC
QfLiu/bLGvBw8GScM/FvWBu87qFjPUM0UQRBSjgs=
X-Original-To: ipp@pwg.org
Delivered-To: ipp@pwg.org
Received: by mail.pwg.org (Postfix, from userid 1002)
id 72BAFF06D; Fri, 12 Nov 2021 17:49:13 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.pwg.org 72BAFF06D
Authentication-Results: mail.pwg.org;
dkim=pass (1024-bit key) header.d=hp.com header.i=@hp.com header.b="BglnywAG"
Received: from us-smtp-delivery-162.mimecast.com
(us-smtp-delivery-162.mimecast.com [170.10.129.162])
by mail.pwg.org (Postfix) with ESMTPS id 6BFAD5EE6
for <ipp@pwg.org>; Fri, 12 Nov 2021 17:49:10 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.pwg.org 6BFAD5EE6
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hp.com;
s=mimecast20180716; t=1636739349;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:mime-version:mime-version:content-type:content-type:
in-reply-to:in-reply-to:references:references;
bh=01AkQJMKrEcZsDUssmwyURA0nCAMQLkIFz8rc73H23g=;
b=BglnywAGgSUpmpi643myObS4iEg05XHE8fw2P2oY1awmuPxKpXtBhminh2gWj0Kbx++/RT
ojZCg56vxfwLN7DlgiBbIqwzrT6A/NZiDI4yT5zhrpHOVy4V9Xwm1qBqsik8dydJQZxySr
uIZfTILN+xPicvSyiNSiXjSmkCGh3Fk=
Received: from NAM11-BN8-obe.outbound.protection.outlook.com
(mail-bn8nam11lp2170.outbound.protection.outlook.com [104.47.58.170])
(Using TLS) by relay.mimecast.com with ESMTP id
us-mta-153-x_evbhBwP1SFTbFvzpuzJw-1; Fri, 12 Nov 2021 12:49:06 -0500
X-MC-Unique: x_evbhBwP1SFTbFvzpuzJw-1
Received: from CS1PR8401MB0518.NAMPRD84.PROD.OUTLOOK.COM
(2a01:111:e400:7512::12) by CS1PR8401MB0838.NAMPRD84.PROD.OUTLOOK.COM
(2a01:111:e400:7510::21) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.15; Fri, 12 Nov
2021 17:49:04 +0000
Received: from CS1PR8401MB0518.NAMPRD84.PROD.OUTLOOK.COM
([fe80::b5af:6e57:18ee:3516]) by CS1PR8401MB0518.NAMPRD84.PROD.OUTLOOK.COM
([fe80::b5af:6e57:18ee:3516%7]) with mapi id 15.20.4690.016; Fri, 12 Nov 2021
17:49:04 +0000
To: Ira McDonald <blueroofmusic@gmail.com>, Michael Sweet <msweet@msweet.org>,
PWG IPP WG Reflector <ipp@pwg.org>
Thread-Topic: Requiring authentication for all IPP operations with "cloud"
Infrastructure printer
Thread-Index: AQHX1n3n2i29jCMPY0ORyH8b+lr3B6v9W3cAgAAJ82WAAB9rAIAAMbcAgAFrgICAAQwbAA==
Date: Fri, 12 Nov 2021 17:49:04 +0000
Message-ID: <77D30945-1B08-4954-BA1F-D66CB9A32B2C@hp.com>
References: <0446E67E-3B0F-442B-B51E-ED7966C71E82@hp.com>
<C1D8E8B0-614C-41AE-AAA3-23AECA70927E@msweet.org>
<9DDE6032-F733-4540-99C7-D2F5A13766EA@hp.com>
<0AFEFF7B-526F-4DE5-9F5C-2C91ABD717BA@msweet.org>
<BD403A4C-D49F-4203-AC89-D458D598B9FA@hp.com>
<CAN40gSs4OB441bZVYmx4T-VkCRqOiZScnGYHXZB3xkE1vzZMKA@mail.gmail.com>
In-Reply-To: <CAN40gSs4OB441bZVYmx4T-VkCRqOiZScnGYHXZB3xkE1vzZMKA@mail.gmail.com>
Accept-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3693.20.0.1.32)
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 655dc6ae-285e-48a9-48ad-08d9a604b7ea
x-ms-traffictypediagnostic: CS1PR8401MB0838:
x-microsoft-antispam-prvs: <CS1PR8401MB08385553B066FCAFDF7D6A639E959@CS1PR8401MB0838.NAMPRD84.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:1186
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: /fSONJuLXY0ge/+L18ql/O6tb5jYwP4wXN/u4AVjAAFlKRtUjDR3eHGsAzoIbadFPwMC8T/jFBHpeLFqUuoRW/BeYB8HPah7j65hB8hCkRtcEi5aGTs8Uy6px+SoNUKAp7UpuZSu1IS5O1fDwmMZ51dhLSTMuenSPEuafHzRF/PWo/xDkg11pbUW7p5dNe4AQvQB99eqZdCI3hNV7oBVpzIMs61VZsC/7uKFnDfIfXR+FAQ/14bLd4J58qMKIhCmKy8rBVmkVB/CTjZz203uKx/ovyKYlwKwEOABQYeck6K+PmFlIdC1DFBwuPzS8YKoOki/jbTxUXTW9RH0lB6pqOE4J+hCM6C77rGEwc6JwwY7DEUn6/lo4l6jYfmqa6M3OamR92xddBVdGusV2HBtQ8dmOQ2YJHvBdVi5vHXUMh/XJWoRsN9ppYP+7VL6INBGXo9scRu+nswLXgwlwIB+UXMDHscXefaYLoSk3/we4EF2xwKWC7SZDmZwqdp6eF3Sx7/xUlp7uCxnzfqVD7pizun77veN/clnMCbBfbKvM2xYLPqHIMv7AYdd1LWHU9mTAq1SQ37nU68tas3X4yIVr230TdiTLxD8nBPr2IW+oXiCXDfvQodkpZFHgZI2l6zLuABZCQCVDd9+tZ5U3suAk3Seet2SYeCIQQ6kwf+s9uNvei6ersUZufm7p6yJDDbbYGW+2JbZxOSEXPN/ktsM40tGDLz1htIkCRwg0HJ+Q7EFdHabBJ1Tuf2KakI/H/o+CdPO6QeIw2AFuK02iAYAOLNctqq9dBAJNJu82MSoA4Jf2LnXTUu74evOLn//XUVb+8lYrgszM7/uCSMnK1RsQtNum5sUhfuPSTVJOtbggOa22//en7y06AbSlivUvHdV
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
IPV:NLI; SFV:NSPM; H:CS1PR8401MB0518.NAMPRD84.PROD.OUTLOOK.COM; PTR:; CAT:NONE;
SFS:(366004)(8936002)(122000001)(66946007)(66476007)(38070700005)(66574015)(6512007)(38100700002)(33656002)(966005)(36756003)(66556008)(66446008)(64756008)(82960400001)(99936003)(8676002)(110136005)(26005)(316002)(91956017)(2906002)(6486002)(2616005)(186003)(86362001)(76116006)(40140700001)(508600001)(53546011)(19273905006)(6506007)(166002)(83380400001)(71200400001)(5660300002)(45980500001)(563064011);
DIR:OUT; SFP:1102
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?TGhyTHNidzZmVysvK08rdHpmaDhzbHZ1ejlWcHNRdWpQRS9mV21rTlZlM1Rw?=
=?utf-8?B?c3ZBWk9vWjFCazNaM1ZGRWVYNnIrNWFyV0RvdnM1VFpJbHB6dS9JY2xqOWNB?=
=?utf-8?B?VE9VNjkxelBYRnNKeGJqMFZ5cndqZ2tzWGROZ1VhSElZTFZ4N2tkTjNSMWt6?=
=?utf-8?B?amllbVJ5dnloSHFFMU5FWnJ4TXB0VHlvNHg3OWNKWTdkbFI0aWw4L2pUMkVO?=
=?utf-8?B?dk4vazNsa21xWXZseTl2KzlncFl4eTFLWDVmeDNFNFVDRzNtTnZqSWhBT3hH?=
=?utf-8?B?RW9LWXpCbHlCSTZGNnZoMVZDeTRsMXl5RkZHUUc2MUkwYVlhbmFVS2JzczRY?=
=?utf-8?B?MEF2dUdzYXM0cElGa3NBdlh5c25CbjVYdzRVdUxwVjJvWlMrT2hzSm1sclNJ?=
=?utf-8?B?Wkx2UndPRWJvdU9xZXRpa0tGNXQxWFdicDgwRVk0cGtSVm5BVFlveFZzajR3?=
=?utf-8?B?ZThSU3ByMXFrMWdzeGtKS04wZzlFaFlFb1haY3BNTTY1bGNuT0JJeFZmS25M?=
=?utf-8?B?NFRORHBsdllwdUFMYzd3N0w3YjBsaERDTUxqQk8yWjY5MVI4RG83K3c2bDNC?=
=?utf-8?B?Z0FQaTV2TnIrQk4rR0tTd0VTWmpnRDNhSTlqelRNRzArb0FsRjl3K3ZwV1o0?=
=?utf-8?B?NzIrRHU3a3BkZ3B3UEZEUmdXUTQ5Qzh1ZGRuOG9zcmZ2dzVKckgrTHhJdUEx?=
=?utf-8?B?OHBOY1VPdzJVYUhKVVlLRUhPd0pmbDd4S05acERpb1ptcUNyVnNuVEVoRkor?=
=?utf-8?B?NHNlYjFER1c3WVVjQk95MU1VVmlWVHdmNGFsQUMzbUhOTkpHbTBTQnRFMUF0?=
=?utf-8?B?amFnWTlrRXhBcnF0cUFvK1ZSRXZlSm8zVzdsSVZqOG1pM3A0S1VRN0xCTmtW?=
=?utf-8?B?OTlsdVU2c3BWM1FlMUpKODdwM0hMenVkMmNNY212NXBoVm8zMk1CdVBqT0tj?=
=?utf-8?B?QUtrZUxrYVZoS09xNFlFTWxmbldtSkZLSmpwTU5veUg3QlZxQVhSZ3dDT1My?=
=?utf-8?B?VWlKSzBmeTlYcmlqeEFWZTNOSFdnR01EWDgxODREaUZQcWZSVEo3Ym81NzdF?=
=?utf-8?B?bldyaTZYYUw5cGU5UUtSamhuOFluK3JYa2dwblVGMVpSRXlTWnBpSVV5c2Qv?=
=?utf-8?B?TjI4TFhJTkZDek90TXdxcVZvUnVxTDZmZzlzd0Y3VXBSRGxieWYyYjlSSHVu?=
=?utf-8?B?TDV1TXdtRW1KNmFMcldVQjl0OHhRazJVZ3pUVVZCYVkwZ3ZkUk02V0E2QUNU?=
=?utf-8?B?TnVFK01jaGs5TnZQZUxiTGp1VEprcncwN21HZjRrM2hPZ3A4ZzhFWlp0K0Rp?=
=?utf-8?B?ZXZqd0dqVHVXdldzVlZIMTd2clhlUXQ3eWo5MGUwN2k1YmpRbW84RzYxOE5K?=
=?utf-8?B?Yy9VZXRiaUpiaVc5WVp5WHl5K2RoMzNCZDFYK0JRK0kxZzA1UTEyVDk0NFVK?=
=?utf-8?B?UlF2OCtiVytQb2dRcHRKQ1ZMcE5RaEtsSzNTeCtDTkVybGpTb1U4Y3cwZTFi?=
=?utf-8?B?VmUvZzlHRkRKY1hjN3NFL3RoaHArRDN4VHJKWC9oSG1VMGY0S0NpOVhhMnRN?=
=?utf-8?B?OTk0ZTROak0vSU52QXhRRncyZHRIZkFEMnh5Uk50ZlhrSXhGOWFSTzY0VFJx?=
=?utf-8?B?N3RFOEtCWG1PSTNVSVAzdTA1bFltb3JmS0JSNGQvRWFlUVRKbHJQY015akFG?=
=?utf-8?B?WWxhOFVQbUEwa01IazdaeE84Q2tFR1UrWUlqb3dTdzRlK1FSQ010cXg2bUVM?=
=?utf-8?B?V3VCTmZmUktVaWtjYXZSQUc0ZVNXdnFBWU9Ed0lYd1BXaEJGYlJhSFpVckZw?=
=?utf-8?B?NDc5cmRTZUlTRUpPVnZ4aWUzYVdhT0FvWHM5cExnc1NUYXNsRDcvRWt0V2RI?=
=?utf-8?B?TUo0MkVpeEMyWTMvczNTZzUvZkpNcFl0Q3NHQndlVXdxQ1ptbGF2WTR0YjBF?=
=?utf-8?B?dU56QmRSUG5hZGZmMllhL295UGJ1cG5yWDUyVWFnaDN4aXdob3U4eFVNbHFi?=
=?utf-8?B?cFZWQ2l3dW5Rb1Y1a2NzdVVUZTJFcUtQWWVUQWdjTmZKQysvTWMyRDNHU2Iz?=
=?utf-8?B?NGQrbjd5UzhBTDBBTnVSQlAxU0pVd3R4VTZJZWhEamNST1NCRFJhZDBaUTFt?=
=?utf-8?B?enJDcTZwWW9IejRIQTJPNFZCQ09HNjA1TkswUUFvdzJuOHB4V3VKY0YvSkFI?=
=?utf-8?Q?fikpwaVbU/iyJTsXbH4rRVE=3D?=
MIME-Version: 1.0
X-OriginatorOrg: hp.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CS1PR8401MB0518.NAMPRD84.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 655dc6ae-285e-48a9-48ad-08d9a604b7ea
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Nov 2021 17:49:04.3911 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ca7981a2-785a-463d-b82a-3db87dfc3ce6
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: cCS+Mjh4knAUv89NIawIgkJx0BC7eiwHRG7uRaUp4ZgoanGw9MyzGLBa5pJod0+8pdUDodkwPe78ezokTrh8aQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CS1PR8401MB0838
Authentication-Results: relay.mimecast.com;
auth=pass smtp.auth=CUSA62A171 smtp.mailfrom=smith.kennedy@hp.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: hp.com
Content-Language: en-US
Subject: Re: [IPP] Requiring authentication for all IPP operations with
"cloud" Infrastructure printer
X-BeenThere: ipp@pwg.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: ISTO-PWG Internet Printing Protocol workgroup discussion forum
<ipp.pwg.org>
List-Unsubscribe: <https://www.pwg.org/mailman/options/ipp>,
<mailto:ipp-request@pwg.org?subject=unsubscribe>
List-Archive: <http://www.pwg.org/pipermail/ipp/>
List-Post: <mailto:ipp@pwg.org>
List-Help: <mailto:ipp-request@pwg.org?subject=help>
List-Subscribe: <https://www.pwg.org/mailman/listinfo/ipp>,
<mailto:ipp-request@pwg.org?subject=subscribe>
From: "Kennedy, Smith \(Wireless & IPP Standards\) via ipp" <ipp@pwg.org>
Reply-To: "Kennedy, Smith \(Wireless & IPP Standards\)" <smith.kennedy@hp.com>
Content-Type: multipart/mixed; boundary="===============1430169377236462651=="
Errors-To: ipp-bounces@pwg.org
Sender: "ipp" <ipp-bounces@pwg.org>
Hi Ira,
As you suggested, I've added the IPP Workgroup reflector to the list of recipients to bring this sidebar discussion into the forum without having to start from scratch.
> I do agree that it's not desirable that IPP Infrastructure Printers should
> accept anything except Get-Printers w/out TLS security.
If an Infrastructure Printer object is supposed to be available on the Internet but for "private use only", how does that work given the legacy Get-Printer-Attributes use precedent? What should the response be from the "System Service" or other process actually hosting the IPP Printer object? HTTP 404? Or an IPP layer equivalent? I'm not sure we ever considered this use case in 5100.18.
At the very least, we need to have a statement / paper prepared that provides guidance to Infrastructure Printer implementors to the critique that a Get-Printer-Attributes does not constitute either a security or a privacy risk. If each cloud / Infrastructure Printer hosting provider does something different, that makes it very difficult for client implementations to support in any consistent way.
Thoughts?
Smith
/**
Smith Kennedy
HP Inc.
*/
> On Nov 11, 2021, at 6:49 PM, Ira McDonald <blueroofmusic@gmail.com> wrote:
>
> Hi,
>
> +1 to future discussion in IPP Implementors Guide.
>
> +1 to near-term discussion in Enterprise Printing Extensions.
>
> +1 to also saying something in IPP 2.x 4th Edition.
>
> I suggest we should take this topic to the IPP WG mailing list.
>
> I do agree that it's not desirable that IPP Infrastructure Printers should
> accept anything except Get-Printers w/out TLS security.
>
> Cheers,
> - Ira
>
> Ira McDonald (Musician / Software Architect)
> Chair - SAE Trust Anchors and Authentication TF
> Co-Chair - TCG Trusted Mobility Solutions WG
> Co-Chair - TCG Metadata Access Protocol SG
> Chair - Linux Foundation Open Printing WG
> Secretary - IEEE-ISTO Printer Working Group
> Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
> IETF Designated Expert - IPP & Printer MIB
> Blue Roof Music / High North Inc
> http://sites.google.com/site/blueroofmusic <http://sites.google.com/site/blueroofmusic>
> http://sites.google.com/site/highnorthinc <http://sites.google.com/site/highnorthinc>
> mailto: blueroofmusic@gmail.com <mailto:blueroofmusic@gmail.com>
> (permanent) PO Box 221 Grand Marais, MI 49839 906-494-2434
>
>
> On Wed, Nov 10, 2021 at 11:08 PM Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy@hp.com <mailto:smith.kennedy@hp.com>> wrote:
>
>
> > On Nov 10, 2021, at 6:10 PM, Michael Sweet <msweet@msweet.org <mailto:msweet@msweet.org>> wrote:
> >
> > Smith,
> >
> > It isn't so much explicitly disallowing it, it is just that Get-Printer-Attributes is the only operation in STD92 that doesn't talk about access rights and historically no implementation has ever required authentication for it. As a result, no client supports authentication when querying printer status/capabilities with Get-Printer-Attributes...
>
> Wow, I am surprised that I didn't have this committed to memory. š That makes it pretty awkward to cite from a normative / testing point of view. I really think somewhere needs to overtly state this. Maybe IPP/2.0 Fourth Edition? I also think this should be discussed more clearly in the IPP IG and maybe in Enterprise Printing Extensions which now hosts the definition of Get-User-Printer-Attributes.
>
> >
> >
> >> On Nov 10, 2021, at 6:17 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy@hp.com <mailto:smith.kennedy@hp.com>> wrote:
> >>
> >> I was being asked which specific clause in a PWG or IETF IPP spec actually made that assertion. I was unable to locate it. š Can you point out the clause in one of our specs that specifically disallows authentication with Get-Printer-Attributes?
> >>
> >> For an infrastructure printer, it really doesnāt seem unreasonable for the Printer to require authentication for all IPP operations, including Get-Printer-Attributes. I suppose that could cause problems with legacy clients. But that seems to leave the door open to abuse or at least misunderstanding by āsecurity researchersā.
>
> Any comments or thoughts on this? I wonder if we ought to have 5100.18 v1.1 say that the unauthenticated Get-Printer-Attributes should limit the attributes it provides.
>
> >>
> >> Cheers,
> >> Smith
> >> ---
> >> Smith Kennedy
> >> smith.kennedy@hp.com <mailto:smith.kennedy@hp.com>
> >>
> >>
> >>> On Nov 10, 2021, at 3:42 PM, Michael Sweet <msweet@msweet.org <mailto:msweet@msweet.org>> wrote:
> >>>
> >>> ļ»æSmith,
> >>>
> >>> The "rules" are the same for Cloud vs. local - all operations *except* Get-Printer-Attributes/Get-System-Attributes can require authentication. The Get operations are exempt because they are the only way to discover what the authentication requirements are... :)
> >>>
> >>>
> >>>> On Nov 10, 2021, at 4:57 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy@hp.com <mailto:smith.kennedy@hp.com>> wrote:
> >>>>
> >>>> Hi there,
> >>>>
> >>>> If you have a "cloud" printer, is it "OK" to have the cloud Printer (Infrastructure Printer) require authentication for ALL IPP operations?
> >>>>
> >>>> I'm trolling through 8011 and 5100.18 to see if I can find language on the subject but if either of you know that would be helpful.
> >>>>
> >>>> Smith
> >>>>
> >>>> /**
> >>>> Smith Kennedy
> >>>> HP Inc.
> >>>> */
> >>>>
> >>>
> >>> ________________________
> >>> Michael Sweet
> >>>
> >>>
> >>>
> >
> > ________________________
> > Michael Sweet
> >
> >
> >
>
_______________________________________________ ipp mailing list ipp@pwg.org https://www.pwg.org/mailman/listinfo/ipp
- Re: [IPP] Requiring authentication for all IPP opā¦ Kennedy, Smith (Wireless & IPP Standards) via ipp
- Re: [IPP] Requiring authentication for all IPP opā¦ Michael Sweet via ipp
- Re: [IPP] Requiring authentication for all IPP opā¦ Kennedy, Smith (Wireless & IPP Standards) via ipp
- Re: [IPP] Requiring authentication for all IPP opā¦ Michael Sweet via ipp