IETF Logo Mail Archive

Re: IPP> possible compromise?

Harry Lewis <harryl@us.ibm.com> Wed, 15 July 1998 20:17 UTC

Delivery-Date: Wed, 15 Jul 1998 16:17:27 -0400
Return-Path: ipp-owner@pwg.org
Received: from cnri.reston.va.us (ns [132.151.1.1]) by ietf.org (8.8.5/8.8.7a) with ESMTP id QAA24488 for <ietf-archive@ietf.org>; Wed, 15 Jul 1998 16:17:16 -0400 (EDT)
Received: from lists.underscore.com (uscore-1.mv.com [199.125.85.30]) by cnri.reston.va.us (8.8.5/8.8.7a) with ESMTP id QAA17142 for <ietf-archive@cnri.reston.va.us>; Wed, 15 Jul 1998 16:17:13 -0400 (EDT)
Received: from localhost (daemon@localhost) by lists.underscore.com (8.7.5/8.7.3) with SMTP id QAA02838 for <ietf-archive@cnri.reston.va.us>; Wed, 15 Jul 1998 16:17:14 -0400 (EDT)
Received: by pwg.org (bulk_mailer v1.5); Wed, 15 Jul 1998 16:10:23 -0400
Received: (from daemon@localhost) by lists.underscore.com (8.7.5/8.7.3) id QAA02210 for ipp-outgoing; Wed, 15 Jul 1998 16:08:02 -0400 (EDT)
From: Harry Lewis <harryl@us.ibm.com>
To: <moore@cs.utk.edu>
Cc: <ipp@pwg.org>, <imcdonal@eso.mc.xerox.com>
Subject: Re: IPP> possible compromise?
Message-ID: <5030100023184031000002L012*@MHS>
Date: Wed, 15 Jul 1998 16:04:24 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Sender: owner-ipp@pwg.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id QAA24488

I like the tune (different words) ... LPR was already out there... the IETF
wants to encourage a more interoperable standard... IPP isn't any worse,
security wise than LPR. I hope we can forgo the carrot and stick and
concentrate on the lettuce... as in let us do it ;-)

Harry Lewis - IBM Printing Systems



moore@cs.utk.edu on 07/15/98 01:38:27 PM
Please respond to moore@cs.utk.edu
To: imcdonal@eso.mc.xerox.com
cc: moore@cs.utk.edu, ipp@pwg.org, moore@cs.utk.edu, Harry
Lewis/Boulder/IBM@ibmus
Subject: Re: IPP> possible compromise?


> I think it's useful to note that even LDAPv3 has recently been
> permitted to publish standards track RFCs WITHOUT any security
> mechanism (and a rather naive note that suggests read-only
> implementations).

The LDAPv3 case was a little odd.  LDAPv2 was already out there
without any useful security.  For various reasons, we wanted
to encourage people to move to LDAPv3, and LDAPv3 wasn't any
worse security-wise than LDAPv2.  The IESG note was the
carrot part of the compromise that was worked out.   The stick
was that the LDAP folks were supposed to do security before
anything else.   It didn't work very well; they drug their
feet about security.

> I maintain that even a read-only implementation of LDAPv3 without
> any security (for read) is a good deal more dangerous in the
> business liability and exposure sense that an implementation
> of IPP without any security in some printers is.

Obviously it depends on what information you're making available
through LDAPv3, and whether you're just doing so within your
enterprise vs. exporting it to the rest of the world.

Keith

v2.8.7 | Report a Bug | By Email