[IPP] Registration template: Obsolete access-x509-certificate member attributes
Michael Sweet msweet at apple.com 
Wed Jun 20 13:03:07 UTC 2018

The IPP workgroup would like to obsolete the "access-x509-certificate" member
attribute of the "destination-accesses" [PWG5100.17] and "document-access"
[PWG5100.18] operation attributes.  This member attribute cannot be implemented
securely since:

1. Use of an X.509 certificate for TLS authentication requires access to the
corresponding private key;
2. Sending the private key to a Printer would effectively compromise the X.509
certificate, violating security policies; and
3. Using an unauthenticated X.509 certificate provides no security.

There are no known implementations of this member attribute.


Operation attributes:                                          Reference
--------------------                                           ---------
destination-accesses (1setOf collection)                       [PWG5100.17]
  access-x509-certificate(obsolete) (1setOf octetString(MAX))  [IPPWG20180620]

document-access (collection)                                   [PWG5100.18]
  access-x509-certificate(obsolete) (1setOf octetString(MAX))  [IPPWG20180620]

_________________________________________________________
Michael Sweet, Senior Printing System Engineer