Comparar commits

..

1 Commits

Autor SHA1 Mensagem Data
msweet 75c4e7f14f Import cups.org releases
git-svn-id: svn+ssh://src.apple.com/svn/cups/cups.org/tags/release-1.5b2@4306 a1ca3aef-8c08-0410-bb20-df032aa958be
2013-05-10 18:56:23 +00:00
99 arquivos alterados com 122145 adições e 5069 exclusões
-8
Ver Arquivo
@@ -1,13 +1,6 @@
CHANGES-1.4.txt
---------------
CHANGES IN CUPS V1.4.8
- The scheduler would delete job data files when restarted (STR #3880)
- The network backends could crash if a printer returned a value of 0
for the maximum capacity for a supply (STR #3875)
CHANGES IN CUPS V1.4.7
- Documentation changes (STR #3710, STR #3720, STR #3745, STR #3750,
@@ -16,7 +9,6 @@ CHANGES IN CUPS V1.4.7
STR #3755, STR #3769, STR #3783)
- Configure script fixes (STR #3659, STR #3691)
- Compilation fixes (STR #3718, STR #3771, STR #3774)
- The imageto* filters could crash with bad GIF files (STR #3867)
- The scheduler might leave old job data files in the spool directory
(STR #3795)
- CUPS did not work with locales using the ASCII character set
+1 -27
Ver Arquivo
@@ -1,32 +1,6 @@
CHANGES.txt - 2011-07-25
CHANGES.txt - 2011-05-26
------------------------
CHANGES IN CUPS V1.5.0
- Documentation updates.
- Localization update (STR #3865)
- Needed to limit TLS to v1.0 on some versions of Mac OS X.
- The snmp backend did not work with some printers.
CHANGES IN CUPS V1.5rc1
- Compile fixes (STR #3849, STR #3850)
- The scheduler didn't check for empty values for several configuration
directives (STR #3861)
- ipptool didn't generate valid XML when a test was skipped.
- Added additional error checking to the 1284 device ID code (STR #3858)
- Fixed some compatibility issues migrating from the old usblp backend
to the libusb backend (STR #3860)
- Fixed the wake-from-sleep printing behavior on Mac OS X.
- The scheduler incorrectly allowed jobs to be held from a terminating
state.
- The cups-driverd program could crash when a PPD was renamed.
- The dnssd backend took too long to discover printers on large or busy
networks with the new default timeout used by lpinfo and the web
interface. This resulted in "lost" printers.
CHANGES IN CUPS V1.5b2
- Documentation updates.
+1 -1
Ver Arquivo
@@ -1,4 +1,4 @@
INSTALL - CUPS v1.5.0 - 2011-07-25
INSTALL - CUPS v1.5b2 - 2011-05-26
----------------------------------
This file describes how to compile and install CUPS from source code. For more
+2 -2
Ver Arquivo
@@ -1,5 +1,5 @@
README - CUPS v1.5.0 - 2011-07-25
----------------------------------
README - CUPS v1.5b2 - 2011-05-26
---------------------------------
Looking for compile instructions? Read the file "INSTALL.txt"
instead...
+9 -53
Ver Arquivo
@@ -44,7 +44,6 @@ typedef enum
{
CUPS_DEVICE_PRINTER = 0, /* lpd://... */
CUPS_DEVICE_IPP, /* ipp://... */
CUPS_DEVICE_IPPS, /* ipps://... */
CUPS_DEVICE_FAX_IPP, /* ipp://... */
CUPS_DEVICE_PDL_DATASTREAM, /* socket://... */
CUPS_DEVICE_RIOUSBPRINT /* riousbprint://... */
@@ -124,11 +123,9 @@ main(int argc, /* I - Number of command-line args */
fax_ipp_ref, /* IPP fax service reference */
ipp_ref, /* IPP service reference */
ipp_tls_ref, /* IPP w/TLS service reference */
ipps_ref, /* IPP service reference */
local_fax_ipp_ref, /* Local IPP fax service reference */
local_ipp_ref, /* Local IPP service reference */
local_ipp_tls_ref, /* Local IPP w/TLS service reference */
local_ipps_ref, /* Local IPP service reference */
local_printer_ref, /* Local LPD service reference */
pdl_datastream_ref, /* AppSocket service reference */
printer_ref, /* LPD service reference */
@@ -218,10 +215,6 @@ main(int argc, /* I - Number of command-line args */
DNSServiceBrowse(&ipp_tls_ref, kDNSServiceFlagsShareConnection, 0,
"_ipp-tls._tcp", NULL, browse_callback, devices);
ipps_ref = main_ref;
DNSServiceBrowse(&ipp_ref, kDNSServiceFlagsShareConnection, 0,
"_ipps._tcp", NULL, browse_callback, devices);
local_fax_ipp_ref = main_ref;
DNSServiceBrowse(&local_fax_ipp_ref, kDNSServiceFlagsShareConnection,
kDNSServiceInterfaceIndexLocalOnly,
@@ -237,11 +230,6 @@ main(int argc, /* I - Number of command-line args */
kDNSServiceInterfaceIndexLocalOnly,
"_ipp-tls._tcp", NULL, browse_local_callback, devices);
local_ipps_ref = main_ref;
DNSServiceBrowse(&local_ipp_ref, kDNSServiceFlagsShareConnection,
kDNSServiceInterfaceIndexLocalOnly,
"_ipps._tcp", NULL, browse_local_callback, devices);
local_printer_ref = main_ref;
DNSServiceBrowse(&local_printer_ref, kDNSServiceFlagsShareConnection,
kDNSServiceInterfaceIndexLocalOnly,
@@ -268,8 +256,8 @@ main(int argc, /* I - Number of command-line args */
FD_ZERO(&input);
FD_SET(fd, &input);
timeout.tv_sec = 0;
timeout.tv_usec = 250000;
timeout.tv_sec = 1;
timeout.tv_usec = 0;
if (select(fd + 1, &input, NULL, NULL, &timeout) < 0)
continue;
@@ -292,26 +280,19 @@ main(int argc, /* I - Number of command-line args */
cups_device_t *best; /* Best matching device */
char device_uri[1024]; /* Device URI */
int count; /* Number of queries */
int sent; /* Number of sent */
for (device = (cups_device_t *)cupsArrayFirst(devices),
best = NULL, count = 0, sent = 0;
best = NULL, count = 0;
device;
device = (cups_device_t *)cupsArrayNext(devices))
{
if (device->sent)
sent ++;
if (device->ref)
count ++;
if (!device->ref && !device->sent)
{
/*
* Found the device, now get the TXT record(s) for it...
*/
if (count < 20)
if (count < 10)
{
device->ref = main_ref;
@@ -357,8 +338,6 @@ main(int argc, /* I - Number of command-line args */
best->name, best->device_id, NULL);
best->sent = 1;
best = device;
sent ++;
}
else if (best->priority > device->priority ||
(best->priority == device->priority &&
@@ -366,17 +345,10 @@ main(int argc, /* I - Number of command-line args */
{
best->sent = 1;
best = device;
sent ++;
}
else
{
device->sent = 1;
sent ++;
}
}
}
if (best)
{
@@ -389,11 +361,7 @@ main(int argc, /* I - Number of command-line args */
cupsBackendReport("network", device_uri, best->make_and_model,
best->name, best->device_id, NULL);
best->sent = 1;
sent ++;
}
if (sent == cupsArrayCount(devices))
break;
}
}
@@ -590,11 +558,9 @@ get_device(cups_array_t *devices, /* I - Device array */
key.name = (char *)serviceName;
if (!strcmp(regtype, "_ipp._tcp."))
if (!strcmp(regtype, "_ipp._tcp.") ||
!strcmp(regtype, "_ipp-tls._tcp."))
key.type = CUPS_DEVICE_IPP;
else if (!strcmp(regtype, "_ipps._tcp.") ||
!strcmp(regtype, "_ipp-tls._tcp."))
key.type = CUPS_DEVICE_IPPS;
else if (!strcmp(regtype, "_fax-ipp._tcp."))
key.type = CUPS_DEVICE_FAX_IPP;
else if (!strcmp(regtype, "_printer._tcp."))
@@ -714,11 +680,9 @@ query_callback(
if ((ptr = strstr(name, "._")) != NULL)
*ptr = '\0';
if (strstr(fullName, "_ipp._tcp."))
if (strstr(fullName, "_ipp._tcp.") ||
strstr(fullName, "_ipp-tls._tcp."))
dkey.type = CUPS_DEVICE_IPP;
else if (strstr(fullName, "_ipps._tcp.") ||
strstr(fullName, "_ipp-tls._tcp."))
dkey.type = CUPS_DEVICE_IPPS;
else if (strstr(fullName, "_fax-ipp._tcp."))
dkey.type = CUPS_DEVICE_FAX_IPP;
else if (strstr(fullName, "_printer._tcp."))
@@ -790,16 +754,9 @@ query_callback(
if (data < datanext)
memcpy(value, data, datanext - data);
value[datanext - data] = '\0';
fprintf(stderr, "DEBUG2: query_callback: \"%s=%s\".\n",
key, value);
}
else
{
fprintf(stderr, "DEBUG2: query_callback: \"%s\" with no value.\n",
key);
continue;
}
if (!_cups_strncasecmp(key, "usb_", 4))
{
@@ -843,7 +800,6 @@ query_callback(
else if (!_cups_strcasecmp(key, "priority"))
device->priority = atoi(value);
else if ((device->type == CUPS_DEVICE_IPP ||
device->type == CUPS_DEVICE_IPPS ||
device->type == CUPS_DEVICE_PRINTER) &&
!_cups_strcasecmp(key, "printer-type"))
{
+3 -21
Ver Arquivo
@@ -65,7 +65,6 @@ backendGetDeviceID(
# if defined(__sun) && defined(ECPPIOC_GETDEVID)
struct ecpp_device_id did; /* Device ID buffer */
# endif /* __sun && ECPPIOC_GETDEVID */
char *ptr; /* Pointer into device ID */
DEBUG_printf(("backendGetDeviceID(fd=%d, device_id=%p, device_id_size=%d, "
@@ -187,7 +186,7 @@ backendGetDeviceID(
* and then limit the length to the size of our buffer...
*/
if (length > device_id_size || length < 14)
if (length > device_id_size)
length = (((unsigned)device_id[1] & 255) << 8) +
((unsigned)device_id[0] & 255);
@@ -225,12 +224,11 @@ backendGetDeviceID(
device_id[length] = '\0';
}
}
# ifdef DEBUG
else
{
DEBUG_printf(("backendGetDeviceID: ioctl failed - %s\n",
strerror(errno)));
*device_id = '\0';
}
# endif /* DEBUG */
# endif /* __linux */
# if defined(__sun) && defined(ECPPIOC_GETDEVID)
@@ -258,22 +256,6 @@ backendGetDeviceID(
# endif /* __sun && ECPPIOC_GETDEVID */
}
/*
* Check whether device ID is valid. Turn line breaks and tabs to spaces and
* reject device IDs with non-printable characters.
*/
for (ptr = device_id; *ptr; ptr ++)
if (_cups_isspace(*ptr))
*ptr = ' ';
else if ((*ptr & 255) < ' ' || *ptr == 127)
{
DEBUG_printf(("backendGetDeviceID: Bad device_id character %d.",
*ptr & 255));
*device_id = '\0';
break;
}
DEBUG_printf(("backendGetDeviceID: device_id=\"%s\"\n", device_id));
if (scheme && uri)
+4 -1
Ver Arquivo
@@ -436,7 +436,10 @@ backendWaitLoop(
{
fd_set input; /* Input set for reading */
time_t curtime, /* Current time */
snmp_update = 0; /* Last SNMP status update */
snmp_update = 0;
#if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
struct sigaction action; /* Actions for POSIX signals */
#endif /* HAVE_SIGACTION && !HAVE_SIGSET */
fprintf(stderr, "DEBUG: backendWaitLoop(snmp_fd=%d, addr=%p, side_cb=%p)\n",
+1 -1
Ver Arquivo
@@ -948,7 +948,7 @@ read_snmp_response(int fd) /* I - SNMP socket file descriptor */
debug_printf("DEBUG: request-id=%d\n", packet.request_id);
debug_printf("DEBUG: error-status=%d\n", packet.error_status);
if (packet.error_status && packet.request_id != DEVICE_TYPE)
if (packet.error_status)
return;
/*
+1 -92
Ver Arquivo
@@ -505,7 +505,6 @@ make_device_uri(
*mdl, /* Model */
*des, /* Description */
*sern; /* Serial number */
size_t mfglen; /* Length of manufacturer string */
char tempmfg[256], /* Temporary manufacturer string */
tempsern[256], /* Temporary serial number string */
*tempptr; /* Pointer into temp string */
@@ -585,16 +584,6 @@ make_device_uri(
mfg = tempmfg;
}
mfglen = strlen(mfg);
if (!strncasecmp(mdl, mfg, mfglen) && _cups_isspace(mdl[mfglen]))
{
mdl += mfglen + 1;
while (_cups_isspace(*mdl))
mdl ++;
}
/*
* Generate the device URI from the manufacturer, model, serial number,
* and interface number...
@@ -747,87 +736,7 @@ print_cb(usb_printer_t *printer, /* I - Printer */
const char *device_id, /* I - IEEE-1284 device ID */
const void *data) /* I - User data (make, model, S/N) */
{
char requested_uri[1024], /* Requested URI */
*requested_ptr, /* Pointer into requested URI */
detected_uri[1024], /* Detected URI */
*detected_ptr; /* Pointer into detected URI */
/*
* If we have an exact match, stop now...
*/
if (!strcmp((char *)data, device_uri))
return (1);
/*
* Work on copies of the URIs...
*/
strlcpy(requested_uri, (char *)data, sizeof(requested_uri));
strlcpy(detected_uri, device_uri, sizeof(detected_uri));
/*
* libusb-discovered URIs can have an "interface" specification and this
* never happens for usblp-discovered URIs, so remove the "interface"
* specification from the URI which we are checking currently. This way a
* queue for a usblp-discovered printer can now be accessed via libusb.
*
* Similarly, strip "?serial=NNN...NNN" as needed.
*/
if ((requested_ptr = strstr(requested_uri, "?interface=")) == NULL)
requested_ptr = strstr(requested_uri, "&interface=");
if ((detected_ptr = strstr(detected_uri, "?interface=")) == NULL)
detected_ptr = strstr(detected_uri, "&interface=");
if (!requested_ptr && detected_ptr)
{
/*
* Strip "[?&]interface=nnn" from the detected printer.
*/
*detected_ptr = '\0';
}
else if (requested_ptr && !detected_ptr)
{
/*
* Strip "[?&]interface=nnn" from the requested printer.
*/
*requested_ptr = '\0';
}
if ((requested_ptr = strstr(requested_uri, "?serial=?")) != NULL)
{
/*
* Strip "?serial=?" from the requested printer. This is a special
* case, as "?serial=?" means no serial number and not the serial
* number '?'. This is not covered by the checks below...
*/
*requested_ptr = '\0';
}
if ((requested_ptr = strstr(requested_uri, "?serial=")) == NULL &&
(detected_ptr = strstr(detected_uri, "?serial=")) != NULL)
{
/*
* Strip "?serial=nnn" from the detected printer.
*/
*detected_ptr = '\0';
}
else if (requested_ptr && !detected_ptr)
{
/*
* Strip "?serial=nnn" from the requested printer.
*/
*requested_ptr = '\0';
}
return (!strcmp(requested_uri, detected_uri));
return (!strcmp((char *)data, device_uri));
}
+4 -4
Ver Arquivo
@@ -1,5 +1,5 @@
dnl
dnl "$Id: cups-common.m4 9839 2011-06-19 04:30:07Z mike $"
dnl "$Id: cups-common.m4 9810 2011-05-26 12:34:56Z mike $"
dnl
dnl Common configuration stuff for CUPS.
dnl
@@ -20,7 +20,7 @@ dnl Set the name of the config header file...
AC_CONFIG_HEADER(config.h)
dnl Version number information...
CUPS_VERSION="1.5.0"
CUPS_VERSION="1.5b2"
CUPS_REVISION=""
#if test -z "$CUPS_REVISION" -a -d .svn; then
# CUPS_REVISION="-r`svnversion . | awk -F: '{print $NF}' | sed -e '1,$s/[[a-zA-Z]]*//g'`"
@@ -406,7 +406,7 @@ AC_ARG_WITH(components, [ --with-components set components to build:
case "$COMPONENTS" in
all)
BUILDDIRS="filter backend berkeley cgi-bin driver monitor notifier ppdc scheduler systemv conf data desktop locale man doc examples templates"
BUILDDIRS="filter backend berkeley cgi-bin driver monitor notifier ppdc scheduler systemv conf data locale man doc examples templates"
;;
core)
@@ -421,5 +421,5 @@ esac
AC_SUBST(BUILDDIRS)
dnl
dnl End of "$Id: cups-common.m4 9839 2011-06-19 04:30:07Z mike $".
dnl End of "$Id: cups-common.m4 9810 2011-05-26 12:34:56Z mike $".
dnl
+3 -3
Ver Arquivo
@@ -1,5 +1,5 @@
dnl
dnl "$Id: cups-compiler.m4 9818 2011-06-10 21:16:18Z mike $"
dnl "$Id: cups-compiler.m4 9809 2011-05-26 12:24:20Z mike $"
dnl
dnl Compiler stuff for CUPS.
dnl
@@ -162,7 +162,7 @@ if test -n "$GCC"; then
else
AC_MSG_CHECKING(if GCC supports -Wno-tautological-compare)
OLDCFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -Werror -Wno-tautological-compare"
CFLAGS="$CFLAGS -Wno-tautological-compare"
AC_TRY_COMPILE(,,
[OPTIM="$OPTIM -Wno-tautological-compare"
AC_MSG_RESULT(yes)],
@@ -560,5 +560,5 @@ case $uname in
esac
dnl
dnl End of "$Id: cups-compiler.m4 9818 2011-06-10 21:16:18Z mike $".
dnl End of "$Id: cups-compiler.m4 9809 2011-05-26 12:24:20Z mike $".
dnl
+2 -8
Ver Arquivo
@@ -1,5 +1,5 @@
dnl
dnl "$Id: cups-ssl.m4 9837 2011-06-16 20:12:16Z mike $"
dnl "$Id: cups-ssl.m4 9756 2011-05-11 00:52:08Z mike $"
dnl
dnl OpenSSL/GNUTLS stuff for CUPS.
dnl
@@ -56,12 +56,6 @@ if test x$enable_ssl != xno; then
AC_CHECK_HEADER(Security/SecIdentitySearchPriv.h,
AC_DEFINE(HAVE_SECIDENTITYSEARCHPRIV_H))
dnl Check for SSLSetProtocolVersionMax...
SAVELIBS="$LIBS"
LIBS="$LIBS -framework Security"
AC_CHECK_FUNC(SSLSetProtocolVersionMax)
LIBS="$SAVELIBS"
dnl Check for SecCertificateCopyData..
AC_MSG_CHECKING(for SecCertificateCopyData)
if test $uversion -ge 100; then
@@ -175,5 +169,5 @@ AC_SUBST(EXPORT_SSLLIBS)
dnl
dnl End of "$Id: cups-ssl.m4 9837 2011-06-16 20:12:16Z mike $".
dnl End of "$Id: cups-ssl.m4 9756 2011-05-11 00:52:08Z mike $".
dnl
-7
Ver Arquivo
@@ -342,13 +342,6 @@
#undef HAVE_SECPOLICYCREATESSL
/*
* Do we have the SSLSetProtocolVersionMax function?
*/
#undef HAVE_SSLSETPROTOCOLVERSIONMAX
/*
* Do we have the cssmErrorString function?
*/
+4 -4
Ver Arquivo
@@ -270,7 +270,7 @@ cupsResolveConflicts(
* Resolver loop!
*/
DEBUG_printf(("1cupsResolveConflicts: Resolver loop with %s!",
DEBUG_printf(("1ppdResolveConflicts: Resolver loop with %s!",
consts->resolver));
goto error;
}
@@ -278,14 +278,14 @@ cupsResolveConflicts(
if ((resolver = ppdFindAttr(ppd, "cupsUIResolver",
consts->resolver)) == NULL)
{
DEBUG_printf(("1cupsResolveConflicts: Resolver %s not found!",
DEBUG_printf(("1ppdResolveConflicts: Resolver %s not found!",
consts->resolver));
goto error;
}
if (!resolver->value)
{
DEBUG_printf(("1cupsResolveConflicts: Resolver %s has no value!",
DEBUG_printf(("1ppdResolveConflicts: Resolver %s has no value!",
consts->resolver));
goto error;
}
@@ -507,7 +507,7 @@ cupsResolveConflicts(
if (!changed)
{
DEBUG_puts("1cupsResolveConflicts: Unable to automatically resolve "
DEBUG_puts("1ppdResolveConflicts: Unable to automatically resolve "
"constraint!");
goto error;
}
-2
Ver Arquivo
@@ -39,7 +39,6 @@
* cupsFilePeekChar() - Peek at the next character from a file.
* cupsFilePrintf() - Write a formatted string.
* cupsFilePutChar() - Write a character.
* cupsFilePutConf() - Write a configuration line.
* cupsFilePuts() - Write a string.
* cupsFileRead() - Read from a file.
* cupsFileRewind() - Set the current file position to the beginning of
@@ -53,7 +52,6 @@
* cupsFileWrite() - Write to a file.
* cups_compress() - Compress a buffer of data.
* cups_fill() - Fill the input buffer.
* cups_open() - Safely open a file for writing.
* cups_read() - Read from a file descriptor.
* cups_write() - Write to a file descriptor.
*/
+1 -1
Ver Arquivo
@@ -466,7 +466,7 @@ _httpAssembleUUID(const char *server, /* I - Server name */
snprintf(data, sizeof(data), "%s:%d:%s:%d:%04x:%04x", server,
port, name ? name : server, number,
(unsigned)CUPS_RAND() & 0xffff, (unsigned)CUPS_RAND() & 0xffff);
CUPS_RAND() & 0xffff, CUPS_RAND() & 0xffff);
_cupsMD5Init(&md5state);
_cupsMD5Append(&md5state, (unsigned char *)data, strlen(data));
-9
Ver Arquivo
@@ -3920,15 +3920,6 @@ http_setup_ssl(http_t *http) /* I - Connection to server */
cg->expired_root, (int)error));
}
# ifdef HAVE_SSLSETPROTOCOLVERSIONMAX
if (!error)
{
error = SSLSetProtocolVersionMax(http->tls, kTLSProtocol1);
DEBUG_printf(("4http_setup_ssl: SSLSetProtocolVersionMax(kTLSProtocol1), "
"error=%d", (int)error));
}
# endif /* HAVE_SSLSETPROTOCOLVERSIONMAX */
# ifdef HAVE_SECCERTIFICATECOPYDATA
if (!error)
{
+5 -8
Ver Arquivo
@@ -171,17 +171,16 @@ cupsCharsetToUTF8(
if (map_to_utf8 != (iconv_t)-1)
{
char *altdestptr = (char *)dest; /* Silence bogus GCC type-punned */
srclen = strlen(src);
outBytesLeft = maxout - 1;
iconv(map_to_utf8, (char **)&src, &srclen, &altdestptr, &outBytesLeft);
*altdestptr = '\0';
iconv(map_to_utf8, (char **)&src, &srclen, (char **)&destptr,
&outBytesLeft);
*destptr = '\0';
_cupsMutexUnlock(&map_mutex);
return ((int)(altdestptr - (char *)dest));
return ((int)(destptr - dest));
}
_cupsMutexUnlock(&map_mutex);
@@ -296,12 +295,10 @@ cupsUTF8ToCharset(
if (map_from_utf8 != (iconv_t)-1)
{
char *altsrc = (char *)src; /* Silence bogus GCC type-punned */
srclen = strlen((char *)src);
outBytesLeft = maxout - 1;
iconv(map_from_utf8, &altsrc, &srclen, &destptr, &outBytesLeft);
iconv(map_from_utf8, (char **)&src, &srclen, &destptr, &outBytesLeft);
*destptr = '\0';
_cupsMutexUnlock(&map_mutex);
+51 -18
Ver Arquivo
@@ -8,7 +8,11 @@
<H1 CLASS="title">Using Kerberos Authentication</H1>
<P>CUPS allows you to use a Key Distribution Center (KDC) for authentication on your local CUPS server and when printing to a remote authenticated queue. This document describes how to configure CUPS to use Kerberos authentication and provides links to the MIT help pages for configuring Kerberos on your systems and network.</P>
<P>CUPS allows you to use a Key Distribution Center (KDC) for authentication
on your local CUPS server and when printing to a remote authenticated queue.
This document describes how to configure CUPS to use Kerberos authentication
and provides links to the MIT help pages for configuring Kerberos on your
systems and network.</P>
<H2 CLASS="title"><A NAME="REQUIREMENTS">System Requirements</A></H2>
@@ -19,31 +23,42 @@
<li>Heimdal Kerberos (any version) or MIT Kerberos (1.6.3 or newer)</li>
<li>Properly configured Domain Name System (DNS) infrastructure (for your servers):<ol type='a'>
<li>DNS server(s) with static IP addresses for all CUPS servers or configured to allow DHCP updates to the host addresses and</li>
<li>Properly configured Domain Name System (DNS)
infrastructure:<ol type='a'>
<li>DNS server(s) with static IP addresses for all CUPS clients
and servers or configured to allow DHCP updates to the host
addresses</li>
<li>All CUPS clients and servers configured to use the same
DNS server(s).</li>
DNS server(s)</li>
</ol></li>
<li>Properly configured Kerberos infrastructure:<ol type='a'>
<li>KDC configured to allow CUPS servers to obtain Service Granting Tickets (SGTs) for the "host" service,</li>
<li>LDAP-based user accounts - both OpenDirectory and ActiveDirectory provide this with the KDC, and</li>
<li>CUPS clients and servers bound to the same KDC and LDAP
server(s).</li>
<li>KDC configured to allow CUPS clients and servers to obtain
Service Granting Tickets (SGTs) for the "ipp" service</li>
<li>LDAP-based user accounts - both OpenDirectory and
ActiveDirectory provide this with the KDC</li>
<li>CUPS clients and servers bound to the KDC and LDAP
server(s)</li>
</ol></li>
<li>A "host" Service Granting Ticket (SGT) for every CUPS server</li>
<li>An "ipp" Service Granting Ticket (SGT) for every CUPS client and
server</li>
</ol>
<H2 CLASS="title"><A NAME="KRB5">Configuring Kerberos on Your System</A></H2>
<P>Before you can use Kerberos with CUPS, you will need to configure Kerberos on your system and setup a system as a KDC. Because this configuration is highly system and site-specific, please consult the following on-line resources provided by the creators of Kerberos at the Massachusetts Institute of Technology (MIT):</P>
<P>Before you can use Kerberos with CUPS, you will need to configure
Kerberos on your system and setup a system as a KDC. Because this
configuration is highly system and site-specific, please consult
the following on-line resources provided by the creators of Kerberos
at the Massachusetts Institute of Technology (MIT):</P>
<UL>
<LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network Authentication Protocol</A></LI>
<LI><A HREF="http://web.mit.edu/kerberos/">Kerberos: The Network
Authentication Protocol</A></LI>
<LI><A HREF="http://web.mit.edu/macdev/KfM/Common/Documentation/faq-osx.html">Kerberos
on Mac OS X Frequently Asked Questions</A></LI>
@@ -62,28 +77,46 @@ DNS server(s).</li>
<H2 CLASS="title"><A NAME="CUPS">Configuring CUPS to Use Kerberos</A></H2>
<P>Once youhave configured Kerberos on your system(s), you can then enable Kerberos authentication by selecting the <tt>Negotiate</tt> authentication type. The simplest way to do this is using the <tt>cupsctl(8)</tt> command on your server(s):</P>
<P>Once you have configured Kerberos on your system(s), you can then
enable Kerberos authentication by selecting the <tt>Negotiate</tt>
authentication type. The simplest way to do this is using the
<tt>cupsctl(8)</tt> command:</P>
<PRE CLASS="command">
<KBD>cupsctl DefaultAuthType=Negotiate</KBD>
</PRE>
<P>You can also enable Kerberos from the web interface by checking the <VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change Settings</VAR>:</P>
<P>You can also enable Kerberos from the web interface by checking the
<VAR>Use Kerberos Authentication</VAR> box and clicking <VAR>Change
Settings</VAR>:</P>
<PRE CLASS="command">
http://server.example.com:631/admin
http://localhost:631/admin
</PRE>
<P>After you have enabled Kerberos authentication, use the built-in "authenticated" policy or your own custom policies with the printers you will be sharing. See <a href="policies.html">Managing Operation Policies</a> for more information.</P>
<P>After you have enabled Kerberos authentication, use the built-in
"authenticated" policy or your own custom policies with the printers you
will be sharing. See <a href="policies.html">Managing Operation Policies</a>
for more information.</P>
<H2 CLASS="title"><A NAME="IMPLEMENT">Implementation Information</A></H2>
<P>CUPS implements Kerberos over HTTP using GSSAPI and the service name "host". Because of limitations in the HTTP GSSAPI protocol extension, only a single domain/KDC is supported for authentication. The HTTP extension is described in <a href="http://tools.ietf.org/html/rfc4559">RFC 4559</a>.</P>
<P>CUPS implements Kerberos over HTTP using GSSAPI and the service name
"host". Because of limitations in the HTTP GSSAPI protocol extension, only
a single domain/KDC is supported for authentication.</P>
<P>When doing printing tasks that require authentication, CUPS requests single-use "tickets" from your login session to authenticate who you are. These tickets give CUPS a username of the form "user@REALM", which is then converted to just "user" for purposes of user and group checks.</P>
<P>When doing printing tasks that require authentication, CUPS requests a
single-use "ticket" from your login session to authenticate who you are.
This ticket gives CUPS a username of the form "user@REALM", which is then
converted to just "user" for purposes of user and group checks.</P>
<P>In order to support printing to a shared printer, CUPS runs the IPP backend as the owner of the print job so it can obtain the necessary credentials.</P>
<P>In order to support printing to a shared printer, CUPS has to ask the KDC
for a copy of your credentials (this is called delegation) that can be sent to
the remote server for authentication. Delegation only works when the system
has a stable hostname which maps to the current address of the system, which
is why you need a static IP address or DHCP that updates the DNS entry for your
system.</P>
</BODY>
</HTML>
+2 -4
Ver Arquivo
@@ -341,7 +341,7 @@ div.contents ul.subcontents li {
<body>
<div class='body'>
<!--
"$Id: spec-ppd.html 9813 2011-06-01 17:00:27Z mike $"
"$Id: spec-ppd.html 9803 2011-05-26 02:11:20Z mike $"
PPD extension documentation for CUPS.
@@ -604,10 +604,9 @@ f(x) = density * x <sup style='font-size: 100%'>gamma</sup>
<h4>Customizing the Profile Selection Keywords</h4>
<p>The <tt>ColorModel</tt>, <tt>MediaType</tt>, and <tt>Resolution</tt> main keywords can be reassigned to different main keywords, allowing drivers to do color profile selection based on different parameters. The <tt>cupsICCQualifier1</tt>, <tt>cupsICCQualifier2</tt>, and <tt>cupsICCQualifier3</tt> keywords define the mapping from selector to main keyword:</p>
<p>The <tt>MediaType</tt> and <tt>Resolution</tt> main keywords can be reassigned to different main keywords, allowing drivers to do color profile selection based on different parameters. The <tt>cupsICCQualifier2</tt> and <tt>cupsICCQualifier3</tt> keywords define the mapping from selector to main keyword:</p>
<pre class='command'>
*cupsICCQualifier1: MainKeyword1
*cupsICCQualifier2: MainKeyword2
*cupsICCQualifier3: MainKeyword3
</pre>
@@ -615,7 +614,6 @@ f(x) = density * x <sup style='font-size: 100%'>gamma</sup>
<p>The default mapping is as follows:</p>
<pre class='command'>
*cupsICCQualifier1: ColorModel
*cupsICCQualifier2: MediaType
*cupsICCQualifier3: Resolution
</pre>
+26 -20
Ver Arquivo
@@ -353,7 +353,7 @@ gif_get_code(FILE *fp, /* I - File to read from */
* Read in another buffer...
*/
if ((count = gif_get_block(fp, buf + last_byte)) <= 0)
if ((count = gif_get_block (fp, buf + last_byte)) <= 0)
{
/*
* Whoops, no more data!
@@ -582,13 +582,19 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
gif_get_code(fp, 0, 1);
/*
* Wipe the decompressor table (already mostly 0 due to the calloc above...)
* Wipe the decompressor table...
*/
fresh = 1;
for (i = 1; i < clear_code; i ++)
for (i = 0; i < clear_code; i ++)
{
table[0][i] = 0;
table[1][i] = i;
}
for (; i < 4096; i ++)
table[0][i] = table[1][0] = 0;
sp = stack;
@@ -599,30 +605,29 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
fresh = 0;
do
{
firstcode = oldcode = gif_get_code(fp, code_size, 0);
}
while (firstcode == clear_code);
return (firstcode & 255);
return (firstcode);
}
else if (!table)
return (0);
if (sp > stack)
return ((*--sp) & 255);
return (*--sp);
while ((code = gif_get_code(fp, code_size, 0)) >= 0)
while ((code = gif_get_code (fp, code_size, 0)) >= 0)
{
if (code == clear_code)
{
/*
* Clear/reset the compression table...
*/
memset(table, 0, 2 * sizeof(gif_table_t));
for (i = 1; i < clear_code; i ++)
for (i = 0; i < clear_code; i ++)
{
table[0][i] = 0;
table[1][i] = i;
}
for (; i < 4096; i ++)
table[0][i] = table[1][i] = 0;
code_size = set_code_size + 1;
max_code_size = 2 * clear_code;
@@ -632,11 +637,12 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
firstcode = oldcode = gif_get_code(fp, code_size, 0);
return (firstcode & 255);
return (firstcode);
}
else if (code == end_code || code > max_code)
else if (code == end_code)
{
unsigned char buf[260]; /* Block buffer */
unsigned char buf[260];
if (!gif_eof)
while (gif_get_block(fp, buf) > 0);
@@ -646,7 +652,7 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
incode = code;
if (code == max_code)
if (code >= max_code)
{
*sp++ = firstcode;
code = oldcode;
@@ -680,10 +686,10 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
oldcode = incode;
if (sp > stack)
return ((*--sp) & 255);
return (*--sp);
}
return (code & 255);
return (code);
}
+1 -3
Ver Arquivo
@@ -165,10 +165,9 @@ f(x) = density * x <sup style='font-size: 100%'>gamma</sup>
<h4>Customizing the Profile Selection Keywords</h4>
<p>The <tt>ColorModel</tt>, <tt>MediaType</tt>, and <tt>Resolution</tt> main keywords can be reassigned to different main keywords, allowing drivers to do color profile selection based on different parameters. The <tt>cupsICCQualifier1</tt>, <tt>cupsICCQualifier2</tt>, and <tt>cupsICCQualifier3</tt> keywords define the mapping from selector to main keyword:</p>
<p>The <tt>MediaType</tt> and <tt>Resolution</tt> main keywords can be reassigned to different main keywords, allowing drivers to do color profile selection based on different parameters. The <tt>cupsICCQualifier2</tt> and <tt>cupsICCQualifier3</tt> keywords define the mapping from selector to main keyword:</p>
<pre class='command'>
*cupsICCQualifier1: MainKeyword1
*cupsICCQualifier2: MainKeyword2
*cupsICCQualifier3: MainKeyword3
</pre>
@@ -176,7 +175,6 @@ f(x) = density * x <sup style='font-size: 100%'>gamma</sup>
<p>The default mapping is as follows:</p>
<pre class='command'>
*cupsICCQualifier1: ColorModel
*cupsICCQualifier2: MediaType
*cupsICCQualifier3: Resolution
</pre>
+4192 -4586
Ver Arquivo
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+5 -5
Ver Arquivo
@@ -5,7 +5,7 @@
#
# Original version by Jason McMullan <jmcc@ontv.com>.
#
# Copyright 2007-2011 by Apple Inc.
# Copyright 2007-2010 by Apple Inc.
# Copyright 1999-2007 by Easy Software Products, all rights reserved.
#
# These coded instructions, statements, and computer programs are the
@@ -79,7 +79,7 @@ Requires: %{name}-libs = %{epoch}:%{version}
%description
CUPS is the standards-based, open source printing system developed by
Apple Inc. for Mac OS® X and other UNIX®-like operating systems.
Apple Inc. for Mac OS¨ X and other UNIX¨-like operating systems.
%description devel
This package provides the CUPS headers and development environment.
@@ -190,11 +190,10 @@ rm -rf $RPM_BUILD_ROOT
%dir /usr/lib/cups
%dir /usr/lib/cups/backend
/usr/lib/cups/backend/http
/usr/lib/cups/backend/https
%attr(0700,root,root) /usr/lib/cups/backend/ipp
/usr/lib/cups/backend/ipps
%attr(0700,root,root) /usr/lib/cups/backend/lpd
/usr/lib/cups/backend/parallel
/usr/lib/cups/backend/scsi
/usr/lib/cups/backend/serial
/usr/lib/cups/backend/snmp
/usr/lib/cups/backend/socket
@@ -204,7 +203,6 @@ rm -rf $RPM_BUILD_ROOT
%dir /usr/lib/cups/daemon
/usr/lib/cups/daemon/cups-deviced
/usr/lib/cups/daemon/cups-driverd
/usr/lib/cups/daemon/cups-exec
/usr/lib/cups/daemon/cups-polld
%dir /usr/lib/cups/driver
%dir /usr/lib/cups/filter
@@ -290,6 +288,8 @@ rm -rf $RPM_BUILD_ROOT
/usr/share/man/man5/*.conf.5.gz
/usr/share/man/man5/ipptoolfile.5.gz
/usr/share/man/man5/mime.*.5.gz
%dir /usr/share/man/man7
/usr/share/man/man7/drv*
%dir /usr/share/man/man8
/usr/share/man/man8/accept.8.gz
/usr/share/man/man8/cupsaddsmb.8.gz
+1 -1
Ver Arquivo
@@ -3220,7 +3220,7 @@ encrypt_client(cupsd_client_t *con) /* I - Client to encrypt */
gnutls_certificate_set_x509_key_file(*credentials, ServerCertificate,
ServerKey, GNUTLS_X509_FMT_PEM);
gnutls_init(&con->http.tls, GNUTLS_SERVER);
gnutls_init(&con->http.tls), GNUTLS_SERVER);
gnutls_set_default_priority(con->http.tls);
gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr)HTTP(con));
+2 -14
Ver Arquivo
@@ -2593,11 +2593,11 @@ read_configuration(cups_file_t *fp) /* I - File to read from */
"FaxRetryLimit is deprecated; use "
"JobRetryLimit on line %d.", linenum);
}
else if ((!_cups_strcasecmp(line, "Port") || !_cups_strcasecmp(line, "Listen")
else if (!_cups_strcasecmp(line, "Port") || !_cups_strcasecmp(line, "Listen")
#ifdef HAVE_SSL
|| !_cups_strcasecmp(line, "SSLPort") || !_cups_strcasecmp(line, "SSLListen")
#endif /* HAVE_SSL */
) && value)
)
{
/*
* Add listening address(es) to the list...
@@ -3740,12 +3740,6 @@ read_location(cups_file_t *fp, /* I - Configuration file */
else if (!_cups_strcasecmp(line, "</Limit>") ||
!_cups_strcasecmp(line, "</LimitExcept>"))
loc = parent;
else if (!value)
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value on line %d.", linenum);
if (FatalErrors & CUPSD_FATAL_CONFIG)
return (0);
}
else if (!parse_aaa(loc, line, value, linenum))
{
cupsdLogMessage(CUPSD_LOG_ERROR,
@@ -3895,12 +3889,6 @@ read_policy(cups_file_t *fp, /* I - Configuration file */
op = NULL;
}
else if (!value)
{
cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value on line %d.", linenum);
if (FatalErrors & CUPSD_FATAL_CONFIG)
return (0);
}
else if (!_cups_strcasecmp(line, "JobPrivateAccess") ||
!_cups_strcasecmp(line, "JobPrivateValues") ||
!_cups_strcasecmp(line, "SubscriptionPrivateAccess") ||
+2 -7
Ver Arquivo
@@ -750,11 +750,8 @@ compare_ppds(const ppd_info_t *p0, /* I - First PPD file */
else if ((diff = cupsdCompareNames(p0->record.make_and_model,
p1->record.make_and_model)) != 0)
return (diff);
else if ((diff = strcmp(p0->record.languages[0],
p1->record.languages[0])) != 0)
return (diff);
else
return (compare_names(p0, p1));
return (strcmp(p0->record.languages[0], p1->record.languages[0]));
}
@@ -1411,9 +1408,7 @@ load_drv(const char *filename, /* I - Actual filename */
* Add a dummy entry for the file...
*/
httpAssembleURIf(HTTP_URI_CODING_ALL, uri, sizeof(uri), "drv", "", "", 0,
"/%s", name);
add_ppd(name, uri, "", "", "", "", "", "", mtime, size, 0,
add_ppd(name, name, "", "", "", "", "", "", mtime, size, 0,
PPD_TYPE_DRV, "drv");
ChangedPPD = 1;
-16
Ver Arquivo
@@ -8885,22 +8885,6 @@ hold_job(cupsd_client_t *con, /* I - Client connection */
return;
}
/*
* See if the job is in a state that allows holding...
*/
if (job->state_value > IPP_JOB_STOPPED)
{
/*
* Return a "not-possible" error...
*/
send_ipp_status(con, IPP_NOT_POSSIBLE,
_("Job #%d is finished and cannot be altered."),
job->id);
return;
}
/*
* Hold the job and return...
*/
+15 -20
Ver Arquivo
@@ -1343,22 +1343,17 @@ cupsdDeleteJob(cupsd_job_t *job, /* I - Job */
free(job->compressions);
free(job->filetypes);
if (action == CUPSD_JOB_PURGE)
while (job->num_files > 0)
{
while (job->num_files > 0)
{
snprintf(filename, sizeof(filename), "%s/d%05d-%03d", RequestRoot,
job->id, job->num_files);
if (Classification)
cupsdRemoveFile(filename);
else
unlink(filename);
snprintf(filename, sizeof(filename), "%s/d%05d-%03d", RequestRoot,
job->id, job->num_files);
if (Classification)
cupsdRemoveFile(filename);
else
unlink(filename);
job->num_files --;
}
job->num_files --;
}
else
job->num_files = 0;
}
if (job->history)
@@ -2335,14 +2330,14 @@ cupsdSetJobState(
if (!cupsdLoadJob(job))
return;
/*
* Don't do anything if the state is unchanged and we aren't purging the
* job...
*/
/*
* Don't do anything if the state is unchanged and we aren't purging the
* job...
*/
oldstate = job->state_value;
if (newstate == oldstate && action != CUPSD_JOB_PURGE)
return;
oldstate = job->state_value;
if (newstate == oldstate && action != CUPSD_JOB_PURGE)
return;
/*
* Stop any processes that are working on the current job...
-83
Ver Arquivo
@@ -76,9 +76,6 @@
#ifdef HAVE_SYS_VFS_H
# include <sys/vfs.h>
#endif /* HAVE_SYS_VFS_H */
#ifdef __APPLE__
# include <asl.h>
#endif /* __APPLE__ */
/*
@@ -93,7 +90,6 @@ static int compare_printers(void *first, void *second, void *data);
static void delete_printer_filters(cupsd_printer_t *p);
static void dirty_printer(cupsd_printer_t *p);
static void load_ppd(cupsd_printer_t *p);
static void log_ipp_conformance(cupsd_printer_t *p, const char *reason);
static ipp_t *new_media_col(_pwg_size_t *size, const char *source,
const char *type);
#ifdef __sgi
@@ -2761,10 +2757,6 @@ cupsdSetPrinterReasons(
if (i >= p->num_reasons)
{
if (!strncmp(reason, "cups-ipp-missing-", 17) ||
!strncmp(reason, "cups-ipp-wrong-", 15))
log_ipp_conformance(p, reason);
if (i >= (int)(sizeof(p->reasons) / sizeof(p->reasons[0])))
{
cupsdLogMessage(CUPSD_LOG_ALERT,
@@ -5082,81 +5074,6 @@ load_ppd(cupsd_printer_t *p) /* I - Printer */
}
/*
* 'log_ipp_conformance()' - Log an IPP conformance issue with a printer.
*/
static void
log_ipp_conformance(
cupsd_printer_t *p, /* I - Printer */
const char *reason) /* I - Printer state reason */
{
const char *message; /* Message to log */
#ifdef __APPLE__
aslmsg aslm; /* Apple System Log message */
#endif /* __APPLE__ */
/*
* Strip the leading "cups-ipp-" from the reason and create a log message for
* it...
*/
reason += 9;
if (!strcmp(reason, "missing-cancel-job"))
message = "Printer does not support REQUIRED Cancel-Job operation.";
else if (!strcmp(reason, "missing-get-job-attributes"))
message = "Printer does not support REQUIRED Get-Job-Attributes operation.";
else if (!strcmp(reason, "missing-print-job"))
message = "Printer does not support REQUIRED Print-Job operation.";
else if (!strcmp(reason, "missing-validate-job"))
message = "Printer does not support REQUIRED Validate-Job operation.";
else if (!strcmp(reason, "missing-get-printer-attributes"))
message = "Printer does not support REQUIRED Get-Printer-Attributes operation.";
else if (!strcmp(reason, "missing-job-history"))
message = "Printer does not provide REQUIRED job history.";
else if (!strcmp(reason, "missing-job-id"))
message = "Printer does not provide REQUIRED job-id attribute.";
else if (!strcmp(reason, "missing-job-state"))
message = "Printer does not provide REQUIRED job-state attribute.";
else if (!strcmp(reason, "missing-operations-supported"))
message = "Printer does not provide REQUIRED operations-supported "
"attribute.";
else if (!strcmp(reason, "missing-printer-is-accepting-jobs"))
message = "Printer does not provide REQUIRED printer-is-accepting-jobs "
"attribute.";
else if (!strcmp(reason, "missing-printer-state-reasons"))
message = "Printer does not provide REQUIRED printer-state-reasons "
"attribute.";
else if (!strcmp(reason, "wrong-http-version"))
message = "Printer does not use REQUIRED HTTP/1.1 transport.";
else
message = "Unknown IPP conformance failure.";
cupsdLogMessage(CUPSD_LOG_WARN, "%s: %s", p->name, message);
#ifdef __APPLE__
/*
* Report the failure information to Apple if the user opts into providing
* feedback to Apple...
*/
aslm = asl_new(ASL_TYPE_MSG);
if (aslm)
{
asl_set(aslm, "com.apple.message.domain", "com.apple.printing.ipp.conformance");
asl_set(aslm, "com.apple.message.domain_scope", "com.apple.printing.ipp.conformance");
asl_set(aslm, "com.apple.message.signature", reason);
asl_set(aslm, "com.apple.message.signature2",
p->make_model ? p->make_model : "Unknown");
asl_log(NULL, aslm, ASL_LEVEL_NOTICE, "%s: %s",
p->make_model ? p->make_model : "Unknown", message);
asl_free(aslm);
}
#endif /* __APPLE__ */
}
/*
* 'new_media_col()' - Create a media-col collection value.
*/
+16 -18
Ver Arquivo
@@ -196,10 +196,6 @@ cupsdSetBusyState(void)
if (job)
newbusy |= 2;
cupsdLogMessage(CUPSD_LOG_DEBUG,
"cupsdSetBusyState: newbusy=\"%s\", busy=\"%s\"",
busy_text[newbusy], busy_text[busy]);
/*
* Manage state changes...
*/
@@ -217,23 +213,25 @@ cupsdSetBusyState(void)
vtran = 0;
}
#endif /* HAVE_VPROC_TRANSACTION_BEGIN */
}
#ifdef kIOPMAssertionTypeDenySystemSleep
if (cupsArrayCount(PrintingJobs) > 0 && !dark_wake)
{
cupsdLogMessage(CUPSD_LOG_DEBUG, "Asserting dark wake.");
IOPMAssertionCreateWithName(kIOPMAssertionTypeDenySystemSleep,
kIOPMAssertionLevelOn,
CFSTR("org.cups.cupsd"), &dark_wake);
}
else if (cupsArrayCount(PrintingJobs) == 0 && dark_wake)
{
cupsdLogMessage(CUPSD_LOG_DEBUG, "Releasing dark wake assertion.");
IOPMAssertionRelease(dark_wake);
dark_wake = 0;
}
if ((busy & 2) && !dark_wake)
{
cupsdLogMessage(CUPSD_LOG_DEBUG2, "Asserting dark wake.");
IOPMAssertionCreateWithName(kIOPMAssertionTypeDenySystemSleep,
kIOPMAssertionLevelOn,
CFSTR("org.cups.cupsd"), &dark_wake);
}
else if (!(busy & 2) && dark_wake)
{
cupsdLogMessage(CUPSD_LOG_DEBUG2, "Releasing dark wake assertion.");
IOPMAssertionRelease(dark_wake);
dark_wake = 0;
}
#endif /* kIOPMAssertionTypeDenySystemSleep */
cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdSetBusyState: %s", busy_text[busy]);
}
}
+163
Ver Arquivo
@@ -0,0 +1,163 @@
#
# "$Id$"
#
# Standards makefile for CUPS.
#
# Copyright 2007-2010 by Apple Inc.
# Copyright 2006 by Easy Software Products.
#
# These coded instructions, statements, and computer programs are the
# property of Apple Inc. and are protected by Federal copyright
# law. Distribution and use rights are outlined in the file "LICENSE.txt"
# which should have been included with this file. If this file is
# file is missing or damaged, see the license at "http://www.cups.org/".
#
include ../Makedefs
#
# Standards...
#
RFCS = \
rfc1155.txt \
rfc1157.txt \
rfc1179.txt \
rfc1213.txt \
rfc1321.txt \
rfc2222.txt \
rfc2246.txt \
rfc2487.txt \
rfc2554.txt \
rfc2567.txt \
rfc2568.txt \
rfc2569.txt \
rfc2578.txt \
rfc2595.txt \
rfc2616.txt \
rfc2617.txt \
rfc2712.txt \
rfc2790.txt \
rfc2817.txt \
rfc2818.txt \
rfc2821.txt \
rfc2822.txt \
rfc2910.txt \
rfc2911.txt \
rfc2965.txt \
rfc3196.txt \
rfc3239.txt \
rfc3380.txt \
rfc3381.txt \
rfc3382.txt \
rfc3391.txt \
rfc3510.txt \
rfc3712.txt \
rfc3805.txt \
rfc3875.txt \
rfc3986.txt \
rfc3995.txt \
rfc3996.txt \
rfc3997.txt \
rfc3998.txt \
rfc4122.txt \
rfc4234.txt
.SUFFIXES: .html .txt
.txt.html: rfctohtml
echo Converting $< to HTML...
./rfctohtml $< ../doc/help/$@
#
# Make everything...
#
all: rfctohtml $(RFCS:.txt=.html)
#
# Make library targets...
#
libs:
#
# Make unit tests...
#
unittests:
#
# Clean all config and object files...
#
clean:
$(RM) rfctohtml rfctohtml.o
$(RM) $(RFCS:.txt=.html)
#
# Dummy depend target...
#
depend:
#
# Install all targets...
#
install: all install-data install-headers install-libs install-exec
#
# Install data files...
#
install-data:
#
# Install programs...
#
install-exec:
#
# Install headers...
#
install-headers:
#
# Install libraries...
#
install-libs:
#
# Uninstall files...
#
uninstall:
#
# rfctohtml - make html versions of RFCs...
#
rfctohtml: rfctohtml.o ../cups/$(LIBCUPSSTATIC)
$(CC) $(ARCHFLAGS) $(LDFLAGS) -o $@ rfctohtml.o ../cups/$(LIBCUPSSTATIC) \
$(LIBGSSAPI) $(SSLLIBS) $(DNSSDLIBS) $(COMMONLIBS) $(LIBZ)
#
# End of "$Id$".
#
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Arquivo binário não exibido.
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+787
Ver Arquivo
@@ -0,0 +1,787 @@
Network Printing Working Group L. McLaughlin III, Editor
Request for Comments: 1179 The Wollongong Group
August 1990
Line Printer Daemon Protocol
Status of this Memo
This RFC describes an existing print server protocol widely used on
the Internet for communicating between line printer daemons (both
clients and servers). This memo is for informational purposes only,
and does not specify an Internet standard. Please refer to the
current edition of the "IAB Official Protocol Standards" for the
standardization state and status of this protocol. Distribution of
this memo is unlimited.
1. Introduction
The Berkeley versions of the Unix(tm) operating system provide line
printer spooling with a collection of programs: lpr (assign to
queue), lpq (display the queue), lprm (remove from queue), and lpc
(control the queue). These programs interact with an autonomous
process called the line printer daemon. This RFC describes the
protocols with which a line printer daemon client may control
printing.
This memo is based almost entirely on the work of Robert Knight at
Princeton University. I gratefully acknowledge his efforts in
deciphering the UNIX lpr protocol and producing earlier versions of
this document.
2. Model of Printing Environment
A group of hosts request services from a line printer daemon process
running on a host. The services provided by the process are related
to printing jobs. A printing job produces output from one file.
Each job will have a unique job number which is between 0 and 999,
inclusive. The jobs are requested by users which have names. These
user names may not start with a digit.
3. Specification of the Protocol
The specification includes file formats for the control and data
files as well as messages used by the protocol.
McLaughlin [Page 1]
RFC 1179 LPR August 1990
3.1 Message formats
LPR is a a TCP-based protocol. The port on which a line printer
daemon listens is 515. The source port must be in the range 721 to
731, inclusive. A line printer daemon responds to commands send to
its port. All commands begin with a single octet code, which is a
binary number which represents the requested function. The code is
immediately followed by the ASCII name of the printer queue name on
which the function is to be performed. If there are other operands
to the command, they are separated from the printer queue name with
white space (ASCII space, horizontal tab, vertical tab, and form
feed). The end of the command is indicated with an ASCII line feed
character.
4. Diagram Conventions
The diagrams in the rest of this RFC use these conventions. These
diagrams show the format of an octet stream sent to the server. The
outermost box represents this stream. Each box within the outermost
one shows one portion of the stream. If the contents of the box is
two decimal digits, this indicates that the binary 8 bit value is to
be used. If the contents is two uppercase letters, this indicates
that the corresponding ASCII control character is to be used. An
exception to this is that the character SP can be interpreted as
white space. (See the preceding section for a definition.) If the
contents is a single letter, the ASCII code for this letter must be
sent. Otherwise, the contents are intended to be mnemonic of the
contents of the field which is a sequence of octets.
5. Daemon commands
The verbs in the command names should be interpreted as statements
made to the daemon. Thus, the command "Print any waiting jobs" is an
imperative to the line printer daemon to which it is sent. A new
connection must be made for each command to be given to the daemon.
5.1 01 - Print any waiting jobs
+----+-------+----+
| 01 | Queue | LF |
+----+-------+----+
Command code - 1
Operand - Printer queue name
This command starts the printing process if it not already running.
McLaughlin [Page 2]
RFC 1179 LPR August 1990
5.2 02 - Receive a printer job
+----+-------+----+
| 02 | Queue | LF |
+----+-------+----+
Command code - 2
Operand - Printer queue name
Receiving a job is controlled by a second level of commands. The
daemon is given commands by sending them over the same connection.
The commands are described in the next section (6).
After this command is sent, the client must read an acknowledgement
octet from the daemon. A positive acknowledgement is an octet of
zero bits. A negative acknowledgement is an octet of any other
pattern.
5.3 03 - Send queue state (short)
+----+-------+----+------+----+
| 03 | Queue | SP | List | LF |
+----+-------+----+------+----+
Command code - 3
Operand 1 - Printer queue name
Other operands - User names or job numbers
If the user names or job numbers or both are supplied then only those
jobs for those users or with those numbers will be sent.
The response is an ASCII stream which describes the printer queue.
The stream continues until the connection closes. Ends of lines are
indicated with ASCII LF control characters. The lines may also
contain ASCII HT control characters.
5.4 04 - Send queue state (long)
+----+-------+----+------+----+
| 04 | Queue | SP | List | LF |
+----+-------+----+------+----+
Command code - 4
Operand 1 - Printer queue name
Other operands - User names or job numbers
If the user names or job numbers or both are supplied then only those
jobs for those users or with those numbers will be sent.
The response is an ASCII stream which describes the printer queue.
The stream continues until the connection closes. Ends of lines are
McLaughlin [Page 3]
RFC 1179 LPR August 1990
indicated with ASCII LF control characters. The lines may also
contain ASCII HT control characters.
5.5 05 - Remove jobs
+----+-------+----+-------+----+------+----+
| 05 | Queue | SP | Agent | SP | List | LF |
+----+-------+----+-------+----+------+----+
Command code - 5
Operand 1 - Printer queue name
Operand 2 - User name making request (the agent)
Other operands - User names or job numbers
This command deletes the print jobs from the specified queue which
are listed as the other operands. If only the agent is given, the
command is to delete the currently active job. Unless the agent is
"root", it is not possible to delete a job which is not owned by the
user. This is also the case for specifying user names instead of
numbers. That is, agent "root" can delete jobs by user name but no
other agents can.
6. Receive job subcommands
These commands are processed when the line printer daemon has
been given the receive job command. The daemon will continue to
process commands until the connection is closed.
After a subcommand is sent, the client must wait for an
acknowledgement from the daemon. A positive acknowledgement is an
octet of zero bits. A negative acknowledgement is an octet of any
other pattern.
LPR clients SHOULD be able to sent the receive data file and receive
control file subcommands in either order. LPR servers MUST be able
to receive the control file subcommand first and SHOULD be able to
receive the data file subcommand first.
6.1 01 - Abort job
Command code - 1
+----+----+
| 01 | LF |
+----+----+
No operands should be supplied. This subcommand will remove any
files which have been created during this "Receive job" command.
McLaughlin [Page 4]
RFC 1179 LPR August 1990
6.2 02 - Receive control file
+----+-------+----+------+----+
| 02 | Count | SP | Name | LF |
+----+-------+----+------+----+
Command code - 2
Operand 1 - Number of bytes in control file
Operand 2 - Name of control file
The control file must be an ASCII stream with the ends of lines
indicated by ASCII LF. The total number of bytes in the stream is
sent as the first operand. The name of the control file is sent as
the second. It should start with ASCII "cfA", followed by a three
digit job number, followed by the host name which has constructed the
control file. Acknowledgement processing must occur as usual after
the command is sent.
The next "Operand 1" octets over the same TCP connection are the
intended contents of the control file. Once all of the contents have
been delivered, an octet of zero bits is sent as an indication that
the file being sent is complete. A second level of acknowledgement
processing must occur at this point.
6.3 03 - Receive data file
+----+-------+----+------+----+
| 03 | Count | SP | Name | LF |
+----+-------+----+------+----+
Command code - 3
Operand 1 - Number of bytes in data file
Operand 2 - Name of data file
The data file may contain any 8 bit values at all. The total number
of bytes in the stream may be sent as the first operand, otherwise
the field should be cleared to 0. The name of the data file should
start with ASCII "dfA". This should be followed by a three digit job
number. The job number should be followed by the host name which has
constructed the data file. Interpretation of the contents of the
data file is determined by the contents of the corresponding control
file. If a data file length has been specified, the next "Operand 1"
octets over the same TCP connection are the intended contents of the
data file. In this case, once all of the contents have been
delivered, an octet of zero bits is sent as an indication that the
file being sent is complete. A second level of acknowledgement
processing must occur at this point.
McLaughlin [Page 5]
RFC 1179 LPR August 1990
7. Control file lines
This section discusses the format of the lines in the control file
which is sent to the line printer daemon.
Each line of the control file consists of a single, printable ASCII
character which represents a function to be performed when the file
is printed. Interpretation of these command characters are case-
sensitive. The rest of the line after the command character is the
command's operand. No leading white space is permitted after the
command character. The line ends with an ASCII new line.
Those commands which have a lower case letter as a command code are
used to specify an actual printing request. The commands which use
upper case are used to describe parametric values or background
conditions.
Some commands must be included in every control file. These are 'H'
(responsible host) and 'P' (responsible user). Additionally, there
must be at least one lower case command to produce any output.
7.1 C - Class for banner page
+---+-------+----+
| C | Class | LF |
+---+-------+----+
Command code - 'C'
Operand - Name of class for banner pages
This command sets the class name to be printed on the banner page.
The name must be 31 or fewer octets. The name can be omitted. If it
is, the name of the host on which the file is printed will be used.
The class is conventionally used to display the host from which the
printing job originated. It will be ignored unless the print banner
command ('L') is also used.
7.2 H - Host name
+---+------+----+
| H | Host | LF |
+---+------+----+
Command code - 'H'
Operand - Name of host
This command specifies the name of the host which is to be treated as
the source of the print job. The command must be included in the
control file. The name of the host must be 31 or fewer octets.
McLaughlin [Page 6]
RFC 1179 LPR August 1990
7.3 I - Indent Printing
+---+-------+----+
| I | count | LF |
+---+-------+----+
Command code - 'I'
Operand - Indenting count
This command specifies that, for files which are printed with the
'f', of columns given. (It is ignored for other output generating
commands.) The identing count operand must be all decimal digits.
7.4 J - Job name for banner page
+---+----------+----+
| J | Job name | LF |
+---+----------+----+
Command code - 'J'
Operand - Job name
This command sets the job name to be printed on the banner page. The
name of the job must be 99 or fewer octets. It can be omitted. The
job name is conventionally used to display the name of the file or
files which were "printed". It will be ignored unless the print
banner command ('L') is also used.
7.5 L - Print banner page
+---+------+----+
| L | User | LF |
+---+------+----+
Command code - 'L'
Operand - Name of user for burst pages
This command causes the banner page to be printed. The user name can
be omitted. The class name for banner page and job name for banner
page commands must precede this command in the control file to be
effective.
7.6 M - Mail When Printed
+---+------+----+
| M | user | LF |
+---+------+----+
Command code - 'M'
Operand - User name
This entry causes mail to be sent to the user given as the operand at
McLaughlin [Page 7]
RFC 1179 LPR August 1990
the host specified by the 'H' entry when the printing operation ends
(successfully or unsuccessfully).
7.7 N - Name of source file
+---+------+----+
| N | Name | LF |
+---+------+----+
Command code - 'N'
Operand - File name
This command specifies the name of the file from which the data file
was constructed. It is returned on a query and used in printing with
the 'p' command when no title has been given. It must be 131 or
fewer octets.
7.8 P - User identification
+---+------+----+
| P | Name | LF |
+---+------+----+
Command code - 'P'
Operand - User id
This command specifies the user identification of the entity
requesting the printing job. This command must be included in the
control file. The user identification must be 31 or fewer octets.
7.9 S - Symbolic link data
+---+--------+----+-------+----+
| S | device | SP | inode | LF |
+---+--------+----+-------+----+
Command code - 'S'
Operand 1 - Device number
Operand 2 - Inode number
This command is used to record symbolic link data on a Unix system so
that changing a file's directory entry after a file is printed will
not print the new file. It is ignored if the data file is not
symbolically linked.
McLaughlin [Page 8]
RFC 1179 LPR August 1990
7.10 T - Title for pr
+---+-------+----+
| T | title | LF |
+---+-------+----+
Command code - 'T'
Operand - Title text
This command provides a title for a file which is to be printed with
either the 'p' command. (It is ignored by all of the other printing
commands.) The title must be 79 or fewer octets.
7.11 U - Unlink data file
+---+------+----+
| U | file | LF |
+---+------+----+
Command code - 'U'
Operand - File to unlink
This command indicates that the specified file is no longer needed.
This should only be used for data files.
7.12 W - Width of output
+---+-------+----+
| W | width | LF |
+---+-------+----+
Command code - 'W'
Operand - Width count
This command limits the output to the specified number of columns for
the 'f', 'l', and 'p' commands. (It is ignored for other output
generating commands.) The width count operand must be all decimal
digits. It may be silently reduced to some lower value. The default
value for the width is 132.
7.13 1 - troff R font
+---+------+----+
| 1 | file | LF |
+---+------+----+
Command code - '1'
Operand - File name
This command specifies the file name for the troff R font. [1] This
is the font which is printed using Times Roman by default.
McLaughlin [Page 9]
RFC 1179 LPR August 1990
7.14 2 - troff I font
+---+------+----+
| 2 | file | LF |
+---+------+----+
Command code - '2'
Operand - File name
This command specifies the file name for the troff I font. [1] This
is the font which is printed using Times Italic by default.
7.15 3 - troff B font
+---+------+----+
| 3 | file | LF |
+---+------+----+
Command code - '3'
Operand - File name
This command specifies the file name for the troff B font. [1] This
is the font which is printed using Times Bold by default.
7.16 4 - troff S font
+---+------+----+
| 4 | file | LF |
+---+------+----+
Command code - '4'
Operand - File name
This command specifies the file name for the troff S font. [1] This
is the font which is printed using Special Mathematical Font by
default.
7.17 c - Plot CIF file
+---+------+----+
| c | file | LF |
+---+------+----+
Command code - 'c'
Operand - File to plot
This command causes the data file to be plotted, treating the data as
CIF (CalTech Intermediate Form) graphics language. [2]
McLaughlin [Page 10]
RFC 1179 LPR August 1990
7.18 d - Print DVI file
+---+------+----+
| d | file | LF |
+---+------+----+
Command code - 'd'
Operand - File to print
This command causes the data file to be printed, treating the data as
DVI (TeX output). [3]
7.19 f - Print formatted file
+---+------+----+
| f | file | LF |
+---+------+----+
Command code - 'f'
Operand - File to print
This command cause the data file to be printed as a plain text file,
providing page breaks as necessary. Any ASCII control characters
which are not in the following list are discarded: HT, CR, FF, LF,
and BS.
7.20 g - Plot file
+---+------+----+
| g | file | LF |
+---+------+----+
Command code - 'g'
Operand - File to plot
This command causes the data file to be plotted, treating the data as
output from the Berkeley Unix plot library. [1]
7.21 k - Reserved for use by Kerberized LPR clients and servers.
7.22 l - Print file leaving control characters
+---+------+----+
| l | file | LF |
+---+------+----+
Command code - 'l' (lower case L)
Operand - File to print
This command causes the specified data file to printed without
filtering the control characters (as is done with the 'f' command).
McLaughlin [Page 11]
RFC 1179 LPR August 1990
7.23 n - Print ditroff output file
+---+------+----+
| n | file | LF |
+---+------+----+
Command code - 'n'
Operand - File to print
This command prints the data file to be printed, treating the data as
ditroff output. [4]
7.24 o - Print Postscript output file
+---+------+----+
| o | file | LF |
+---+------+----+
Command code - 'o'
Operand - File to print
This command prints the data file to be printed, treating the data as
standard Postscript input.
7.25 p - Print file with 'pr' format
+---+------+----+
| p | file | LF |
+---+------+----+
Command code - 'p'
Operand - File to print
This command causes the data file to be printed with a heading, page
numbers, and pagination. The heading should include the date and
time that printing was started, the title, and a page number
identifier followed by the page number. The title is the name of
file as specified by the 'N' command, unless the 'T' command (title)
has been given. After a page of text has been printed, a new page is
started with a new page number. (There is no way to specify the
length of the page.)
7.26 r - File to print with FORTRAN carriage control
+---+------+----+
| r | file | LF |
+---+------+----+
Command code - 'r'
Operand - File to print
This command causes the data file to be printed, interpreting the
McLaughlin [Page 12]
RFC 1179 LPR August 1990
first column of each line as FORTRAN carriage control. The FORTRAN
standard limits this to blank, "1", "0", and "+" carriage controls.
Most FORTRAN programmers also expect "-" (triple space) to work as
well.
7.27 t - Print troff output file
+---+------+----+
| t | file | LF |
+---+------+----+
Command code - 't'
Operand - File to print
This command prints the data file as Graphic Systems C/A/T
phototypesetter input. [5] This is the standard output of the Unix
"troff" command.
7.28 v - Print raster file
+---+------+----+
| v | file | LF |
+---+------+----+
Command code - 'v'
Operand - File to print
This command prints a Sun raster format file. [6]
7.29 z - Reserved for future use with the Palladium print system.
REFERENCES and BIBLIOGRAPHY
[1] Computer Science Research Group, "UNIX Programmer's Reference
Manual", USENIX, 1986.
[2] Hon and Sequin, "A Guide to LSI Implementation", XEROX PARC,
1980.
[3] Knuth, D., "TeX The Program".
[4] Kernighan, B., "A Typesetter-independent TROFF".
[5] "Model C/A/T Phototypesetter", Graphic Systems, Inc. Hudson, N.H.
[6] Sun Microsystems, "Pixrect Reference Manual", Sun Microsystems,
Mountain View, CA, 1988.
McLaughlin [Page 13]
RFC 1179 LPR August 1990
Security Considerations
Security issues are not discussed in this memo.
Author's Address
Leo J. McLaughlin III
The Wollongong Group
1129 San Antonio Road
Palo Alto, CA 94303
Phone: 415-962-7100
EMail: ljm@twg.com
McLaughlin [Page 14]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+899
Ver Arquivo
@@ -0,0 +1,899 @@
Network Working Group J. Myers
Request for Comments: 2222 Netscape Communications
Category: Standards Track October 1997
Simple Authentication and Security Layer (SASL)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1997). All Rights Reserved.
Table of Contents
1. Abstract .............................................. 2
2. Organization of this Document ......................... 2
2.1. How to Read This Document ............................. 2
2.2. Conventions Used in this Document ..................... 2
2.3. Examples .............................................. 3
3. Introduction and Overview ............................. 3
4. Profiling requirements ................................ 4
5. Specific issues ....................................... 5
5.1. Client sends data first ............................... 5
5.2. Server returns success with additional data ........... 5
5.3. Multiple authentications .............................. 5
6. Registration procedures ............................... 6
6.1. Comments on SASL mechanism registrations .............. 6
6.2. Location of Registered SASL Mechanism List ............ 6
6.3. Change Control ........................................ 7
6.4. Registration Template ................................. 7
7. Mechanism definitions ................................. 8
7.1. Kerberos version 4 mechanism .......................... 8
7.2. GSSAPI mechanism ...................................... 9
7.2.1 Client side of authentication protocol exchange ....... 9
7.2.2 Server side of authentication protocol exchange ....... 10
7.2.3 Security layer ........................................ 11
7.3. S/Key mechanism ....................................... 11
7.4. External mechanism .................................... 12
8. References ............................................ 13
9. Security Considerations ............................... 13
10. Author's Address ...................................... 14
Myers Standards Track [Page 1]
RFC 2222 SASL October 1997
Appendix A. Relation of SASL to Transport Security .......... 15
Full Copyright Statement .................................... 16
1. Abstract
This document describes a method for adding authentication support to
connection-based protocols. To use this specification, a protocol
includes a command for identifying and authenticating a user to a
server and for optionally negotiating protection of subsequent
protocol interactions. If its use is negotiated, a security layer is
inserted between the protocol and the connection. This document
describes how a protocol specifies such a command, defines several
mechanisms for use by the command, and defines the protocol used for
carrying a negotiated security layer over the connection.
2. Organization of this Document
2.1. How to Read This Document
This document is written to serve two different audiences, protocol
designers using this specification to support authentication in their
protocol, and implementors of clients or servers for those protocols
using this specification.
The sections "Introduction and Overview", "Profiling requirements",
and "Security Considerations" cover issues that protocol designers
need to understand and address in profiling this specification for
use in a specific protocol.
Implementors of a protocol using this specification need the
protocol-specific profiling information in addition to the
information in this document.
2.2. Conventions Used in this Document
In examples, "C:" and "S:" indicate lines sent by the client and
server respectively.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
in this document are to be interpreted as defined in "Key words for
use in RFCs to Indicate Requirement Levels" [RFC 2119].
Myers Standards Track [Page 2]
RFC 2222 SASL October 1997
2.3. Examples
Examples in this document are for the IMAP profile [RFC 2060] of this
specification. The base64 encoding of challenges and responses, as
well as the "+ " preceding the responses are part of the IMAP4
profile, not part of the SASL specification itself.
3. Introduction and Overview
The Simple Authentication and Security Layer (SASL) is a method for
adding authentication support to connection-based protocols. To use
this specification, a protocol includes a command for identifying and
authenticating a user to a server and for optionally negotiating a
security layer for subsequent protocol interactions.
The command has a required argument identifying a SASL mechanism.
SASL mechanisms are named by strings, from 1 to 20 characters in
length, consisting of upper-case letters, digits, hyphens, and/or
underscores. SASL mechanism names must be registered with the IANA.
Procedures for registering new SASL mechanisms are given in the
section "Registration procedures"
If a server supports the requested mechanism, it initiates an
authentication protocol exchange. This consists of a series of
server challenges and client responses that are specific to the
requested mechanism. The challenges and responses are defined by the
mechanisms as binary tokens of arbitrary length. The protocol's
profile then specifies how these binary tokens are then encoded for
transfer over the connection.
After receiving the authentication command or any client response, a
server may issue a challenge, indicate failure, or indicate
completion. The protocol's profile specifies how the server
indicates which of the above it is doing.
After receiving a challenge, a client may issue a response or abort
the exchange. The protocol's profile specifies how the client
indicates which of the above it is doing.
During the authentication protocol exchange, the mechanism performs
authentication, transmits an authorization identity (frequently known
as a userid) from the client to server, and negotiates the use of a
mechanism-specific security layer. If the use of a security layer is
agreed upon, then the mechanism must also define or negotiate the
maximum cipher-text buffer size that each side is able to receive.
Myers Standards Track [Page 3]
RFC 2222 SASL October 1997
The transmitted authorization identity may be different than the
identity in the client's authentication credentials. This permits
agents such as proxy servers to authenticate using their own
credentials, yet request the access privileges of the identity for
which they are proxying. With any mechanism, transmitting an
authorization identity of the empty string directs the server to
derive an authorization identity from the client's authentication
credentials.
If use of a security layer is negotiated, it is applied to all
subsequent data sent over the connection. The security layer takes
effect immediately following the last response of the authentication
exchange for data sent by the client and the completion indication
for data sent by the server. Once the security layer is in effect,
the protocol stream is processed by the security layer into buffers
of cipher-text. Each buffer is transferred over the connection as a
stream of octets prepended with a four octet field in network byte
order that represents the length of the following buffer. The length
of the cipher-text buffer must be no larger than the maximum size
that was defined or negotiated by the other side.
4. Profiling requirements
In order to use this specification, a protocol definition must supply
the following information:
1. A service name, to be selected from the IANA registry of "service"
elements for the GSSAPI host-based service name form [RFC 2078].
2. A definition of the command to initiate the authentication
protocol exchange. This command must have as a parameter the
mechanism name being selected by the client.
The command SHOULD have an optional parameter giving an initial
response. This optional parameter allows the client to avoid a
round trip when using a mechanism which is defined to have the
client send data first. When this initial response is sent by the
client and the selected mechanism is defined to have the server
start with an initial challenge, the command fails. See section
5.1 of this document for further information.
3. A definition of the method by which the authentication protocol
exchange is carried out, including how the challenges and
responses are encoded, how the server indicates completion or
failure of the exchange, how the client aborts an exchange, and
how the exchange method interacts with any line length limits in
the protocol.
Myers Standards Track [Page 4]
RFC 2222 SASL October 1997
4. Identification of the octet where any negotiated security layer
starts to take effect, in both directions.
5. A specification of how the authorization identity passed from the
client to the server is to be interpreted.
5. Specific issues
5.1. Client sends data first
Some mechanisms specify that the first data sent in the
authentication protocol exchange is from the client to the server.
If a protocol's profile permits the command which initiates an
authentication protocol exchange to contain an initial client
response, this parameter SHOULD be used with such mechanisms.
If the initial client response parameter is not given, or if a
protocol's profile does not permit the command which initiates an
authentication protocol exchange to contain an initial client
response, then the server issues a challenge with no data. The
client's response to this challenge is then used as the initial
client response. (The server then proceeds to send the next
challenge, indicates completion, or indicates failure.)
5.2. Server returns success with additional data
Some mechanisms may specify that server challenge data be sent to the
client along with an indication of successful completion of the
exchange. This data would, for example, authenticate the server to
the client.
If a protocol's profile does not permit this server challenge to be
returned with a success indication, then the server issues the server
challenge without an indication of successful completion. The client
then responds with no data. After receiving this empty response, the
server then indicates successful completion.
5.3. Multiple authentications
Unless otherwise stated by the protocol's profile, only one
successful SASL negotiation may occur in a protocol session. In this
case, once an authentication protocol exchange has successfully
completed, further attempts to initiate an authentication protocol
exchange fail.
Myers Standards Track [Page 5]
RFC 2222 SASL October 1997
In the case that a profile explicitly permits multiple successful
SASL negotiations to occur, then in no case may multiple security
layers be simultaneously in effect. If a security layer is in effect
and a subsequent SASL negotiation selects no security layer, the
original security layer remains in effect. If a security layer is in
effect and a subsequent SASL negotiation selects a second security
layer, then the second security layer replaces the first.
6. Registration procedures
Registration of a SASL mechanism is done by filling in the template
in section 6.4 and sending it in to iana@isi.edu. IANA has the right
to reject obviously bogus registrations, but will perform no review
of clams made in the registration form.
There is no naming convention for SASL mechanisms; any name that
conforms to the syntax of a SASL mechanism name can be registered.
While the registration procedures do not require it, authors of SASL
mechanisms are encouraged to seek community review and comment
whenever that is feasible. Authors may seek community review by
posting a specification of their proposed mechanism as an internet-
draft. SASL mechanisms intended for widespread use should be
standardized through the normal IETF process, when appropriate.
6.1. Comments on SASL mechanism registrations
Comments on registered SASL mechanisms should first be sent to the
"owner" of the mechanism. Submitters of comments may, after a
reasonable attempt to contact the owner, request IANA to attach their
comment to the SASL mechanism registration itself. If IANA approves
of this the comment will be made accessible in conjunction with the
SASL mechanism registration itself.
6.2. Location of Registered SASL Mechanism List
SASL mechanism registrations will be posted in the anonymous FTP
directory "ftp://ftp.isi.edu/in-notes/iana/assignments/sasl-
mechanisms/" and all registered SASL mechanisms will be listed in the
periodically issued "Assigned Numbers" RFC [currently STD 2, RFC
1700]. The SASL mechanism description and other supporting material
may also be published as an Informational RFC by sending it to "rfc-
editor@isi.edu" (please follow the instructions to RFC authors [RFC
2223]).
Myers Standards Track [Page 6]
RFC 2222 SASL October 1997
6.3. Change Control
Once a SASL mechanism registration has been published by IANA, the
author may request a change to its definition. The change request
follows the same procedure as the registration request.
The owner of a SASL mechanism may pass responsibility for the SASL
mechanism to another person or agency by informing IANA; this can be
done without discussion or review.
The IESG may reassign responsibility for a SASL mechanism. The most
common case of this will be to enable changes to be made to
mechanisms where the author of the registration has died, moved out
of contact or is otherwise unable to make changes that are important
to the community.
SASL mechanism registrations may not be deleted; mechanisms which are
no longer believed appropriate for use can be declared OBSOLETE by a
change to their "intended use" field; such SASL mechanisms will be
clearly marked in the lists published by IANA.
The IESG is considered to be the owner of all SASL mechanisms which
are on the IETF standards track.
6.4. Registration Template
To: iana@iana.org
Subject: Registration of SASL mechanism X
SASL mechanism name:
Security considerations:
Published specification (optional, recommended):
Person & email address to contact for further information:
Intended usage:
(One of COMMON, LIMITED USE or OBSOLETE)
Author/Change controller:
(Any other information that the author deems interesting may be
added below this line.)
Myers Standards Track [Page 7]
RFC 2222 SASL October 1997
7. Mechanism definitions
The following mechanisms are hereby defined.
7.1. Kerberos version 4 mechanism
The mechanism name associated with Kerberos version 4 is
"KERBEROS_V4".
The first challenge consists of a random 32-bit number in network
byte order. The client responds with a Kerberos ticket and an
authenticator for the principal "service.hostname@realm", where
"service" is the service name specified in the protocol's profile,
"hostname" is the first component of the host name of the server with
all letters in lower case, and where "realm" is the Kerberos realm of
the server. The encrypted checksum field included within the
Kerberos authenticator contains the server provided challenge in
network byte order.
Upon decrypting and verifying the ticket and authenticator, the
server verifies that the contained checksum field equals the original
server provided random 32-bit number. Should the verification be
successful, the server must add one to the checksum and construct 8
octets of data, with the first four octets containing the incremented
checksum in network byte order, the fifth octet containing a bit-mask
specifying the security layers supported by the server, and the sixth
through eighth octets containing, in network byte order, the maximum
cipher-text buffer size the server is able to receive. The server
must encrypt using DES ECB mode the 8 octets of data in the session
key and issue that encrypted data in a second challenge. The client
considers the server authenticated if the first four octets of the
un-encrypted data is equal to one plus the checksum it previously
sent.
The client must construct data with the first four octets containing
the original server-issued checksum in network byte order, the fifth
octet containing the bit-mask specifying the selected security layer,
the sixth through eighth octets containing in network byte order the
maximum cipher-text buffer size the client is able to receive, and
the following octets containing the authorization identity. The
client must then append from one to eight zero-valued octets so that
the length of the data is a multiple of eight octets. The client must
then encrypt using DES PCBC mode the data with the session key and
respond with the encrypted data. The server decrypts the data and
verifies the contained checksum. The server must verify that the
principal identified in the Kerberos ticket is authorized to connect
as that authorization identity. After this verification, the
authentication process is complete.
Myers Standards Track [Page 8]
RFC 2222 SASL October 1997
The security layers and their corresponding bit-masks are as follows:
1 No security layer
2 Integrity (krb_mk_safe) protection
4 Privacy (krb_mk_priv) protection
Other bit-masks may be defined in the future; bits which are not
understood must be negotiated off.
EXAMPLE: The following are two Kerberos version 4 login scenarios to
the IMAP4 protocol (note that the line breaks in the sample
authenticators are for editorial clarity and are not in real
authenticators)
S: * OK IMAP4 Server
C: A001 AUTHENTICATE KERBEROS_V4
S: + AmFYig==
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
+nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
S: + or//EoAADZI=
C: DiAF5A4gA+oOIALuBkAAmw==
S: A001 OK Kerberos V4 authentication successful
S: * OK IMAP4 Server
C: A001 AUTHENTICATE KERBEROS_V4
S: + gcfgCA==
C: BAcAQU5EUkVXLkNNVS5FRFUAOCAsho84kLN3/IJmrMG+25a4DT
+nZImJjnTNHJUtxAA+o0KPKfHEcAFs9a3CL5Oebe/ydHJUwYFd
WwuQ1MWiy6IesKvjL5rL9WjXUb9MwT9bpObYLGOKi1Qh
S: A001 NO Kerberos V4 authentication failed
7.2. GSSAPI mechanism
The mechanism name associated with all mechanisms employing the
GSSAPI [RFC 2078] is "GSSAPI".
7.2.1 Client side of authentication protocol exchange
The client calls GSS_Init_sec_context, passing in 0 for
input_context_handle (initially) and a targ_name equal to output_name
from GSS_Import_Name called with input_name_type of
GSS_C_NT_HOSTBASED_SERVICE and input_name_string of
"service@hostname" where "service" is the service name specified in
the protocol's profile, and "hostname" is the fully qualified host
name of the server. The client then responds with the resulting
output_token. If GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED,
Myers Standards Track [Page 9]
RFC 2222 SASL October 1997
then the client should expect the server to issue a token in a
subsequent challenge. The client must pass the token to another call
to GSS_Init_sec_context, repeating the actions in this paragraph.
When GSS_Init_sec_context returns GSS_S_COMPLETE, the client takes
the following actions: If the last call to GSS_Init_sec_context
returned an output_token, then the client responds with the
output_token, otherwise the client responds with no data. The client
should then expect the server to issue a token in a subsequent
challenge. The client passes this token to GSS_Unwrap and interprets
the first octet of resulting cleartext as a bit-mask specifying the
security layers supported by the server and the second through fourth
octets as the maximum size output_message to send to the server. The
client then constructs data, with the first octet containing the
bit-mask specifying the selected security layer, the second through
fourth octets containing in network byte order the maximum size
output_message the client is able to receive, and the remaining
octets containing the authorization identity. The client passes the
data to GSS_Wrap with conf_flag set to FALSE, and responds with the
generated output_message. The client can then consider the server
authenticated.
7.2.2 Server side of authentication protocol exchange
The server passes the initial client response to
GSS_Accept_sec_context as input_token, setting input_context_handle
to 0 (initially). If GSS_Accept_sec_context returns
GSS_S_CONTINUE_NEEDED, the server returns the generated output_token
to the client in challenge and passes the resulting response to
another call to GSS_Accept_sec_context, repeating the actions in this
paragraph.
When GSS_Accept_sec_context returns GSS_S_COMPLETE, the client takes
the following actions: If the last call to GSS_Accept_sec_context
returned an output_token, the server returns it to the client in a
challenge and expects a reply from the client with no data. Whether
or not an output_token was returned (and after receipt of any
response from the client to such an output_token), the server then
constructs 4 octets of data, with the first octet containing a bit-
mask specifying the security layers supported by the server and the
second through fourth octets containing in network byte order the
maximum size output_token the server is able to receive. The server
must then pass the plaintext to GSS_Wrap with conf_flag set to FALSE
and issue the generated output_message to the client in a challenge.
The server must then pass the resulting response to GSS_Unwrap and
interpret the first octet of resulting cleartext as the bit-mask for
the selected security layer, the second through fourth octets as the
maximum size output_message to send to the client, and the remaining
Myers Standards Track [Page 10]
RFC 2222 SASL October 1997
octets as the authorization identity. The server must verify that
the src_name is authorized to authenticate as the authorization
identity. After these verifications, the authentication process is
complete.
7.2.3 Security layer
The security layers and their corresponding bit-masks are as follows:
1 No security layer
2 Integrity protection.
Sender calls GSS_Wrap with conf_flag set to FALSE
4 Privacy protection.
Sender calls GSS_Wrap with conf_flag set to TRUE
Other bit-masks may be defined in the future; bits which are not
understood must be negotiated off.
7.3. S/Key mechanism
The mechanism name associated with S/Key [RFC 1760] using the MD4
digest algorithm is "SKEY".
The client sends an initial response with the authorization identity.
The server then issues a challenge which contains the decimal
sequence number followed by a single space and the seed string for
the indicated authorization identity. The client responds with the
one-time-password, as either a 64-bit value in network byte order or
encoded in the "six English words" format.
The server must verify the one-time-password. After this
verification, the authentication process is complete.
S/Key authentication does not provide for any security layers.
EXAMPLE: The following are two S/Key login scenarios in the IMAP4
protocol.
S: * OK IMAP4 Server
C: A001 AUTHENTICATE SKEY
S: +
C: bW9yZ2Fu
S: + OTUgUWE1ODMwOA==
C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
S: A001 OK S/Key authentication successful
Myers Standards Track [Page 11]
RFC 2222 SASL October 1997
S: * OK IMAP4 Server
C: A001 AUTHENTICATE SKEY
S: +
C: c21pdGg=
S: + OTUgUWE1ODMwOA==
C: BsAY3g4gBNo=
S: A001 NO S/Key authentication failed
The following is an S/Key login scenario in an IMAP4-like protocol
which has an optional "initial response" argument to the AUTHENTICATE
command.
S: * OK IMAP4-Like Server
C: A001 AUTHENTICATE SKEY bW9yZ2Fu
S: + OTUgUWE1ODMwOA==
C: Rk9VUiBNQU5OIFNPT04gRklSIFZBUlkgTUFTSA==
S: A001 OK S/Key authentication successful
7.4. External mechanism
The mechanism name associated with external authentication is
"EXTERNAL".
The client sends an initial response with the authorization identity.
The server uses information, external to SASL, to determine whether
the client is authorized to authenticate as the authorization
identity. If the client is so authorized, the server indicates
successful completion of the authentication exchange; otherwise the
server indicates failure.
The system providing this external information may be, for example,
IPsec or TLS.
If the client sends the empty string as the authorization identity
(thus requesting the authorization identity be derived from the
client's authentication credentials), the authorization identity is
to be derived from authentication credentials which exist in the
system which is providing the external authentication.
Myers Standards Track [Page 12]
RFC 2222 SASL October 1997
8. References
[RFC 2060] Crispin, M., "Internet Message Access Protocol - Version
4rev1", RFC 2060, December 1996.
[RFC 2078] Linn, J., "Generic Security Service Application Program
Interface, Version 2", RFC 2078, January 1997.
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[RFC 2223] Postel, J., and J. Reynolds, "Instructions to RFC
Authors", RFC 2223, October 1997.
[RFC 1760] Haller, N., "The S/Key One-Time Password System", RFC
1760, February 1995.
[RFC 1700] Reynolds, J., and J. Postel, "Assigned Numbers", STD 2,
RFC 1700, October 1994.
9. Security Considerations
Security issues are discussed throughout this memo.
The mechanisms that support integrity protection are designed such
that the negotiation of the security layer and authorization identity
is integrity protected. When the client selects a security layer
with at least integrity protection, this protects against an active
attacker hijacking the connection and modifying the authentication
exchange to negotiate a plaintext connection.
When a server or client supports multiple authentication mechanisms,
each of which has a different security strength, it is possible for
an active attacker to cause a party to use the least secure mechanism
supported. To protect against this sort of attack, a client or
server which supports mechanisms of different strengths should have a
configurable minimum strength that it will use. It is not sufficient
for this minimum strength check to only be on the server, since an
active attacker can change which mechanisms the client sees as being
supported, causing the client to send authentication credentials for
its weakest supported mechanism.
Myers Standards Track [Page 13]
RFC 2222 SASL October 1997
The client's selection of a SASL mechanism is done in the clear and
may be modified by an active attacker. It is important for any new
SASL mechanisms to be designed such that an active attacker cannot
obtain an authentication with weaker security properties by modifying
the SASL mechanism name and/or the challenges and responses.
Any protocol interactions prior to authentication are performed in
the clear and may be modified by an active attacker. In the case
where a client selects integrity protection, it is important that any
security-sensitive protocol negotiations be performed after
authentication is complete. Protocols should be designed such that
negotiations performed prior to authentication should be either
ignored or revalidated once authentication is complete.
10. Author's Address
John G. Myers
Netscape Communications
501 E. Middlefield Road
Mail Stop MV-029
Mountain View, CA 94043-4042
EMail: jgmyers@netscape.com
Myers Standards Track [Page 14]
RFC 2222 SASL October 1997
Appendix A. Relation of SASL to Transport Security
Questions have been raised about the relationship between SASL and
various services (such as IPsec and TLS) which provide a secured
connection.
Two of the key features of SASL are:
1. The separation of the authorization identity from the identity in
the client's credentials. This permits agents such as proxy
servers to authenticate using their own credentials, yet request
the access privileges of the identity for which they are proxying.
2. Upon successful completion of an authentication exchange, the
server knows the authorization identity the client wishes to use.
This allows servers to move to a "user is authenticated" state in
the protocol.
These features are extremely important to some application protocols,
yet Transport Security services do not always provide them. To
define SASL mechanisms based on these services would be a very messy
task, as the framing of these services would be redundant with the
framing of SASL and some method of providing these important SASL
features would have to be devised.
Sometimes it is desired to enable within an existing connection the
use of a security service which does not fit the SASL model. (TLS is
an example of such a service.) This can be done by adding a command,
for example "STARTTLS", to the protocol. Such a command is outside
the scope of SASL, and should be different from the command which
starts a SASL authentication protocol exchange.
In certain situations, it is reasonable to use SASL underneath one of
these Transport Security services. The transport service would
secure the connection, either service would authenticate the client,
and SASL would negotiate the authorization identity. The SASL
negotiation would be what moves the protocol from "unauthenticated"
to "authenticated" state. The "EXTERNAL" SASL mechanism is
explicitly intended to handle the case where the transport service
secures the connection and authenticates the client and SASL
negotiates the authorization identity.
When using SASL underneath a sufficiently strong Transport Security
service, a SASL security layer would most likely be redundant. The
client and server would thus probably want to negotiate off the use
of a SASL security layer.
Myers Standards Track [Page 15]
RFC 2222 SASL October 1997
Full Copyright Statement
Copyright (C) The Internet Society (1997). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implmentation may be prepared, copied, published
andand distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Myers Standards Track [Page 16]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+451
Ver Arquivo
@@ -0,0 +1,451 @@
Network Working Group P. Hoffman
Request for Comments: 2487 Internet Mail Consortium
Category: Standards Track January 1999
SMTP Service Extension for Secure SMTP over TLS
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
1. Abstract
This document describes an extension to the SMTP service that allows
an SMTP server and client to use transport-layer security to provide
private, authenticated communication over the Internet. This gives
SMTP agents the ability to protect some or all of their
communications from eavesdroppers and attackers.
2. Introduction
SMTP [RFC-821] servers and clients normally communicate in the clear
over the Internet. In many cases, this communication goes through one
or more router that is not controlled or trusted by either entity.
Such an untrusted router might allow a third party to monitor or
alter the communications between the server and client.
Further, there is often a desire for two SMTP agents to be able to
authenticate each others' identities. For example, a secure SMTP
server might only allow communications from other SMTP agents it
knows, or it might act differently for messages received from an
agent it knows than from one it doesn't know.
TLS [TLS], more commonly known as SSL, is a popular mechanism for
enhancing TCP communications with privacy and authentication. TLS is
in wide use with the HTTP protocol, and is also being used for adding
security to many other common protocols that run over TCP.
Hoffman Standards Track [Page 1]
RFC 2487 SMTP Service Extension January 1999
2.1 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC-2119].
3. STARTTLS Extension
The STARTTLS extension to SMTP is laid out as follows:
(1) the name of the SMTP service defined here is STARTTLS;
(2) the EHLO keyword value associated with the extension is STARTTLS;
(3) the STARTTLS keyword has no parameters;
(4) a new SMTP verb, "STARTTLS", is defined;
(5) no additional parameters are added to any SMTP command.
4. The STARTTLS Keyword
The STARTTLS keyword is used to tell the SMTP client that the SMTP
server allows use of TLS. It takes no parameters.
5. The STARTTLS Command
The format for the STARTTLS command is:
STARTTLS
with no parameters.
After the client gives the STARTTLS command, the server responds with
one of the following reply codes:
220 Ready to start TLS
501 Syntax error (no parameters allowed)
454 TLS not available due to temporary reason
A publicly-referenced SMTP server MUST NOT require use of the
STARTTLS extension in order to deliver mail locally. This rule
prevents the STARTTLS extension from damaging the interoperability of
the Internet's SMTP infrastructure. A publicly-referenced SMTP server
is an SMTP server which runs on port 25 of an Internet host listed in
the MX record (or A record if an MX record is not present) for the
domain name on the right hand side of an Internet mail address.
Hoffman Standards Track [Page 2]
RFC 2487 SMTP Service Extension January 1999
Any SMTP server may refuse to accept messages for relay based on
authentication supplied during the TLS negotiation. An SMTP server
that is not publicly referenced may refuse to accept any messages for
relay or local delivery based on authentication supplied during the
TLS negotiation.
A SMTP server that is not publicly referenced may choose to require
that the client perform a TLS negotiation before accepting any
commands. In this case, the server SHOULD return the reply code:
530 Must issue a STARTTLS command first
to every command other than NOOP, EHLO, STARTTLS, or QUIT. If the
client and server are using the ENHANCEDSTATUSCODES ESMTP extension
[RFC-2034], the status code to be returned SHOULD be 5.7.0.
After receiving a 220 response to a STARTTLS command, the client
SHOULD start the TLS negotiation before giving any other SMTP
commands.
If the SMTP client is using pipelining as defined in RFC 1854, the
STARTTLS command must be the last command in a group.
5.1 Processing After the STARTTLS Command
After the TLS handshake has been completed, both parties MUST
immediately decide whether or not to continue based on the
authentication and privacy achieved. The SMTP client and server may
decide to move ahead even if the TLS negotiation ended with no
authentication and/or no privacy because most SMTP services are
performed with no authentication and no privacy, but some SMTP
clients or servers may want to continue only if a particular level of
authentication and/or privacy was achieved.
If the SMTP client decides that the level of authentication or
privacy is not high enough for it to continue, it SHOULD issue an
SMTP QUIT command immediately after the TLS negotiation is complete.
If the SMTP server decides that the level of authentication or
privacy is not high enough for it to continue, it SHOULD reply to
every SMTP command from the client (other than a QUIT command) with
the 554 reply code (with a possible text string such as "Command
refused due to lack of security").
The decision of whether or not to believe the authenticity of the
other party in a TLS negotiation is a local matter. However, some
general rules for the decisions are:
Hoffman Standards Track [Page 3]
RFC 2487 SMTP Service Extension January 1999
- A SMTP client would probably only want to authenticate an SMTP
server whose server certificate has a domain name that is the
domain name that the client thought it was connecting to.
- A publicly-referenced SMTP server would probably want to accept
any certificate from an SMTP client, and would possibly want to
put distinguishing information about the certificate in the
Received header of messages that were relayed or submitted from
the client.
5.2 Result of the STARTTLS Command
Upon completion of the TLS handshake, the SMTP protocol is reset to
the initial state (the state in SMTP after a server issues a 220
service ready greeting). The server MUST discard any knowledge
obtained from the client, such as the argument to the EHLO command,
which was not obtained from the TLS negotiation itself. The client
MUST discard any knowledge obtained from the server, such as the list
of SMTP service extensions, which was not obtained from the TLS
negotiation itself. The client SHOULD send an EHLO command as the
first command after a successful TLS negotiation.
The list of SMTP service extensions returned in response to an EHLO
command received after the TLS handshake MAY be different than the
list returned before the TLS handshake. For example, an SMTP server
might not want to advertise support for a particular SASL mechanism
[SASL] unless a client has sent an appropriate client certificate
during a TLS handshake.
Both the client and the server MUST know if there is a TLS session
active. A client MUST NOT attempt to start a TLS session if a TLS
session is already active. A server MUST NOT return the TLS extension
in response to an EHLO command received after a TLS handshake has
completed.
6. Usage Example
The following dialog illustrates how a client and server can start a
TLS session:
S: <waits for connection on TCP port 25>
C: <opens connection>
S: 220 mail.imc.org SMTP service ready
C: EHLO mail.ietf.org
S: 250-mail.imc.org offers a warm hug of welcome
S: 250 STARTTLS
C: STARTTLS
S: 220 Go ahead
C: <starts TLS negotiation>
Hoffman Standards Track [Page 4]
RFC 2487 SMTP Service Extension January 1999
C & S: <negotiate a TLS session>
C & S: <check result of negotiation>
C: <continues by sending an SMTP command>
. . .
7. Security Considerations
It should be noted that SMTP is not an end-to-end mechanism. Thus, if
an SMTP client/server pair decide to add TLS privacy, they are not
securing the transport from the originating mail user agent to the
recipient. Further, because delivery of a single piece of mail may
go between more than two SMTP servers, adding TLS privacy to one pair
of servers does not mean that the entire SMTP chain has been made
private. Further, just because an SMTP server can authenticate an
SMTP client, it does not mean that the mail from the SMTP client was
authenticated by the SMTP client when the client received it.
Both the STMP client and server must check the result of the TLS
negotiation to see whether acceptable authentication or privacy was
achieved. Ignoring this step completely invalidates using TLS for
security. The decision about whether acceptable authentication or
privacy was achieved is made locally, is implementation-dependant,
and is beyond the scope of this document.
The SMTP client and server should note carefully the result of the
TLS negotiation. If the negotiation results in no privacy, or if it
results in privacy using algorithms or key lengths that are deemed
not strong enough, or if the authentication is not good enough for
either party, the client may choose to end the SMTP session with an
immediate QUIT command, or the server may choose to not accept any
more SMTP commands.
A server announcing in an EHLO response that it uses a particular TLS
protocol should not pose any security issues, since any use of TLS
will be at least as secure as no use of TLS.
A man-in-the-middle attack can be launched by deleting the "250
STARTTLS" response from the server. This would cause the client not
to try to start a TLS session. An SMTP client can protect against
this attack by recording the fact that a particular SMTP server
offers TLS during one session and generating an alarm if it does not
appear in the EHLO response for a later session. The lack of TLS
during a session SHOULD NOT result in the bouncing of email, although
it could result in delayed processing.
Hoffman Standards Track [Page 5]
RFC 2487 SMTP Service Extension January 1999
Before the TLS handshake has begun, any protocol interactions are
performed in the clear and may be modified by an active attacker. For
this reason, clients and servers MUST discard any knowledge obtained
prior to the start of the TLS handshake upon completion of the TLS
handshake.
The STARTTLS extension is not suitable for authenticating the author
of an email message unless every hop in the delivery chain, including
the submission to the first SMTP server, is authenticated. Another
proposal [SMTP-AUTH] can be used to authenticate delivery and MIME
security multiparts [MIME-SEC] can be used to authenticate the author
of an email message. In addition, the [SMTP-AUTH] proposal offers
simpler and more flexible options to authenticate an SMTP client and
the SASL EXTERNAL mechanism [SASL] MAY be used in conjunction with
the STARTTLS command to provide an authorization identity.
Hoffman Standards Track [Page 6]
RFC 2487 SMTP Service Extension January 1999
A. References
[RFC-821] Postel, J., "Simple Mail Transfer Protocol", RFC 821,
August 1982.
[RFC-1869] Klensin, J., Freed, N, Rose, M, Stefferud, E. and D.
Crocker, "SMTP Service Extensions", STD 10, RFC 1869,
November 1995.
[RFC-2034] Freed, N., "SMTP Service Extension for Returning Enhanced
Error Codes", RFC 2034, October 1996.
[RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[SASL] Myers, J., "Simple Authentication and Security Layer
(SASL)", RFC 2222, October 1997.
[SMTP-AUTH] "SMTP Service Extension for Authentication", Work in
Progress.
[TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999.
B. Author's Address
Paul Hoffman
Internet Mail Consortium
127 Segre Place
Santa Cruz, CA 95060
Phone: (831) 426-9827
EMail: phoffman@imc.org
Hoffman Standards Track [Page 7]
RFC 2487 SMTP Service Extension January 1999
C. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Hoffman Standards Track [Page 8]
+619
Ver Arquivo
@@ -0,0 +1,619 @@
Network Working Group J. Myers
Request for Comments: 2554 Netscape Communications
Category: Standards Track March 1999
SMTP Service Extension
for Authentication
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
1. Introduction
This document defines an SMTP service extension [ESMTP] whereby an
SMTP client may indicate an authentication mechanism to the server,
perform an authentication protocol exchange, and optionally negotiate
a security layer for subsequent protocol interactions. This
extension is a profile of the Simple Authentication and Security
Layer [SASL].
2. Conventions Used in this Document
In examples, "C:" and "S:" indicate lines sent by the client and
server respectively.
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
in this document are to be interpreted as defined in "Key words for
use in RFCs to Indicate Requirement Levels" [KEYWORDS].
3. The Authentication service extension
(1) the name of the SMTP service extension is "Authentication"
(2) the EHLO keyword value associated with this extension is "AUTH"
Myers Standards Track [Page 1]
RFC 2554 SMTP Authentication March 1999
(3) The AUTH EHLO keyword contains as a parameter a space separated
list of the names of supported SASL mechanisms.
(4) a new SMTP verb "AUTH" is defined
(5) an optional parameter using the keyword "AUTH" is added to the
MAIL FROM command, and extends the maximum line length of the
MAIL FROM command by 500 characters.
(6) this extension is appropriate for the submission protocol
[SUBMIT].
4. The AUTH command
AUTH mechanism [initial-response]
Arguments:
a string identifying a SASL authentication mechanism.
an optional base64-encoded response
Restrictions:
After an AUTH command has successfully completed, no more AUTH
commands may be issued in the same session. After a successful
AUTH command completes, a server MUST reject any further AUTH
commands with a 503 reply.
The AUTH command is not permitted during a mail transaction.
Discussion:
The AUTH command indicates an authentication mechanism to the
server. If the server supports the requested authentication
mechanism, it performs an authentication protocol exchange to
authenticate and identify the user. Optionally, it also
negotiates a security layer for subsequent protocol
interactions. If the requested authentication mechanism is not
supported, the server rejects the AUTH command with a 504
reply.
The authentication protocol exchange consists of a series of
server challenges and client answers that are specific to the
authentication mechanism. A server challenge, otherwise known
as a ready response, is a 334 reply with the text part
containing a BASE64 encoded string. The client answer consists
of a line containing a BASE64 encoded string. If the client
wishes to cancel an authentication exchange, it issues a line
with a single "*". If the server receives such an answer, it
MUST reject the AUTH command by sending a 501 reply.
Myers Standards Track [Page 2]
RFC 2554 SMTP Authentication March 1999
The optional initial-response argument to the AUTH command is
used to save a round trip when using authentication mechanisms
that are defined to send no data in the initial challenge.
When the initial-response argument is used with such a
mechanism, the initial empty challenge is not sent to the
client and the server uses the data in the initial-response
argument as if it were sent in response to the empty challenge.
Unlike a zero-length client answer to a 334 reply, a zero-
length initial response is sent as a single equals sign ("=").
If the client uses an initial-response argument to the AUTH
command with a mechanism that sends data in the initial
challenge, the server rejects the AUTH command with a 535
reply.
If the server cannot BASE64 decode the argument, it rejects the
AUTH command with a 501 reply. If the server rejects the
authentication data, it SHOULD reject the AUTH command with a
535 reply unless a more specific error code, such as one listed
in section 6, is appropriate. Should the client successfully
complete the authentication exchange, the SMTP server issues a
235 reply.
The service name specified by this protocol's profile of SASL
is "smtp".
If a security layer is negotiated through the SASL
authentication exchange, it takes effect immediately following
the CRLF that concludes the authentication exchange for the
client, and the CRLF of the success reply for the server. Upon
a security layer's taking effect, the SMTP protocol is reset to
the initial state (the state in SMTP after a server issues a
220 service ready greeting). The server MUST discard any
knowledge obtained from the client, such as the argument to the
EHLO command, which was not obtained from the SASL negotiation
itself. The client MUST discard any knowledge obtained from
the server, such as the list of SMTP service extensions, which
was not obtained from the SASL negotiation itself (with the
exception that a client MAY compare the list of advertised SASL
mechanisms before and after authentication in order to detect
an active down-negotiation attack). The client SHOULD send an
EHLO command as the first command after a successful SASL
negotiation which results in the enabling of a security layer.
The server is not required to support any particular
authentication mechanism, nor are authentication mechanisms
required to support any security layers. If an AUTH command
fails, the client may try another authentication mechanism by
issuing another AUTH command.
Myers Standards Track [Page 3]
RFC 2554 SMTP Authentication March 1999
If an AUTH command fails, the server MUST behave the same as if
the client had not issued the AUTH command.
The BASE64 string may in general be arbitrarily long. Clients
and servers MUST be able to support challenges and responses
that are as long as are generated by the authentication
mechanisms they support, independent of any line length
limitations the client or server may have in other parts of its
protocol implementation.
Examples:
S: 220 smtp.example.com ESMTP server ready
C: EHLO jgm.example.com
S: 250-smtp.example.com
S: 250 AUTH CRAM-MD5 DIGEST-MD5
C: AUTH FOOBAR
S: 504 Unrecognized authentication type.
C: AUTH CRAM-MD5
S: 334
PENCeUxFREJoU0NnbmhNWitOMjNGNndAZWx3b29kLmlubm9zb2Z0LmNvbT4=
C: ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2ZQ==
S: 235 Authentication successful.
5. The AUTH parameter to the MAIL FROM command
AUTH=addr-spec
Arguments:
An addr-spec containing the identity which submitted the message
to the delivery system, or the two character sequence "<>"
indicating such an identity is unknown or insufficiently
authenticated. To comply with the restrictions imposed on ESMTP
parameters, the addr-spec is encoded inside an xtext. The syntax
of an xtext is described in section 5 of [ESMTP-DSN].
Discussion:
The optional AUTH parameter to the MAIL FROM command allows
cooperating agents in a trusted environment to communicate the
authentication of individual messages.
If the server trusts the authenticated identity of the client to
assert that the message was originally submitted by the supplied
addr-spec, then the server SHOULD supply the same addr-spec in an
AUTH parameter when relaying the message to any server which
supports the AUTH extension.
Myers Standards Track [Page 4]
RFC 2554 SMTP Authentication March 1999
A MAIL FROM parameter of AUTH=<> indicates that the original
submitter of the message is not known. The server MUST NOT treat
the message as having been originally submitted by the client.
If the AUTH parameter to the MAIL FROM is not supplied, the
client has authenticated, and the server believes the message is
an original submission by the client, the server MAY supply the
client's identity in the addr-spec in an AUTH parameter when
relaying the message to any server which supports the AUTH
extension.
If the server does not sufficiently trust the authenticated
identity of the client, or if the client is not authenticated,
then the server MUST behave as if the AUTH=<> parameter was
supplied. The server MAY, however, write the value of the AUTH
parameter to a log file.
If an AUTH=<> parameter was supplied, either explicitly or due to
the requirement in the previous paragraph, then the server MUST
supply the AUTH=<> parameter when relaying the message to any
server which it has authenticated to using the AUTH extension.
A server MAY treat expansion of a mailing list as a new
submission, setting the AUTH parameter to the mailing list
address or mailing list administration address when relaying the
message to list subscribers.
It is conforming for an implementation to be hard-coded to treat
all clients as being insufficiently trusted. In that case, the
implementation does nothing more than parse and discard
syntactically valid AUTH parameters to the MAIL FROM command and
supply AUTH=<> parameters to any servers to which it
authenticates using the AUTH extension.
Examples:
C: MAIL FROM:<e=mc2@example.com> AUTH=e+3Dmc2@example.com
S: 250 OK
Myers Standards Track [Page 5]
RFC 2554 SMTP Authentication March 1999
6. Error Codes
The following error codes may be used to indicate various conditions
as described.
432 A password transition is needed
This response to the AUTH command indicates that the user needs to
transition to the selected authentication mechanism. This typically
done by authenticating once using the PLAIN authentication mechanism.
534 Authentication mechanism is too weak
This response to the AUTH command indicates that the selected
authentication mechanism is weaker than server policy permits for
that user.
538 Encryption required for requested authentication mechanism
This response to the AUTH command indicates that the selected
authentication mechanism may only be used when the underlying SMTP
connection is encrypted.
454 Temporary authentication failure
This response to the AUTH command indicates that the authentication
failed due to a temporary server failure.
530 Authentication required
This response may be returned by any command other than AUTH, EHLO,
HELO, NOOP, RSET, or QUIT. It indicates that server policy requires
authentication in order to perform the requested action.
Myers Standards Track [Page 6]
RFC 2554 SMTP Authentication March 1999
7. Formal Syntax
The following syntax specification uses the augmented Backus-Naur
Form (BNF) notation as specified in [ABNF].
Except as noted otherwise, all alphabetic characters are case-
insensitive. The use of upper or lower case characters to define
token strings is for editorial clarity only. Implementations MUST
accept these strings in a case-insensitive fashion.
UPALPHA = %x41-5A ;; Uppercase: A-Z
LOALPHA = %x61-7A ;; Lowercase: a-z
ALPHA = UPALPHA / LOALPHA ;; case insensitive
DIGIT = %x30-39 ;; Digits 0-9
HEXDIGIT = %x41-46 / DIGIT ;; hexidecimal digit (uppercase)
hexchar = "+" HEXDIGIT HEXDIGIT
xchar = %x21-2A / %x2C-3C / %x3E-7E
;; US-ASCII except for "+", "=", SPACE and CTL
xtext = *(xchar / hexchar)
AUTH_CHAR = ALPHA / DIGIT / "-" / "_"
auth_type = 1*20AUTH_CHAR
auth_command = "AUTH" SPACE auth_type [SPACE (base64 / "=")]
*(CRLF [base64]) CRLF
auth_param = "AUTH=" xtext
;; The decoded form of the xtext MUST be either
;; an addr-spec or the two characters "<>"
base64 = base64_terminal /
( 1*(4base64_CHAR) [base64_terminal] )
base64_char = UPALPHA / LOALPHA / DIGIT / "+" / "/"
;; Case-sensitive
base64_terminal = (2base64_char "==") / (3base64_char "=")
continue_req = "334" SPACE [base64] CRLF
Myers Standards Track [Page 7]
RFC 2554 SMTP Authentication March 1999
CR = %x0C ;; ASCII CR, carriage return
CRLF = CR LF
CTL = %x00-1F / %x7F ;; any ASCII control character and DEL
LF = %x0A ;; ASCII LF, line feed
SPACE = %x20 ;; ASCII SP, space
8. References
[ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
[CRAM-MD5] Klensin, J., Catoe, R. and P. Krumviede, "IMAP/POP
AUTHorize Extension for Simple Challenge/Response", RFC
2195, September 1997.
[ESMTP] Klensin, J., Freed, N., Rose, M., Stefferud, E. and D.
Crocker, "SMTP Service Extensions", RFC 1869, November
1995.
[ESMTP-DSN] Moore, K, "SMTP Service Extension for Delivery Status
Notifications", RFC 1891, January 1996.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[SASL] Myers, J., "Simple Authentication and Security Layer
(SASL)", RFC 2222, October 1997.
[SUBMIT] Gellens, R. and J. Klensin, "Message Submission", RFC
2476, December 1998.
[RFC821] Postel, J., "Simple Mail Transfer Protocol", STD 10, RFC
821, August 1982.
[RFC822] Crocker, D., "Standard for the Format of ARPA Internet
Text Messages", STD 11, RFC 822, August 1982.
Myers Standards Track [Page 8]
RFC 2554 SMTP Authentication March 1999
9. Security Considerations
Security issues are discussed throughout this memo.
If a client uses this extension to get an encrypted tunnel through an
insecure network to a cooperating server, it needs to be configured
to never send mail to that server when the connection is not mutually
authenticated and encrypted. Otherwise, an attacker could steal the
client's mail by hijacking the SMTP connection and either pretending
the server does not support the Authentication extension or causing
all AUTH commands to fail.
Before the SASL negotiation has begun, any protocol interactions are
performed in the clear and may be modified by an active attacker.
For this reason, clients and servers MUST discard any knowledge
obtained prior to the start of the SASL negotiation upon completion
of a SASL negotiation which results in a security layer.
This mechanism does not protect the TCP port, so an active attacker
may redirect a relay connection attempt to the submission port
[SUBMIT]. The AUTH=<> parameter prevents such an attack from causing
an relayed message without an envelope authentication to pick up the
authentication of the relay client.
A message submission client may require the user to authenticate
whenever a suitable SASL mechanism is advertised. Therefore, it may
not be desirable for a submission server [SUBMIT] to advertise a SASL
mechanism when use of that mechanism grants the client no benefits
over anonymous submission.
This extension is not intended to replace or be used instead of end-
to-end message signature and encryption systems such as S/MIME or
PGP. This extension addresses a different problem than end-to-end
systems; it has the following key differences:
(1) it is generally useful only within a trusted enclave
(2) it protects the entire envelope of a message, not just the
message's body.
(3) it authenticates the message submission, not authorship of the
message content
(4) it can give the sender some assurance the message was
delivered to the next hop in the case where the sender
mutually authenticates with the next hop and negotiates an
appropriate security layer.
Myers Standards Track [Page 9]
RFC 2554 SMTP Authentication March 1999
Additional security considerations are mentioned in the SASL
specification [SASL].
10. Author's Address
John Gardiner Myers
Netscape Communications
501 East Middlefield Road
Mail Stop MV-029
Mountain View, CA 94043
EMail: jgmyers@netscape.com
Myers Standards Track [Page 10]
RFC 2554 SMTP Authentication March 1999
11. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Myers Standards Track [Page 11]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+563
Ver Arquivo
@@ -0,0 +1,563 @@
Network Working Group S. Zilles
Request for Comments: 2568 Adobe Systems Inc.
Category: Experimental April 1999
Rationale for the Structure of the Model and Protocol
for the Internet Printing Protocol
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
IESG Note
This document defines an Experimental protocol for the Internet
community. The IESG expects that a revised version of this protocol
will be published as Proposed Standard protocol. The Proposed
Standard, when published, is expected to change from the protocol
defined in this memo. In particular, it is expected that the
standards-track version of the protocol will incorporate strong
authentication and privacy features, and that an "ipp:" URL type will
be defined which supports those security measures. Other changes to
the protocol are also possible. Implementors are warned that future
versions of this protocol may not interoperate with the version of
IPP defined in this document, or if they do interoperate, that some
protocol features may not be available.
The IESG encourages experimentation with this protocol, especially in
combination with Transport Layer Security (TLS) [RFC2246], to help
determine how TLS may effectively be used as a security layer for
IPP.
ABSTRACT
This document is one of a set of documents, which together describe
all aspects of a new Internet Printing Protocol (IPP). IPP is an
application level protocol that can be used for distributed printing
using Internet tools and technologies. This document describes IPP
from a high level view, defines a roadmap for the various documents
that form the suite of IPP specifications, and gives background and
rationale for the IETF working group's major decisions.
Zilles Experimental [Page 1]
RFC 2568 Rationale for IPP April 1999
The full set of IPP documents includes:
Design Goals for an Internet Printing Protocol [RFC2567]
Rationale for the Structure and Model and Protocol for the
Internet Printing Protocol (this document)
Internet Printing Protocol/1.0: Model and Semantics [RFC2566]
Internet Printing Protocol/1.0: Encoding and Transport [RFC2565]
Internet Printing Protocol/1.0: Implementer's Guide [ipp-iig]
Mapping between LPD and IPP Protocols [RFC2569]
The "Design Goals for an Internet Printing Protocol" document takes a
broad look at distributed printing functionality, and it enumerates
real-life scenarios that help to clarify the features that need to be
included in a printing protocol for the Internet. It identifies
requirements for three types of users: end users, operators, and
administrators. The Design Goals document calls out a subset of end
user requirements that are satisfied in IPP/1.0. Operator and
administrator requirements are out of scope for version 1.0.
The "Internet Printing Protocol/1.0: Model and Semantics" document
describes a simplified model consisting of abstract objects, their
attributes, and their operations that is independent of encoding and
transport. The model consists of a Printer and a Job object. The
Job optionally supports multiple documents. This document also
addresses security, internationalization, and directory issues.
The "Internet Printing Protocol/1.0: Encoding and Transport" document
is a formal mapping of the abstract operations and attributes defined
in the model document onto HTTP/1.1. It defines the encoding rules
for a new Internet media type called "application/ipp".
The "Internet Printing Protocol/1.0: Implementer's Guide" document
gives insight and advice to implementers of IPP clients and IPP
objects. It is intended to help them understand IPP/1.0 and some of
the considerations that may assist them in the design of their client
and/or IPP object implementations. For example, a typical order of
processing requests is given, including error checking. Motivation
for some of the specification decisions is also included.
The "Mapping between LPD and IPP Protocols" document gives some
advice to implementers of gateways between IPP and LPD (Line Printer
Daemon) implementations.
1. ARCHITECTURAL OVERVIEW
The Internet Printing Protocol (IPP) is an application level protocol
that can be used for distributed printing on the Internet. This
protocol defines interactions between a client and a server. The
Zilles Experimental [Page 2]
RFC 2568 Rationale for IPP April 1999
protocol allows a client to inquire about capabilities of a printer,
to submit print jobs and to inquire about and cancel print jobs. The
server for these requests is the Printer; the Printer is an
abstraction of a generic document output device and/or a print
service provider. Thus, the Printer could be a real printing device,
such as a computer printer or fax output device, or it could be a
service that interfaced with output devices.
The protocol is heavily influenced by the printing model introduced
in the Document Printing Application (DPA) [ISO10175] standard.
Although DPA specifies both end user and administrative features, IPP
version 1.0 (IPP/1.0) focuses only on end user functionality.
The architecture for IPP defines (in the Model and Semantics document
[RFC2566]) an abstract Model for the data which is used to control
the printing process and to provide information about the process and
the capabilities of the Printer. This abstract Model is hierarchical
in nature and reflects the structure of the Printer and the Jobs that
may be being processed by the Printer.
The Internet provides a channel between the client and the
server/Printer. Use of this channel requires flattening and
sequencing the hierarchical Model data. Therefore, the IPP also
defines (in the Encoding and Transport document [RFC2565]) an
encoding of the data in the model for transfer between the client and
server. This transfer of data may be either a request or the
response to a request.
Finally, the IPP defines (in the Encoding and Transport document
[RFC2565]) a protocol for transferring the encoded request and
response data between the client and the server/Printer.
An example of a typical interaction would be a request from the
client to create a print job. The client would assemble the Model
data to be associated with that job, such as the name of the job, the
media to use, the number of pages to place on each media instance,
etc. This data would then be encoded according to the Protocol and
would be transmitted according to the Protocol. The server/Printer
would receive the encoded Model data, decode it into a form
understood by the server/Printer and, based on that data, do one of
two things: (1) accept the job or (2) reject the job. In either case,
the server must construct a response in terms of the Model data,
encode that response according to the Protocol and transmit that
encoded Model data as the response to the request using the Protocol.
Another part of the IPP architecture is the Directory Schema
described in the model document. The role of a Directory Schema is to
provide a standard set of attributes which might be used to query a
Zilles Experimental [Page 3]
RFC 2568 Rationale for IPP April 1999
directory service for the URI of a Printer that is likely to meet the
needs of the client. The IPP architecture also addresses security
issues such as control of access to server/Printers and secure
transmissions of requests, response and the data to be printed.
2. THE PRINTER
Because the (abstract) server/Printer encompasses a wide range of
implementations, it is necessary to make some assumptions about a
minimal implementation. The most likely minimal implementation is one
that is embedded in an output device running a specialized real time
operating system and with limited processing, memory and storage
capabilities. This printer will be connected to the Internet and will
have at least a TCP/IP capability with (likely) SNMP [RFC1905,
RFC1906] support for the Internet connection. In addition, it is
likely the the Printer will be an HTML/HTTP server to allow direct
user access to information about the printer.
3. RATIONALE FOR THE MODEL
The Model [RFC2566] is defined independently of any encoding of the
Model data both to support the likely uses of IPP and to be robust
with respect to the possibility of alternate encoding.
It is expected that a client or server/Printer would represent the
Model data in some data structure within the applications/servers
that support IPP. Therefore, the Model was designed to make that
representation straightforward. Typically a parser or formatter would
be used to convert from or to the encoded data format. Once in an
internal form suitable to a product, the data can be manipulated by
the product. For example, the data sent with a Print Job can be used
to control the processing of that Print Job.
The semantics of IPP are attached to the (abstract) Model.
Therefore, the application/server is not dependent on the encoding of
the Model data, and it is possible to consider alternative mechanisms
and formats by which the data could be transmitted from a client to a
server; for example, a server could have a direct, client-less GUI
interface that might be used to accept some kinds of Print Jobs. This
independence would also allow a different encoding and/or
transmission mechanism to be used if the ones adopted here were shown
to be overly limiting in the future. Such a change could be migrated
into new products as an alternate protocol stack/parser for the Model
data.
Zilles Experimental [Page 4]
RFC 2568 Rationale for IPP April 1999
Having an abstract Model also allows the Model data to be aligned
with the (abstract) model used in the Printer [RFC1759], Job and Host
Resources MIBs. This provides consistency in interpretation of the
data obtained independently of how the data is accessed, whether via
IPP or via SNMP [RFC1905, RFC1906] and the Printer/Job MIBs.
There is one aspect of the Model that deserves some extra
explanation. There are two ways for identifying a Job object: (a)
with a Job URI and (b) using a combination of the Printer URI and a
Job ID (a 32 bit positive integer). Allowing Job objects to have URIs
allows for flexibility and scalability. For example a job could be
moved from a printer with a large backlog to one with a smaller load
and the job identification, the Job object URI, need not change.
However, many existing printing systems have local models or
interface constraints that force Job objects to be identified using
only a 32-bit positive integer rather than a URI. This numeric Job
ID is only unique within the context of the Printer object to which
the create request was originally submitted. In order to allow both
types of client access to Jobs (either by Job URI or by numeric Job
ID), when the Printer object successfully processes a create request
and creates a new Job, the Printer object generates both a Job URI
and a Job ID for the new Job object. This requirement allows all
clients to access Printer objects and Job objects independent of any
local constraints imposed on the client implementation.
4. RATIONALE FOR THE PROTOCOL
There are two parts to the Protocol: (1) the encoding of the Model
data and (2) the mechanism for transmitting the model data between
client and server.
4.1 The Encoding
To make it simpler to develop embedded printers, a very simple binary
encoding has been chosen. This encoding is adequate to represent the
kinds of data that occur within the Model. It has a simple structure
consisting of sequences of attributes. Each attribute has a name,
prefixed by a name length, and a value. The names are strings
constrained to characters from a subset of ASCII. The values are
either scalars or a sequence of scalars. Each scalar value has a
length specification and a value tag which indicates the type of the
value. The value type has two parts: a major class part, such as
integer or string, and a minor class part which distinguishes the
usage of the major class, such as dateTime string. Tagging of the
values with type information allows for introducing new value types
at some future time.
Zilles Experimental [Page 5]
RFC 2568 Rationale for IPP April 1999
A fully encoded request/response has a version number, an operation
(for a request) or a status and optionally a status message (for a
response), associated parameters and attributes which are encoded
Model data and, optionally (for a request), print data following the
Model data.
4.2 The Transmission Mechanism
The chosen mechanism for transmitting the encoded Model data is HTTP
1.1 Post (and associated response). No modifications to HTTP 1.1 are
proposed or required. The sole role of the Transmission Mechanism is
to provide a transfer of encoded Model data from/to the client
to/from the server. This could be done using any data delivery
mechanism. The key reasons why HTTP 1.1 Post is used are given below.
The most important of these is the first. With perhaps this
exception, these reasons could be satisfied by other mechanisms.
There is no claim that this list uniquely determines a choice of
mechanism.
1. HTTP 1.0 is already widely deployed and, based on the recent
evidence, HTTP 1.1 is being widely deployed as the manufacturers
release new products. The performance benefits of HTTP 1.1 have
been shown and manufactures are reacting positively.
Wide deployment has meant that many of the problems of making a
protocol work in a wide range of environments from local net to
Intranet to Internet have been solved and will stay solved with
HTTP 1.1 deployment.
2. HTTP 1.1 solves most of the problems that might have required a
new protocol to be developed. HTTP 1.1 allows persistent
connections that make a multi-message protocol be more efficient;
for example it is practical to have separate Create-Job and Send-
Document messages. Chunking allows the transmission of large print
files without having to pre-scan the file to determine the file
length. The accept headers allow the client's protocol and
localization desires to be transmitted with the IPP operations and
data. If the Model were to provide for the redirection of Job
requests, such as Cancel-Job, when a Job is moved, the HTTP
redirect response allows a client to be informed when a Job he is
interested in is moved to another server/Printer for any reason.
3. Most network Printers will be implementing HTTP servers for
reasons other than IPP. These network attached Printers want to
provide information on how to use the printer, its current state,
HELP information, etc. in HTML. This requires having an HTTP
server which would be available to do IPP functions as well.
Zilles Experimental [Page 6]
RFC 2568 Rationale for IPP April 1999
4. Most of the complexity of HTTP 1.1 is concerned with the
implementation of HTTP proxies and not the implementation of HTTP
clients and/or servers. Work is proceeding in the HTTP Working
Group to help identify what must be done by a server. As the
Encoding and Transport document shows, that is not very much.
5. HTTP implementations provide support for handling URLs that
would have to be provided if a new protocol were defined.
6. An HTTP based solution fits well with the Internet security
mechanisms that are currently deployed or being deployed. HTTP
will run over SSL3. The digest access authentication mechanism of
HTTP 1.1 provides an adequate level of access control. These
solutions are deployed and in practical use; a new solution would
require extensive use to have the same degree of confidence in its
security. Note: SSL3 is not on the IETF standards track.
7. HTTP provides an extensibility model that a new protocol would
have to develop independently. In particular, the headers,
intent-types (via Internet Media Types) and error codes have wide
acceptance and a useful set of definitions and methods for
extension.
8. Although not strictly a reason why IPP should use HTTP as the
transmission protocol, it is extremely helpful that there are many
prototyping tools that work with HTTP and that CGI scripts can be
used to test and debug parts of the protocol.
9. Finally, the POST method was chosen to carry the print data
because its usage for data transmission has been established, it
works and the results are available via CGI scripts or servlets.
Creating a new method would have better identified the intended
use of the POSTed data, but a new method would be more difficult
to deploy. Assigning a new default port for IPP provided the
necessary identification with minimal impact to installed
infrastructure, so was chosen instead.
5. RATIONALE FOR THE DIRECTORY SCHEMA
Successful use of IPP depends on the client finding a suitable IPP
enabled Printer to which to send a IPP requests, such as print a
job. This task is simplified if there is a Directory Service which
can be queried for a suitable Printer. The purpose of the
Directory Schema is to have a standard description of Printer
attributes that can be associated the URI for the printer. These
attributes are a subset of the Model attributes and can be encoded
in the appropriate query syntax for the Directory Service being
used by the client.
Zilles Experimental [Page 7]
RFC 2568 Rationale for IPP April 1999
6. SECURITY CONSIDERATIONS - RATIONALE FOR SECURITY
Security is an area of active work on the Internet. Complete
solutions to a wide range of security concerns are not yet
available. Therefore, in the design of IPP, the focus has been on
identifying a set of security protocols/features that are
implemented (or currently implementable) and solve real problems
with distributed printing. The two areas that seem appropriate to
support are: (1) authorization to use a Printer and (2) secure
interaction with a printer. The chosen mechanisms are the digest
authentication mechanism of HTTP 1.1 and SSL3 [SSL] secure
communication mechanism.
7. REFERENCES
[ipp-iig] Hastings, T. and C. Manros, "Internet Printing
Protocol/1.0:Implementer's Guide", Work in Progress.
[RFC2569] Herriot, R., Hastings, T., Jacobs, N. and J. Martin,
"Mapping between LPD and IPP Protocols", RFC 2569, April
1999.
[RFC2566] deBry, R., Isaacson, S., Hastings, T., Herriot, R. and P.
Powell, "Internet Printing Protocol/1.0: Model and
Semantics", RFC 2566, April 1999.
[RFC2565] Herriot, R., Butler, S., Moore, P. and R. Tuner, "Internet
Printing Protocol/1.0: Encoding and Transport", RFC 2565,
April 1999.
[RFC2567] Wright, D., "Design Goals for an Internet Printing
Protocol", RFC 2567, April 1999.
[ISO10175] ISO/IEC 10175 "Document Printing Application (DPA)", June
1996.
[RFC1759] Smith, R., Wright, F., Hastings, T., Zilles, S. and J.
Gyllenskog, "Printer MIB", RFC 1759, March 1995.
[RFC1905] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
"Protocol Operations for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1905, January 1996.
[RFC1906] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
"Transport Mappings for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1906, January 1996.
Zilles Experimental [Page 8]
RFC 2568 Rationale for IPP April 1999
[SSL] Netscape, The SSL Protocol, Version 3, (Text version
3.02), November 1996.
8. AUTHOR'S ADDRESS
Stephen Zilles
Adobe Systems Incorporated
345 Park Avenue
MailStop W14
San Jose, CA 95110-2704
Phone: +1 408 536-4766
Fax: +1 408 537-4042
EMail: szilles@adobe.com
Zilles Experimental [Page 9]
RFC 2568 Rationale for IPP April 1999
9. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Zilles Experimental [Page 10]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+843
Ver Arquivo
@@ -0,0 +1,843 @@
Network Working Group C. Newman
Request for Comments: 2595 Innosoft
Category: Standards Track June 1999
Using TLS with IMAP, POP3 and ACAP
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
1. Motivation
The TLS protocol (formerly known as SSL) provides a way to secure an
application protocol from tampering and eavesdropping. The option of
using such security is desirable for IMAP, POP and ACAP due to common
connection eavesdropping and hijacking attacks [AUTH]. Although
advanced SASL authentication mechanisms can provide a lightweight
version of this service, TLS is complimentary to simple
authentication-only SASL mechanisms or deployed clear-text password
login commands.
Many sites have a high investment in authentication infrastructure
(e.g., a large database of a one-way-function applied to user
passwords), so a privacy layer which is not tightly bound to user
authentication can protect against network eavesdropping attacks
without requiring a new authentication infrastructure and/or forcing
all users to change their password. Recognizing that such sites will
desire simple password authentication in combination with TLS
encryption, this specification defines the PLAIN SASL mechanism for
use with protocols which lack a simple password authentication
command such as ACAP and SMTP. (Note there is a separate RFC for the
STARTTLS command in SMTP [SMTPTLS].)
There is a strong desire in the IETF to eliminate the transmission of
clear-text passwords over unencrypted channels. While SASL can be
used for this purpose, TLS provides an additional tool with different
deployability characteristics. A server supporting both TLS with
Newman Standards Track [Page 1]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
simple passwords and a challenge/response SASL mechanism is likely to
interoperate with a wide variety of clients without resorting to
unencrypted clear-text passwords.
The STARTTLS command rectifies a number of the problems with using a
separate port for a "secure" protocol variant. Some of these are
mentioned in section 7.
1.1. Conventions Used in this Document
The key words "REQUIRED", "MUST", "MUST NOT", "SHOULD", "SHOULD NOT",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in "Key words for use in RFCs to Indicate Requirement
Levels" [KEYWORDS].
Terms related to authentication are defined in "On Internet
Authentication" [AUTH].
Formal syntax is defined using ABNF [ABNF].
In examples, "C:" and "S:" indicate lines sent by the client and
server respectively.
2. Basic Interoperability and Security Requirements
The following requirements apply to all implementations of the
STARTTLS extension for IMAP, POP3 and ACAP.
2.1. Cipher Suite Requirements
Implementation of the TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [TLS] cipher
suite is REQUIRED. This is important as it assures that any two
compliant implementations can be configured to interoperate.
All other cipher suites are OPTIONAL.
2.2. Privacy Operational Mode Security Requirements
Both clients and servers SHOULD have a privacy operational mode which
refuses authentication unless successful activation of an encryption
layer (such as that provided by TLS) occurs prior to or at the time
of authentication and which will terminate the connection if that
encryption layer is deactivated. Implementations are encouraged to
have flexability with respect to the minimal encryption strength or
cipher suites permitted. A minimalist approach to this
recommendation would be an operational mode where the
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA cipher suite is mandatory prior to
permitting authentication.
Newman Standards Track [Page 2]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
Clients MAY have an operational mode which uses encryption only when
it is advertised by the server, but authentication continues
regardless. For backwards compatibility, servers SHOULD have an
operational mode where only the authentication mechanisms required by
the relevant base protocol specification are needed to successfully
authenticate.
2.3. Clear-Text Password Requirements
Clients and servers which implement STARTTLS MUST be configurable to
refuse all clear-text login commands or mechanisms (including both
standards-track and nonstandard mechanisms) unless an encryption
layer of adequate strength is active. Servers which allow
unencrypted clear-text logins SHOULD be configurable to refuse
clear-text logins both for the entire server, and on a per-user
basis.
2.4. Server Identity Check
During the TLS negotiation, the client MUST check its understanding
of the server hostname against the server's identity as presented in
the server Certificate message, in order to prevent man-in-the-middle
attacks. Matching is performed according to these rules:
- The client MUST use the server hostname it used to open the
connection as the value to compare against the server name as
expressed in the server certificate. The client MUST NOT use any
form of the server hostname derived from an insecure remote source
(e.g., insecure DNS lookup). CNAME canonicalization is not done.
- If a subjectAltName extension of type dNSName is present in the
certificate, it SHOULD be used as the source of the server's
identity.
- Matching is case-insensitive.
- A "*" wildcard character MAY be used as the left-most name
component in the certificate. For example, *.example.com would
match a.example.com, foo.example.com, etc. but would not match
example.com.
- If the certificate contains multiple names (e.g. more than one
dNSName field), then a match with any one of the fields is
considered acceptable.
If the match fails, the client SHOULD either ask for explicit user
confirmation, or terminate the connection and indicate the server's
identity is suspect.
Newman Standards Track [Page 3]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
2.5. TLS Security Policy Check
Both the client and server MUST check the result of the STARTTLS
command and subsequent TLS negotiation to see whether acceptable
authentication or privacy was achieved. Ignoring this step
completely invalidates using TLS for security. The decision about
whether acceptable authentication or privacy was achieved is made
locally, is implementation-dependent, and is beyond the scope of this
document.
3. IMAP STARTTLS extension
When the TLS extension is present in IMAP, "STARTTLS" is listed as a
capability in response to the CAPABILITY command. This extension
adds a single command, "STARTTLS" to the IMAP protocol which is used
to begin a TLS negotiation.
3.1. STARTTLS Command
Arguments: none
Responses: no specific responses for this command
Result: OK - begin TLS negotiation
BAD - command unknown or arguments invalid
A TLS negotiation begins immediately after the CRLF at the end of
the tagged OK response from the server. Once a client issues a
STARTTLS command, it MUST NOT issue further commands until a
server response is seen and the TLS negotiation is complete.
The STARTTLS command is only valid in non-authenticated state.
The server remains in non-authenticated state, even if client
credentials are supplied during the TLS negotiation. The SASL
[SASL] EXTERNAL mechanism MAY be used to authenticate once TLS
client credentials are successfully exchanged, but servers
supporting the STARTTLS command are not required to support the
EXTERNAL mechanism.
Once TLS has been started, the client MUST discard cached
information about server capabilities and SHOULD re-issue the
CAPABILITY command. This is necessary to protect against
man-in-the-middle attacks which alter the capabilities list prior
to STARTTLS. The server MAY advertise different capabilities
after STARTTLS.
The formal syntax for IMAP is amended as follows:
Newman Standards Track [Page 4]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
command_any =/ "STARTTLS"
Example: C: a001 CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED
S: a001 OK CAPABILITY completed
C: a002 STARTTLS
S: a002 OK Begin TLS negotiation now
<TLS negotiation, further commands are under TLS layer>
C: a003 CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=EXTERNAL
S: a003 OK CAPABILITY completed
C: a004 LOGIN joe password
S: a004 OK LOGIN completed
3.2. IMAP LOGINDISABLED capability
The current IMAP protocol specification (RFC 2060) requires the
implementation of the LOGIN command which uses clear-text passwords.
Many sites may choose to disable this command unless encryption is
active for security reasons. An IMAP server MAY advertise that the
LOGIN command is disabled by including the LOGINDISABLED capability
in the capability response. Such a server will respond with a tagged
"NO" response to any attempt to use the LOGIN command.
An IMAP server which implements STARTTLS MUST implement support for
the LOGINDISABLED capability on unencrypted connections.
An IMAP client which complies with this specification MUST NOT issue
the LOGIN command if this capability is present.
This capability is useful to prevent clients compliant with this
specification from sending an unencrypted password in an environment
subject to passive attacks. It has no impact on an environment
subject to active attacks as a man-in-the-middle attacker can remove
this capability. Therefore this does not relieve clients of the need
to follow the privacy mode recommendation in section 2.2.
Servers advertising this capability will fail to interoperate with
many existing compliant IMAP clients and will be unable to prevent
those clients from disclosing the user's password.
4. POP3 STARTTLS extension
The POP3 STARTTLS extension adds the STLS command to POP3 servers.
If this is implemented, the POP3 extension mechanism [POP3EXT] MUST
also be implemented to avoid the need for client probing of multiple
commands. The capability name "STLS" indicates this command is
present and permitted in the current state.
Newman Standards Track [Page 5]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
STLS
Arguments: none
Restrictions:
Only permitted in AUTHORIZATION state.
Discussion:
A TLS negotiation begins immediately after the CRLF at the
end of the +OK response from the server. A -ERR response
MAY result if a security layer is already active. Once a
client issues a STLS command, it MUST NOT issue further
commands until a server response is seen and the TLS
negotiation is complete.
The STLS command is only permitted in AUTHORIZATION state
and the server remains in AUTHORIZATION state, even if
client credentials are supplied during the TLS negotiation.
The AUTH command [POP-AUTH] with the EXTERNAL mechanism
[SASL] MAY be used to authenticate once TLS client
credentials are successfully exchanged, but servers
supporting the STLS command are not required to support the
EXTERNAL mechanism.
Once TLS has been started, the client MUST discard cached
information about server capabilities and SHOULD re-issue
the CAPA command. This is necessary to protect against
man-in-the-middle attacks which alter the capabilities list
prior to STLS. The server MAY advertise different
capabilities after STLS.
Possible Responses:
+OK -ERR
Examples:
C: STLS
S: +OK Begin TLS negotiation
<TLS negotiation, further commands are under TLS layer>
...
C: STLS
S: -ERR Command not permitted when TLS active
Newman Standards Track [Page 6]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
5. ACAP STARTTLS extension
When the TLS extension is present in ACAP, "STARTTLS" is listed as a
capability in the ACAP greeting. No arguments to this capability are
defined at this time. This extension adds a single command,
"STARTTLS" to the ACAP protocol which is used to begin a TLS
negotiation.
5.1. STARTTLS Command
Arguments: none
Responses: no specific responses for this command
Result: OK - begin TLS negotiation
BAD - command unknown or arguments invalid
A TLS negotiation begins immediately after the CRLF at the end of
the tagged OK response from the server. Once a client issues a
STARTTLS command, it MUST NOT issue further commands until a
server response is seen and the TLS negotiation is complete.
The STARTTLS command is only valid in non-authenticated state.
The server remains in non-authenticated state, even if client
credentials are supplied during the TLS negotiation. The SASL
[SASL] EXTERNAL mechanism MAY be used to authenticate once TLS
client credentials are successfully exchanged, but servers
supporting the STARTTLS command are not required to support the
EXTERNAL mechanism.
After the TLS layer is established, the server MUST re-issue an
untagged ACAP greeting. This is necessary to protect against
man-in-the-middle attacks which alter the capabilities list prior
to STARTTLS. The client MUST discard cached capability
information and replace it with the information from the new ACAP
greeting. The server MAY advertise different capabilities after
STARTTLS.
The formal syntax for ACAP is amended as follows:
command_any =/ "STARTTLS"
Example: S: * ACAP (SASL "CRAM-MD5") (STARTTLS)
C: a002 STARTTLS
S: a002 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "CRAM-MD5" "PLAIN" "EXTERNAL")
Newman Standards Track [Page 7]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
6. PLAIN SASL mechanism
Clear-text passwords are simple, interoperate with almost all
existing operating system authentication databases, and are useful
for a smooth transition to a more secure password-based
authentication mechanism. The drawback is that they are unacceptable
for use over an unencrypted network connection.
This defines the "PLAIN" SASL mechanism for use with ACAP and other
protocols with no clear-text login command. The PLAIN SASL mechanism
MUST NOT be advertised or used unless a strong encryption layer (such
as the provided by TLS) is active or backwards compatibility dictates
otherwise.
The mechanism consists of a single message from the client to the
server. The client sends the authorization identity (identity to
login as), followed by a US-ASCII NUL character, followed by the
authentication identity (identity whose password will be used),
followed by a US-ASCII NUL character, followed by the clear-text
password. The client may leave the authorization identity empty to
indicate that it is the same as the authentication identity.
The server will verify the authentication identity and password with
the system authentication database and verify that the authentication
credentials permit the client to login as the authorization identity.
If both steps succeed, the user is logged in.
The server MAY also use the password to initialize any new
authentication database, such as one suitable for CRAM-MD5
[CRAM-MD5].
Non-US-ASCII characters are permitted as long as they are represented
in UTF-8 [UTF-8]. Use of non-visible characters or characters which
a user may be unable to enter on some keyboards is discouraged.
The formal grammar for the client message using Augmented BNF [ABNF]
follows.
message = [authorize-id] NUL authenticate-id NUL password
authenticate-id = 1*UTF8-SAFE ; MUST accept up to 255 octets
authorize-id = 1*UTF8-SAFE ; MUST accept up to 255 octets
password = 1*UTF8-SAFE ; MUST accept up to 255 octets
NUL = %x00
UTF8-SAFE = %x01-09 / %x0B-0C / %x0E-7F / UTF8-2 /
UTF8-3 / UTF8-4 / UTF8-5 / UTF8-6
UTF8-1 = %x80-BF
UTF8-2 = %xC0-DF UTF8-1
UTF8-3 = %xE0-EF 2UTF8-1
Newman Standards Track [Page 8]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
UTF8-4 = %xF0-F7 3UTF8-1
UTF8-5 = %xF8-FB 4UTF8-1
UTF8-6 = %xFC-FD 5UTF8-1
Here is an example of how this might be used to initialize a CRAM-MD5
authentication database for ACAP:
Example: S: * ACAP (SASL "CRAM-MD5") (STARTTLS)
C: a001 AUTHENTICATE "CRAM-MD5"
S: + "<1896.697170952@postoffice.reston.mci.net>"
C: "tim b913a602c7eda7a495b4e6e7334d3890"
S: a001 NO (TRANSITION-NEEDED)
"Please change your password, or use TLS to login"
C: a002 STARTTLS
S: a002 OK "Begin TLS negotiation now"
<TLS negotiation, further commands are under TLS layer>
S: * ACAP (SASL "CRAM-MD5" "PLAIN" "EXTERNAL")
C: a003 AUTHENTICATE "PLAIN" {21+}
C: <NUL>tim<NUL>tanstaaftanstaaf
S: a003 OK CRAM-MD5 password initialized
Note: In this example, <NUL> represents a single ASCII NUL octet.
7. imaps and pop3s ports
Separate "imaps" and "pop3s" ports were registered for use with SSL.
Use of these ports is discouraged in favor of the STARTTLS or STLS
commands.
A number of problems have been observed with separate ports for
"secure" variants of protocols. This is an attempt to enumerate some
of those problems.
- Separate ports lead to a separate URL scheme which intrudes into
the user interface in inappropriate ways. For example, many web
pages use language like "click here if your browser supports SSL."
This is a decision the browser is often more capable of making than
the user.
- Separate ports imply a model of either "secure" or "not secure."
This can be misleading in a number of ways. First, the "secure"
port may not in fact be acceptably secure as an export-crippled
cipher suite might be in use. This can mislead users into a false
sense of security. Second, the normal port might in fact be
secured by using a SASL mechanism which includes a security layer.
Thus the separate port distinction makes the complex topic of
security policy even more confusing. One common result of this
confusion is that firewall administrators are often misled into
Newman Standards Track [Page 9]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
permitting the "secure" port and blocking the standard port. This
could be a poor choice given the common use of SSL with a 40-bit
key encryption layer and plain-text password authentication is less
secure than strong SASL mechanisms such as GSSAPI with Kerberos 5.
- Use of separate ports for SSL has caused clients to implement only
two security policies: use SSL or don't use SSL. The desirable
security policy "use TLS when available" would be cumbersome with
the separate port model, but is simple with STARTTLS.
- Port numbers are a limited resource. While they are not yet in
short supply, it is unwise to set a precedent that could double (or
worse) the speed of their consumption.
8. IANA Considerations
This constitutes registration of the "STARTTLS" and "LOGINDISABLED"
IMAP capabilities as required by section 7.2.1 of RFC 2060 [IMAP].
The registration for the POP3 "STLS" capability follows:
CAPA tag: STLS
Arguments: none
Added commands: STLS
Standard commands affected: May enable USER/PASS as a side-effect.
CAPA command SHOULD be re-issued after successful completion.
Announced states/Valid states: AUTHORIZATION state only.
Specification reference: this memo
The registration for the ACAP "STARTTLS" capability follows:
Capability name: STARTTLS
Capability keyword: STARTTLS
Capability arguments: none
Published Specification(s): this memo
Person and email address for further information:
see author's address section below
The registration for the PLAIN SASL mechanism follows:
SASL mechanism name: PLAIN
Security Considerations: See section 9 of this memo
Published specification: this memo
Person & email address to contact for further information:
see author's address section below
Intended usage: COMMON
Author/Change controller: see author's address section below
Newman Standards Track [Page 10]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
9. Security Considerations
TLS only provides protection for data sent over a network connection.
Messages transferred over IMAP or POP3 are still available to server
administrators and usually subject to eavesdropping, tampering and
forgery when transmitted through SMTP or NNTP. TLS is no substitute
for an end-to-end message security mechanism using MIME security
multiparts [MIME-SEC].
A man-in-the-middle attacker can remove STARTTLS from the capability
list or generate a failure response to the STARTTLS command. In
order to detect such an attack, clients SHOULD warn the user when
session privacy is not active and/or be configurable to refuse to
proceed without an acceptable level of security.
A man-in-the-middle attacker can always cause a down-negotiation to
the weakest authentication mechanism or cipher suite available. For
this reason, implementations SHOULD be configurable to refuse weak
mechanisms or cipher suites.
Any protocol interactions prior to the TLS handshake are performed in
the clear and can be modified by a man-in-the-middle attacker. For
this reason, clients MUST discard cached information about server
capabilities advertised prior to the start of the TLS handshake.
Clients are encouraged to clearly indicate when the level of
encryption active is known to be vulnerable to attack using modern
hardware (such as encryption keys with 56 bits of entropy or less).
The LOGINDISABLED IMAP capability (discussed in section 3.2) only
reduces the potential for passive attacks, it provides no protection
against active attacks. The responsibility remains with the client
to avoid sending a password over a vulnerable channel.
The PLAIN mechanism relies on the TLS encryption layer for security.
When used without TLS, it is vulnerable to a common network
eavesdropping attack. Therefore PLAIN MUST NOT be advertised or used
unless a suitable TLS encryption layer is active or backwards
compatibility dictates otherwise.
When the PLAIN mechanism is used, the server gains the ability to
impersonate the user to all services with the same password
regardless of any encryption provided by TLS or other network privacy
mechanisms. While many other authentication mechanisms have similar
weaknesses, stronger SASL mechanisms such as Kerberos address this
issue. Clients are encouraged to have an operational mode where all
mechanisms which are likely to reveal the user's password to the
server are disabled.
Newman Standards Track [Page 11]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
The security considerations for TLS apply to STARTTLS and the
security considerations for SASL apply to the PLAIN mechanism.
Additional security requirements are discussed in section 2.
10. References
[ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
[ACAP] Newman, C. and J. Myers, "ACAP -- Application
Configuration Access Protocol", RFC 2244, November 1997.
[AUTH] Haller, N. and R. Atkinson, "On Internet Authentication",
RFC 1704, October 1994.
[CRAM-MD5] Klensin, J., Catoe, R. and P. Krumviede, "IMAP/POP
AUTHorize Extension for Simple Challenge/Response", RFC
2195, September 1997.
[IMAP] Crispin, M., "Internet Message Access Protocol - Version
4rev1", RFC 2060, December 1996.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[MIME-SEC] Galvin, J., Murphy, S., Crocker, S. and N. Freed,
"Security Multiparts for MIME: Multipart/Signed and
Multipart/Encrypted", RFC 1847, October 1995.
[POP3] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
STD 53, RFC 1939, May 1996.
[POP3EXT] Gellens, R., Newman, C. and L. Lundblade, "POP3 Extension
Mechanism", RFC 2449, November 1998.
[POP-AUTH] Myers, J., "POP3 AUTHentication command", RFC 1734,
December 1994.
[SASL] Myers, J., "Simple Authentication and Security Layer
(SASL)", RFC 2222, October 1997.
[SMTPTLS] Hoffman, P., "SMTP Service Extension for Secure SMTP over
TLS", RFC 2487, January 1999.
[TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999.
Newman Standards Track [Page 12]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
[UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO
10646", RFC 2279, January 1998.
11. Author's Address
Chris Newman
Innosoft International, Inc.
1050 Lakes Drive
West Covina, CA 91790 USA
EMail: chris.newman@innosoft.com
A. Appendix -- Compliance Checklist
An implementation is not compliant if it fails to satisfy one or more
of the MUST requirements for the protocols it implements. An
implementation that satisfies all the MUST and all the SHOULD
requirements for its protocols is said to be "unconditionally
compliant"; one that satisfies all the MUST requirements but not all
the SHOULD requirements for its protocols is said to be
"conditionally compliant".
Rules Section
----- -------
Mandatory-to-implement Cipher Suite 2.1
SHOULD have mode where encryption required 2.2
server SHOULD have mode where TLS not required 2.2
MUST be configurable to refuse all clear-text login
commands or mechanisms 2.3
server SHOULD be configurable to refuse clear-text
login commands on entire server and on per-user basis 2.3
client MUST check server identity 2.4
client MUST use hostname used to open connection 2.4
client MUST NOT use hostname from insecure remote lookup 2.4
client SHOULD support subjectAltName of dNSName type 2.4
client SHOULD ask for confirmation or terminate on fail 2.4
MUST check result of STARTTLS for acceptable privacy 2.5
client MUST NOT issue commands after STARTTLS
until server response and negotiation done 3.1,4,5.1
client MUST discard cached information 3.1,4,5.1,9
client SHOULD re-issue CAPABILITY/CAPA command 3.1,4
IMAP server with STARTTLS MUST implement LOGINDISABLED 3.2
IMAP client MUST NOT issue LOGIN if LOGINDISABLED 3.2
POP server MUST implement POP3 extensions 4
ACAP server MUST re-issue ACAP greeting 5.1
Newman Standards Track [Page 13]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
client SHOULD warn when session privacy not active and/or
refuse to proceed without acceptable security level 9
SHOULD be configurable to refuse weak mechanisms or
cipher suites 9
The PLAIN mechanism is an optional part of this specification.
However if it is implemented the following rules apply:
Rules Section
----- -------
MUST NOT use PLAIN unless strong encryption active
or backwards compatibility dictates otherwise 6,9
MUST use UTF-8 encoding for characters in PLAIN 6
Newman Standards Track [Page 14]
RFC 2595 Using TLS with IMAP, POP3 and ACAP June 1999
Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Newman Standards Track [Page 15]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+395
Ver Arquivo
@@ -0,0 +1,395 @@
Network Working Group A. Medvinsky
Request for Comments: 2712 Excite
Category: Standards Track M. Hur
CyberSafe Corporation
October 1999
Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
IESG Note:
The 40-bit ciphersuites defined in this memo are included only for
the purpose of documenting the fact that those ciphersuite codes have
already been assigned. 40-bit ciphersuites were designed to comply
with US-centric, and now obsolete, export restrictions. They were
never secure, and nowadays are inadequate even for casual
applications. Implementation and use of the 40-bit ciphersuites
defined in this document, and elsewhere, is strongly discouraged.
1. Abstract
This document proposes the addition of new cipher suites to the TLS
protocol [1] to support Kerberos-based authentication. Kerberos
credentials are used to achieve mutual authentication and to
establish a master secret which is subsequently used to secure
client-server communication.
2. Introduction
Flexibility is one of the main strengths of the TLS protocol.
Clients and servers can negotiate cipher suites to meet specific
security and administrative policies. However, to date,
authentication in TLS is limited only to public key solutions. As a
result, TLS does not fully support organizations with heterogeneous
security deployments that include authentication systems based on
symmetric cryptography. Kerberos, originally developed at MIT, is
Medvinsky & Hur Standards Track [Page 1]
RFC 2712 Addition of Kerberos Cipher Suites to TLS October 1999
based on an open standard [2] and is the most widely deployed
symmetric key authentication system. This document proposes a new
option for negotiating Kerberos authentication within the TLS
framework. This achieves mutual authentication and the establishment
of a master secret using Kerberos credentials. The proposed changes
are minimal and, in fact, no different from adding a new public key
algorithm to the TLS framework.
3. Kerberos Authentication Option In TLS
This section describes the addition of the Kerberos authentication
option to the TLS protocol. Throughout this document, we refer to
the basic SSL handshake shown in Figure 1. For a review of the TLS
handshake see [1].
CLIENT SERVER
------ ------
ClientHello
-------------------------------->
ServerHello
Certificate *
ServerKeyExchange*
CertificateRequest*
ServerHelloDone
<-------------------------------
Certificate*
ClientKeyExchange
CertificateVerify*
change cipher spec
Finished
| -------------------------------->
| change cipher spec
| Finished
| |
| |
Application Data <------------------------------->Application Data
FIGURE 1: The TLS protocol. All messages followed by a star are
optional. Note: This figure was taken from an IETF document
[1].
The TLS security context is negotiated in the client and server hello
messages. For example: TLS_RSA_WITH_RC4_MD5 means the initial
authentication will be done using the RSA public key algorithm, RC4
will be used for the session key, and MACs will be based on the MD5
algorithm. Thus, to facilitate the Kerberos authentication option,
we must start by defining new cipher suites including (but not
limited to):
Medvinsky & Hur Standards Track [Page 2]
RFC 2712 Addition of Kerberos Cipher Suites to TLS October 1999
CipherSuite TLS_KRB5_WITH_DES_CBC_SHA = { 0x00,0x1E };
CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1F };
CipherSuite TLS_KRB5_WITH_RC4_128_SHA = { 0x00,0x20 };
CipherSuite TLS_KRB5_WITH_IDEA_CBC_SHA = { 0x00,0x21 };
CipherSuite TLS_KRB5_WITH_DES_CBC_MD5 = { 0x00,0x22 };
CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = { 0x00,0x23 };
CipherSuite TLS_KRB5_WITH_RC4_128_MD5 = { 0x00,0x24 };
CipherSuite TLS_KRB5_WITH_IDEA_CBC_MD5 = { 0x00,0x25 };
CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = { 0x00,0x26 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = { 0x00,0x27 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_SHA = { 0x00,0x28 };
CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = { 0x00,0x29 };
CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x2A };
CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x2B };
To establish a Kerberos-based security context, one or more of the
above cipher suites must be specified in the client hello message.
If the TLS server supports the Kerberos authentication option, the
server hello message, sent to the client, will confirm the Kerberos
cipher suite selected by the server. The server's certificate, the
client
CertificateRequest, and the ServerKeyExchange shown in Figure 1 will
be omitted since authentication and the establishment of a master
secret will be done using the client's Kerberos credentials for the
TLS server. The client's certificate will be omitted for the same
reason. Note that these messages are specified as optional in the
TLS protocol; therefore, omitting them is permissible.
The Kerberos option must be added to the ClientKeyExchange message as
shown in Figure 2.
Medvinsky & Hur Standards Track [Page 3]
RFC 2712 Addition of Kerberos Cipher Suites to TLS October 1999
struct
{
select (KeyExchangeAlgorithm)
{
case krb5: KerberosWrapper; /* new addition */
case rsa: EncryptedPreMasterSecret;
case diffie_hellman: ClientDiffieHellmanPublic;
} Exchange_keys;
} ClientKeyExchange;
struct
{
opaque Ticket;
opaque authenticator; /* optional */
opaque EncryptedPreMasterSecret; /* encrypted with the session key
which is sealed in the ticket */
} KerberosWrapper; /* new addition */
FIGURE 2: The Kerberos option in the ClientKeyExchange.
To use the Kerberos authentication option, the TLS client must obtain
a service ticket for the TLS server. In TLS, the ClientKeyExchange
message is used to pass a random 48-byte pre-master secret to the
server.
The client and server then use the pre-master secret to independently
derive the master secret, which in turn is used for generating
session keys and for MAC computations. Thus, if the Kerberos option
is selected, the pre-master secret structure is the same as that used
in the RSA case; it is encrypted under the Kerberos session key and
sent to the TLS server along with the Kerberos credentials (see
Figure 2). The ticket and authenticator are encoded per RFC 1510
(ASN.1 encoding). Once the ClientKeyExchange message is received,
the server's secret key is used to unwrap the credentials and extract
the pre-master secret.
Note that a Kerberos authenticator is not required, since the master
secret derived by the client and server is seeded with a random value
passed in the server hello message, thus foiling replay attacks.
However, the authenticator may still prove useful for passing
authorization information and is thus allotted an optional field (see
Figure 2).
Lastly, the client and server exchange the finished messages to
complete the handshake. At this point we have achieved the
following:
Medvinsky & Hur Standards Track [Page 4]
RFC 2712 Addition of Kerberos Cipher Suites to TLS October 1999
1) A master secret, used to protect all subsequent communication, is
securely established.
2) Mutual client-server authentication is achieved, since the TLS
server proves knowledge of the master secret in the finished
message.
Note that the Kerberos option fits in seamlessly, without adding any
new messages.
4. Naming Conventions:
To obtain an appropriate service ticket, the TLS client must
determine the principal name of the TLS server. The Kerberos service
naming convention is used for this purpose, as follows:
host/MachineName@Realm
where:
- The literal, "host", follows the Kerberos convention when not
concerned about the protection domain on a particular machine.
- "MachineName" is the particular instance of the service.
- The Kerberos "Realm" is the domain name of the machine.
5. Summary
The proposed Kerberos authentication option is added in exactly the
same manner as a new public key algorithm would be added to TLS.
Furthermore, it establishes the master secret in exactly the same
manner.
6. Security Considerations
Kerberos ciphersuites are subject to the same security considerations
as the TLS protocol. In addition, just as a public key
implementation must take care to protect the private key (for example
the PIN for a smartcard), a Kerberos implementation must take care to
protect the long lived secret that is shared between the principal
and the KDC. In particular, a weak password may be subject to a
dictionary attack. In order to strengthen the initial authentication
to a KDC, an implementor may choose to utilize secondary
authentication via a token card, or one may utilize initial
authentication to the KDC based on public key cryptography (commonly
known as PKINIT - a product of the Common Authentication Technology
working group of the IETF).
Medvinsky & Hur Standards Track [Page 5]
RFC 2712 Addition of Kerberos Cipher Suites to TLS October 1999
7. Acknowledgements
We would like to thank Clifford Neuman for his invaluable comments on
earlier versions of this document.
8. References
[1] Dierks, T. and C. Allen, "The TLS Protocol, Version 1.0", RFC
2246, January 1999.
[2] Kohl J. and C. Neuman, "The Kerberos Network Authentication
Service (V5)", RFC 1510, September 1993.
9. Authors' Addresses
Ari Medvinsky
Excite
555 Broadway
Redwood City, CA 94063
Phone: +1 650 569 2119
EMail: amedvins@excitecorp.com
http://www.excite.com
Matthew Hur
CyberSafe Corporation
1605 NW Sammamish Road
Issaquah WA 98027-5378
Phone: +1 425 391 6000
EMail: matt.hur@cybersafe.com
http://www.cybersafe.com
Medvinsky & Hur Standards Track [Page 6]
RFC 2712 Addition of Kerberos Cipher Suites to TLS October 1999
10. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Medvinsky & Hur Standards Track [Page 7]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+731
Ver Arquivo
@@ -0,0 +1,731 @@
Network Working Group R. Khare
Request for Comments: 2817 4K Associates / UC Irvine
Updates: 2616 S. Lawrence
Category: Standards Track Agranat Systems, Inc.
May 2000
Upgrading to TLS Within HTTP/1.1
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This memo explains how to use the Upgrade mechanism in HTTP/1.1 to
initiate Transport Layer Security (TLS) over an existing TCP
connection. This allows unsecured and secured HTTP traffic to share
the same well known port (in this case, http: at 80 rather than
https: at 443). It also enables "virtual hosting", so a single HTTP +
TLS server can disambiguate traffic intended for several hostnames at
a single IP address.
Since HTTP/1.1 [1] defines Upgrade as a hop-by-hop mechanism, this
memo also documents the HTTP CONNECT method for establishing end-to-
end tunnels across HTTP proxies. Finally, this memo establishes new
IANA registries for public HTTP status codes, as well as public or
private Upgrade product tokens.
This memo does NOT affect the current definition of the 'https' URI
scheme, which already defines a separate namespace
(http://example.org/ and https://example.org/ are not equivalent).
Khare & Lawrence Standards Track [Page 1]
RFC 2817 HTTP Upgrade to TLS May 2000
Table of Contents
1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1 Requirements Terminology . . . . . . . . . . . . . . . . . . . 4
3. Client Requested Upgrade to HTTP over TLS . . . . . . . . . . 4
3.1 Optional Upgrade . . . . . . . . . . . . . . . . . . . . . . . 4
3.2 Mandatory Upgrade . . . . . . . . . . . . . . . . . . . . . . 4
3.3 Server Acceptance of Upgrade Request . . . . . . . . . . . . . 4
4. Server Requested Upgrade to HTTP over TLS . . . . . . . . . . 5
4.1 Optional Advertisement . . . . . . . . . . . . . . . . . . . . 5
4.2 Mandatory Advertisement . . . . . . . . . . . . . . . . . . . 5
5. Upgrade across Proxies . . . . . . . . . . . . . . . . . . . . 6
5.1 Implications of Hop By Hop Upgrade . . . . . . . . . . . . . . 6
5.2 Requesting a Tunnel with CONNECT . . . . . . . . . . . . . . . 6
5.3 Establishing a Tunnel with CONNECT . . . . . . . . . . . . . . 7
6. Rationale for the use of a 4xx (client error) Status Code . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7.1 HTTP Status Code Registry . . . . . . . . . . . . . . . . . . 8
7.2 HTTP Upgrade Token Registry . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8.1 Implications for the https: URI Scheme . . . . . . . . . . . . 10
8.2 Security Considerations for CONNECT . . . . . . . . . . . . . 10
References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 11
A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
Full Copyright Statement . . . . . . . . . . . . . . . . . . . 13
1. Motivation
The historical practice of deploying HTTP over SSL3 [3] has
distinguished the combination from HTTP alone by a unique URI scheme
and the TCP port number. The scheme 'http' meant the HTTP protocol
alone on port 80, while 'https' meant the HTTP protocol over SSL on
port 443. Parallel well-known port numbers have similarly been
requested -- and in some cases, granted -- to distinguish between
secured and unsecured use of other application protocols (e.g.
snews, ftps). This approach effectively halves the number of
available well known ports.
At the Washington DC IETF meeting in December 1997, the Applications
Area Directors and the IESG reaffirmed that the practice of issuing
parallel "secure" port numbers should be deprecated. The HTTP/1.1
Upgrade mechanism can apply Transport Layer Security [6] to an open
HTTP connection.
Khare & Lawrence Standards Track [Page 2]
RFC 2817 HTTP Upgrade to TLS May 2000
In the nearly two years since, there has been broad acceptance of the
concept behind this proposal, but little interest in implementing
alternatives to port 443 for generic Web browsing. In fact, nothing
in this memo affects the current interpretation of https: URIs.
However, new application protocols built atop HTTP, such as the
Internet Printing Protocol [7], call for just such a mechanism in
order to move ahead in the IETF standards process.
The Upgrade mechanism also solves the "virtual hosting" problem.
Rather than allocating multiple IP addresses to a single host, an
HTTP/1.1 server will use the Host: header to disambiguate the
intended web service. As HTTP/1.1 usage has grown more prevalent,
more ISPs are offering name-based virtual hosting, thus delaying IP
address space exhaustion.
TLS (and SSL) have been hobbled by the same limitation as earlier
versions of HTTP: the initial handshake does not specify the intended
hostname, relying exclusively on the IP address. Using a cleartext
HTTP/1.1 Upgrade: preamble to the TLS handshake -- choosing the
certificates based on the initial Host: header -- will allow ISPs to
provide secure name-based virtual hosting as well.
2. Introduction
TLS, a.k.a., SSL (Secure Sockets Layer), establishes a private end-
to-end connection, optionally including strong mutual authentication,
using a variety of cryptosystems. Initially, a handshake phase uses
three subprotocols to set up a record layer, authenticate endpoints,
set parameters, as well as report errors. Then, there is an ongoing
layered record protocol that handles encryption, compression, and
reassembly for the remainder of the connection. The latter is
intended to be completely transparent. For example, there is no
dependency between TLS's record markers and or certificates and
HTTP/1.1's chunked encoding or authentication.
Either the client or server can use the HTTP/1.1 [1] Upgrade
mechanism (Section 14.42) to indicate that a TLS-secured connection
is desired or necessary. This memo defines the "TLS/1.0" Upgrade
token, and a new HTTP Status Code, "426 Upgrade Required".
Section 3 and Section 4 describe the operation of a directly
connected client and server. Intermediate proxies must establish an
end-to-end tunnel before applying those operations, as explained in
Section 5.
Khare & Lawrence Standards Track [Page 3]
RFC 2817 HTTP Upgrade to TLS May 2000
2.1 Requirements Terminology
Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
"MAY" that appear in this document are to be interpreted as described
in RFC 2119 [11].
3. Client Requested Upgrade to HTTP over TLS
When the client sends an HTTP/1.1 request with an Upgrade header
field containing the token "TLS/1.0", it is requesting the server to
complete the current HTTP/1.1 request after switching to TLS/1.0.
3.1 Optional Upgrade
A client MAY offer to switch to secured operation during any clear
HTTP request when an unsecured response would be acceptable:
GET http://example.bank.com/acct_stat.html?749394889300 HTTP/1.1
Host: example.bank.com
Upgrade: TLS/1.0
Connection: Upgrade
In this case, the server MAY respond to the clear HTTP operation
normally, OR switch to secured operation (as detailed in the next
section).
Note that HTTP/1.1 [1] specifies "the upgrade keyword MUST be
supplied within a Connection header field (section 14.10) whenever
Upgrade is present in an HTTP/1.1 message".
3.2 Mandatory Upgrade
If an unsecured response would be unacceptable, a client MUST send an
OPTIONS request first to complete the switch to TLS/1.0 (if
possible).
OPTIONS * HTTP/1.1
Host: example.bank.com
Upgrade: TLS/1.0
Connection: Upgrade
3.3 Server Acceptance of Upgrade Request
As specified in HTTP/1.1 [1], if the server is prepared to initiate
the TLS handshake, it MUST send the intermediate "101 Switching
Protocol" and MUST include an Upgrade response header specifying the
tokens of the protocol stack it is switching to:
Khare & Lawrence Standards Track [Page 4]
RFC 2817 HTTP Upgrade to TLS May 2000
HTTP/1.1 101 Switching Protocols
Upgrade: TLS/1.0, HTTP/1.1
Connection: Upgrade
Note that the protocol tokens listed in the Upgrade header of a 101
Switching Protocols response specify an ordered 'bottom-up' stack.
As specified in HTTP/1.1 [1], Section 10.1.2: "The server will
switch protocols to those defined by the response's Upgrade header
field immediately after the empty line which terminates the 101
response".
Once the TLS handshake completes successfully, the server MUST
continue with the response to the original request. Any TLS handshake
failure MUST lead to disconnection, per the TLS error alert
specification.
4. Server Requested Upgrade to HTTP over TLS
The Upgrade response header field advertises possible protocol
upgrades a server MAY accept. In conjunction with the "426 Upgrade
Required" status code, a server can advertise the exact protocol
upgrade(s) that a client MUST accept to complete the request.
4.1 Optional Advertisement
As specified in HTTP/1.1 [1], the server MAY include an Upgrade
header in any response other than 101 or 426 to indicate a
willingness to switch to any (combination) of the protocols listed.
4.2 Mandatory Advertisement
A server MAY indicate that a client request can not be completed
without TLS using the "426 Upgrade Required" status code, which MUST
include an an Upgrade header field specifying the token of the
required TLS version.
HTTP/1.1 426 Upgrade Required
Upgrade: TLS/1.0, HTTP/1.1
Connection: Upgrade
The server SHOULD include a message body in the 426 response which
indicates in human readable form the reason for the error and
describes any alternative courses which may be available to the user.
Note that even if a client is willing to use TLS, it must use the
operations in Section 3 to proceed; the TLS handshake cannot begin
immediately after the 426 response.
Khare & Lawrence Standards Track [Page 5]
RFC 2817 HTTP Upgrade to TLS May 2000
5. Upgrade across Proxies
As a hop-by-hop header, Upgrade is negotiated between each pair of
HTTP counterparties. If a User Agent sends a request with an Upgrade
header to a proxy, it is requesting a change to the protocol between
itself and the proxy, not an end-to-end change.
Since TLS, in particular, requires end-to-end connectivity to provide
authentication and prevent man-in-the-middle attacks, this memo
specifies the CONNECT method to establish a tunnel across proxies.
Once a tunnel is established, any of the operations in Section 3 can
be used to establish a TLS connection.
5.1 Implications of Hop By Hop Upgrade
If an origin server receives an Upgrade header from a proxy and
responds with a 101 Switching Protocols response, it is changing the
protocol only on the connection between the proxy and itself.
Similarly, a proxy might return a 101 response to its client to
change the protocol on that connection independently of the protocols
it is using to communicate toward the origin server.
These scenarios also complicate diagnosis of a 426 response. Since
Upgrade is a hop-by-hop header, a proxy that does not recognize 426
might remove the accompanying Upgrade header and prevent the client
from determining the required protocol switch. If a client receives
a 426 status without an accompanying Upgrade header, it will need to
request an end to end tunnel connection as described in Section 5.2
and repeat the request in order to obtain the required upgrade
information.
This hop-by-hop definition of Upgrade was a deliberate choice. It
allows for incremental deployment on either side of proxies, and for
optimized protocols between cascaded proxies without the knowledge of
the parties that are not a part of the change.
5.2 Requesting a Tunnel with CONNECT
A CONNECT method requests that a proxy establish a tunnel connection
on its behalf. The Request-URI portion of the Request-Line is always
an 'authority' as defined by URI Generic Syntax [2], which is to say
the host name and port number destination of the requested connection
separated by a colon:
CONNECT server.example.com:80 HTTP/1.1
Host: server.example.com:80
Khare & Lawrence Standards Track [Page 6]
RFC 2817 HTTP Upgrade to TLS May 2000
Other HTTP mechanisms can be used normally with the CONNECT method --
except end-to-end protocol Upgrade requests, of course, since the
tunnel must be established first.
For example, proxy authentication might be used to establish the
authority to create a tunnel:
CONNECT server.example.com:80 HTTP/1.1
Host: server.example.com:80
Proxy-Authorization: basic aGVsbG86d29ybGQ=
Like any other pipelined HTTP/1.1 request, data to be tunneled may be
sent immediately after the blank line. The usual caveats also apply:
data may be discarded if the eventual response is negative, and the
connection may be reset with no response if more than one TCP segment
is outstanding.
5.3 Establishing a Tunnel with CONNECT
Any successful (2xx) response to a CONNECT request indicates that the
proxy has established a connection to the requested host and port,
and has switched to tunneling the current connection to that server
connection.
It may be the case that the proxy itself can only reach the requested
origin server through another proxy. In this case, the first proxy
SHOULD make a CONNECT request of that next proxy, requesting a tunnel
to the authority. A proxy MUST NOT respond with any 2xx status code
unless it has either a direct or tunnel connection established to the
authority.
An origin server which receives a CONNECT request for itself MAY
respond with a 2xx status code to indicate that a connection is
established.
If at any point either one of the peers gets disconnected, any
outstanding data that came from that peer will be passed to the other
one, and after that also the other connection will be terminated by
the proxy. If there is outstanding data to that peer undelivered,
that data will be discarded.
6. Rationale for the use of a 4xx (client error) Status Code
Reliable, interoperable negotiation of Upgrade features requires an
unambiguous failure signal. The 426 Upgrade Required status code
allows a server to definitively state the precise protocol extensions
a given resource must be served with.
Khare & Lawrence Standards Track [Page 7]
RFC 2817 HTTP Upgrade to TLS May 2000
It might at first appear that the response should have been some form
of redirection (a 3xx code), by analogy to an old-style redirection
to an https: URI. User agents that do not understand Upgrade:
preclude this.
Suppose that a 3xx code had been assigned for "Upgrade Required"; a
user agent that did not recognize it would treat it as 300. It would
then properly look for a "Location" header in the response and
attempt to repeat the request at the URL in that header field. Since
it did not know to Upgrade to incorporate the TLS layer, it would at
best fail again at the new URL.
7. IANA Considerations
IANA shall create registries for two name spaces, as described in BCP
26 [10]:
o HTTP Status Codes
o HTTP Upgrade Tokens
7.1 HTTP Status Code Registry
The HTTP Status Code Registry defines the name space for the Status-
Code token in the Status line of an HTTP response. The initial
values for this name space are those specified by:
1. Draft Standard for HTTP/1.1 [1]
2. Web Distributed Authoring and Versioning [4] [defines 420-424]
3. WebDAV Advanced Collections [5] (Work in Progress) [defines 425]
4. Section 6 [defines 426]
Values to be added to this name space SHOULD be subject to review in
the form of a standards track document within the IETF Applications
Area. Any such document SHOULD be traceable through statuses of
either 'Obsoletes' or 'Updates' to the Draft Standard for
HTTP/1.1 [1].
7.2 HTTP Upgrade Token Registry
The HTTP Upgrade Token Registry defines the name space for product
tokens used to identify protocols in the Upgrade HTTP header field.
Each registered token should be associated with one or a set of
specifications, and with contact information.
The Draft Standard for HTTP/1.1 [1] specifies that these tokens obey
the production for 'product':
Khare & Lawrence Standards Track [Page 8]
RFC 2817 HTTP Upgrade to TLS May 2000
product = token ["/" product-version]
product-version = token
Registrations should be allowed on a First Come First Served basis as
described in BCP 26 [10]. These specifications need not be IETF
documents or be subject to IESG review, but should obey the following
rules:
1. A token, once registered, stays registered forever.
2. The registration MUST name a responsible party for the
registration.
3. The registration MUST name a point of contact.
4. The registration MAY name the documentation required for the
token.
5. The responsible party MAY change the registration at any time.
The IANA will keep a record of all such changes, and make them
available upon request.
6. The responsible party for the first registration of a "product"
token MUST approve later registrations of a "version" token
together with that "product" token before they can be registered.
7. If absolutely required, the IESG MAY reassign the responsibility
for a token. This will normally only be used in the case when a
responsible party cannot be contacted.
This specification defines the protocol token "TLS/1.0" as the
identifier for the protocol specified by The TLS Protocol [6].
It is NOT required that specifications for upgrade tokens be made
publicly available, but the contact information for the registration
SHOULD be.
8. Security Considerations
The potential for a man-in-the-middle attack (deleting the Upgrade
header) remains the same as current, mixed http/https practice:
o Removing the Upgrade header is similar to rewriting web pages to
change https:// links to http:// links.
o The risk is only present if the server is willing to vend such
information over both a secure and an insecure channel in the
first place.
o If the client knows for a fact that a server is TLS-compliant, it
can insist on it by only sending an Upgrade request with a no-op
method like OPTIONS.
o Finally, as the https: specification warns, "users should
carefully examine the certificate presented by the server to
determine if it meets their expectations".
Khare & Lawrence Standards Track [Page 9]
RFC 2817 HTTP Upgrade to TLS May 2000
Furthermore, for clients that do not explicitly try to invoke TLS,
servers can use the Upgrade header in any response other than 101 or
426 to advertise TLS compliance. Since TLS compliance should be
considered a feature of the server and not the resource at hand, it
should be sufficient to send it once, and let clients cache that
fact.
8.1 Implications for the https: URI Scheme
While nothing in this memo affects the definition of the 'https' URI
scheme, widespread adoption of this mechanism for HyperText content
could use 'http' to identify both secure and non-secure resources.
The choice of what security characteristics are required on the
connection is left to the client and server. This allows either
party to use any information available in making this determination.
For example, user agents may rely on user preference settings or
information about the security of the network such as 'TLS required
on all POST operations not on my local net', or servers may apply
resource access rules such as 'the FORM on this page must be served
and submitted using TLS'.
8.2 Security Considerations for CONNECT
A generic TCP tunnel is fraught with security risks. First, such
authorization should be limited to a small number of known ports.
The Upgrade: mechanism defined here only requires onward tunneling at
port 80. Second, since tunneled data is opaque to the proxy, there
are additional risks to tunneling to other well-known or reserved
ports. A putative HTTP client CONNECTing to port 25 could relay spam
via SMTP, for example.
References
[1] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol --
HTTP/1.1", RFC 2616, June 1999.
[2] Berners-Lee, T., Fielding, R. and L. Masinter, "URI Generic
Syntax", RFC 2396, August 1998.
[3] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[4] Goland, Y., Whitehead, E., Faizi, A., Carter, S. and D. Jensen,
"Web Distributed Authoring and Versioning", RFC 2518, February
1999.
Khare & Lawrence Standards Track [Page 10]
RFC 2817 HTTP Upgrade to TLS May 2000
[5] Slein, J., Whitehead, E.J., et al., "WebDAV Advanced Collections
Protocol", Work In Progress.
[6] Dierks, T. and C. Allen, "The TLS Protocol", RFC 2246, January
1999.
[7] Herriot, R., Butler, S., Moore, P. and R. Turner, "Internet
Printing Protocol/1.0: Encoding and Transport", RFC 2565, April
1999.
[8] Luotonen, A., "Tunneling TCP based protocols through Web proxy
servers", Work In Progress. (Also available in: Luotonen, Ari.
Web Proxy Servers, Prentice-Hall, 1997 ISBN:0136806120.)
[9] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, June
1999.
[10] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[11] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
Authors' Addresses
Rohit Khare
4K Associates / UC Irvine
3207 Palo Verde
Irvine, CA 92612
US
Phone: +1 626 806 7574
EMail: rohit@4K-associates.com
URI: http://www.4K-associates.com/
Scott Lawrence
Agranat Systems, Inc.
5 Clocktower Place
Suite 400
Maynard, MA 01754
US
Phone: +1 978 461 0888
EMail: lawrence@agranat.com
URI: http://www.agranat.com/
Khare & Lawrence Standards Track [Page 11]
RFC 2817 HTTP Upgrade to TLS May 2000
Appendix A. Acknowledgments
The CONNECT method was originally described in a Work in Progress
titled, "Tunneling TCP based protocols through Web proxy servers",
[8] by Ari Luotonen of Netscape Communications Corporation. It was
widely implemented by HTTP proxies, but was never made a part of any
IETF Standards Track document. The method name CONNECT was reserved,
but not defined in [1].
The definition provided here is derived directly from that earlier
memo, with some editorial changes and conformance to the stylistic
conventions since established in other HTTP specifications.
Additional Thanks to:
o Paul Hoffman for his work on the STARTTLS command extension for
ESMTP.
o Roy Fielding for assistance with the rationale behind Upgrade:
and its interaction with OPTIONS.
o Eric Rescorla for his work on standardizing the existing https:
practice to compare with.
o Marshall Rose, for the xml2rfc document type description and tools
[9].
o Jim Whitehead, for sorting out the current range of available HTTP
status codes.
o Henrik Frystyk Nielsen, whose work on the Mandatory extension
mechanism pointed out a hop-by-hop Upgrade still requires
tunneling.
o Harald Alvestrand for improvements to the token registration
rules.
Khare & Lawrence Standards Track [Page 12]
RFC 2817 HTTP Upgrade to TLS May 2000
Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Khare & Lawrence Standards Track [Page 13]
+395
Ver Arquivo
@@ -0,0 +1,395 @@
Network Working Group E. Rescorla
Request for Comments: 2818 RTFM, Inc.
Category: Informational May 2000
HTTP Over TLS
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This memo describes how to use TLS to secure HTTP connections over
the Internet. Current practice is to layer HTTP over SSL (the
predecessor to TLS), distinguishing secured traffic from insecure
traffic by the use of a different server port. This document
documents that practice using TLS. A companion document describes a
method for using HTTP/TLS over the same port as normal HTTP
[RFC2817].
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Terminology . . . . . . . . . . . . . . . 2
2. HTTP Over TLS . . . . . . . . . . . . . . . . . . . . . . 2
2.1. Connection Initiation . . . . . . . . . . . . . . . . . 2
2.2. Connection Closure . . . . . . . . . . . . . . . . . . 2
2.2.1. Client Behavior . . . . . . . . . . . . . . . . . . . 3
2.2.2. Server Behavior . . . . . . . . . . . . . . . . . . . 3
2.3. Port Number . . . . . . . . . . . . . . . . . . . . . . 4
2.4. URI Format . . . . . . . . . . . . . . . . . . . . . . 4
3. Endpoint Identification . . . . . . . . . . . . . . . . . 4
3.1. Server Identity . . . . . . . . . . . . . . . . . . . . 4
3.2. Client Identity . . . . . . . . . . . . . . . . . . . . 5
References . . . . . . . . . . . . . . . . . . . . . . . . . 6
Security Considerations . . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . 6
Full Copyright Statement . . . . . . . . . . . . . . . . . . 7
Rescorla Informational [Page 1]
RFC 2818 HTTP Over TLS May 2000
1. Introduction
HTTP [RFC2616] was originally used in the clear on the Internet.
However, increased use of HTTP for sensitive applications has
required security measures. SSL, and its successor TLS [RFC2246] were
designed to provide channel-oriented security. This document
describes how to use HTTP over TLS.
1.1. Requirements Terminology
Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and
"MAY" that appear in this document are to be interpreted as described
in [RFC2119].
2. HTTP Over TLS
Conceptually, HTTP/TLS is very simple. Simply use HTTP over TLS
precisely as you would use HTTP over TCP.
2.1. Connection Initiation
The agent acting as the HTTP client should also act as the TLS
client. It should initiate a connection to the server on the
appropriate port and then send the TLS ClientHello to begin the TLS
handshake. When the TLS handshake has finished. The client may then
initiate the first HTTP request. All HTTP data MUST be sent as TLS
"application data". Normal HTTP behavior, including retained
connections should be followed.
2.2. Connection Closure
TLS provides a facility for secure connection closure. When a valid
closure alert is received, an implementation can be assured that no
further data will be received on that connection. TLS
implementations MUST initiate an exchange of closure alerts before
closing a connection. A TLS implementation MAY, after sending a
closure alert, close the connection without waiting for the peer to
send its closure alert, generating an "incomplete close". Note that
an implementation which does this MAY choose to reuse the session.
This SHOULD only be done when the application knows (typically
through detecting HTTP message boundaries) that it has received all
the message data that it cares about.
As specified in [RFC2246], any implementation which receives a
connection close without first receiving a valid closure alert (a
"premature close") MUST NOT reuse that session. Note that a
premature close does not call into question the security of the data
already received, but simply indicates that subsequent data might
Rescorla Informational [Page 2]
RFC 2818 HTTP Over TLS May 2000
have been truncated. Because TLS is oblivious to HTTP
request/response boundaries, it is necessary to examine the HTTP data
itself (specifically the Content-Length header) to determine whether
the truncation occurred inside a message or between messages.
2.2.1. Client Behavior
Because HTTP uses connection closure to signal end of server data,
client implementations MUST treat any premature closes as errors and
the data received as potentially truncated. While in some cases the
HTTP protocol allows the client to find out whether truncation took
place so that, if it received the complete reply, it may tolerate
such errors following the principle to "[be] strict when sending and
tolerant when receiving" [RFC1958], often truncation does not show in
the HTTP protocol data; two cases in particular deserve special note:
A HTTP response without a Content-Length header. Since data length
in this situation is signalled by connection close a premature
close generated by the server cannot be distinguished from a
spurious close generated by an attacker.
A HTTP response with a valid Content-Length header closed before
all data has been read. Because TLS does not provide document
oriented protection, it is impossible to determine whether the
server has miscomputed the Content-Length or an attacker has
truncated the connection.
There is one exception to the above rule. When encountering a
premature close, a client SHOULD treat as completed all requests for
which it has received as much data as specified in the Content-Length
header.
A client detecting an incomplete close SHOULD recover gracefully. It
MAY resume a TLS session closed in this fashion.
Clients MUST send a closure alert before closing the connection.
Clients which are unprepared to receive any more data MAY choose not
to wait for the server's closure alert and simply close the
connection, thus generating an incomplete close on the server side.
2.2.2. Server Behavior
RFC 2616 permits an HTTP client to close the connection at any time,
and requires servers to recover gracefully. In particular, servers
SHOULD be prepared to receive an incomplete close from the client,
since the client can often determine when the end of server data is.
Servers SHOULD be willing to resume TLS sessions closed in this
fashion.
Rescorla Informational [Page 3]
RFC 2818 HTTP Over TLS May 2000
Implementation note: In HTTP implementations which do not use
persistent connections, the server ordinarily expects to be able to
signal end of data by closing the connection. When Content-Length is
used, however, the client may have already sent the closure alert and
dropped the connection.
Servers MUST attempt to initiate an exchange of closure alerts with
the client before closing the connection. Servers MAY close the
connection after sending the closure alert, thus generating an
incomplete close on the client side.
2.3. Port Number
The first data that an HTTP server expects to receive from the client
is the Request-Line production. The first data that a TLS server (and
hence an HTTP/TLS server) expects to receive is the ClientHello.
Consequently, common practice has been to run HTTP/TLS over a
separate port in order to distinguish which protocol is being used.
When HTTP/TLS is being run over a TCP/IP connection, the default port
is 443. This does not preclude HTTP/TLS from being run over another
transport. TLS only presumes a reliable connection-oriented data
stream.
2.4. URI Format
HTTP/TLS is differentiated from HTTP URIs by using the 'https'
protocol identifier in place of the 'http' protocol identifier. An
example URI specifying HTTP/TLS is:
https://www.example.com/~smith/home.html
3. Endpoint Identification
3.1. Server Identity
In general, HTTP/TLS requests are generated by dereferencing a URI.
As a consequence, the hostname for the server is known to the client.
If the hostname is available, the client MUST check it against the
server's identity as presented in the server's Certificate message,
in order to prevent man-in-the-middle attacks.
If the client has external information as to the expected identity of
the server, the hostname check MAY be omitted. (For instance, a
client may be connecting to a machine whose address and hostname are
dynamic but the client knows the certificate that the server will
present.) In such cases, it is important to narrow the scope of
acceptable certificates as much as possible in order to prevent man
Rescorla Informational [Page 4]
RFC 2818 HTTP Over TLS May 2000
in the middle attacks. In special cases, it may be appropriate for
the client to simply ignore the server's identity, but it must be
understood that this leaves the connection open to active attack.
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
Matching is performed using the matching rules specified by
[RFC2459]. If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
If the hostname does not match the identity in the certificate, user
oriented clients MUST either notify the user (clients MAY give the
user the opportunity to continue with the connection in any case) or
terminate the connection with a bad certificate error. Automated
clients MUST log the error to an appropriate audit log (if available)
and SHOULD terminate the connection (with a bad certificate error).
Automated clients MAY provide a configuration setting that disables
this check, but MUST provide a setting which enables it.
Note that in many cases the URI itself comes from an untrusted
source. The above-described check provides no protection against
attacks where this source is compromised. For example, if the URI was
obtained by clicking on an HTML page which was itself obtained
without using HTTP/TLS, a man in the middle could have replaced the
URI. In order to prevent this form of attack, users should carefully
examine the certificate presented by the server to determine if it
meets their expectations.
3.2. Client Identity
Typically, the server has no external knowledge of what the client's
identity ought to be and so checks (other than that the client has a
certificate chain rooted in an appropriate CA) are not possible. If a
server has such knowledge (typically from some source external to
HTTP or TLS) it SHOULD check the identity as described above.
Rescorla Informational [Page 5]
RFC 2818 HTTP Over TLS May 2000
References
[RFC2459] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
Public Key Infrastructure: Part I: X.509 Certificate and
CRL Profile", RFC 2459, January 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter,
L., Leach, P. and T. Berners-Lee, "Hypertext Transfer
Protocol, HTTP/1.1", RFC 2616, June 1999.
[RFC2119] Bradner, S., "Key Words for use in RFCs to indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol", RFC 2246,
January 1999.
[RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within
HTTP/1.1", RFC 2817, May 2000.
Security Considerations
This entire document is about security.
Author's Address
Eric Rescorla
RTFM, Inc.
30 Newell Road, #16
East Palo Alto, CA 94303
Phone: (650) 328-8631
EMail: ekr@rtfm.com
Rescorla Informational [Page 6]
RFC 2818 HTTP Over TLS May 2000
Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Rescorla Informational [Page 7]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+843
Ver Arquivo
@@ -0,0 +1,843 @@
Network Working Group C. Kugler
Request for Comments: 3239 H. Lewis
Category: Informational IBM Corporation
T. Hastings
Xerox Corporation
February 2002
Internet Printing Protocol (IPP):
Requirements for Job, Printer, and Device Administrative Operations
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document specifies the requirements and uses cases for some
optional administrative operations for use with the Internet Printing
Protocol (IPP) version 1.0 and version 1.1. Some of these
administrative operations operate on the IPP Job and Printer objects.
The remaining operations operate on a new Device object that more
closely models a single output device.
Table of Contents
1 Introduction.....................................................2
2 Terminology......................................................2
3 Requirements and Use Cases.......................................3
4 IANA Considerations.............................................10
5 Internationalization Considerations.............................10
6 Security Considerations.........................................10
7 References......................................................11
Appendix A: Description of base IPP documents......................12
Authors' Addresses.................................................14
Full Copyright Statement...........................................15
List of Tables
Table 1 - List of Printer Operations and corresponding Device
Operations ..................................................... 9
Kugler, Lewis & Hastings Informational [Page 1]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
1 Introduction
The Internet Printing Protocol (IPP) is an application level protocol
that can be used for distributed printing using Internet tools and
technologies. IPP version 1.1 ([RFC2911, RFC2910]) focuses on end
user functionality with a few administrative operations included (for
a description of the base IPP documents, see Appendix A). This
document defines the requirements and use cases for additional
optional end user, operator, and administrator operations used to
control Job objects, Printer objects (see [RFC2911]) and a new Device
object. The new Device object more closely models a single output
device and has no notion of a job, while the Printer object models a
print service which understands jobs and may represent one or more
output devices.
The scope of IPP is characterized in RFC 2567 [RFC2567] "Design Goals
for an Internet Printing Protocol". It is not the intent of this
document to revise or clarify this scope or conjecture as to the
degree of industry adoption or trends related to IPP within printing
systems. It is the intent of this document to extend the original
set of operations - in a similar fashion to the Set1 extensions which
referred to IPP/1.0 and were later incorporated into IPP/1.1.
2 Terminology
This section defines terminology used throughout this document and
the corresponding documents that define the Administrative operations
on Job, Printer, and Device objects.
This document uses terms such as "client", "Printer", "Job",
"attributes", "keywords", and "support". These terms have special
meaning and are defined in the model terminology [RFC2911] section
12.2.
In addition, the following capitalized terms are defined:
IPP Printer object (or Printer for short) - a software abstraction
defined by [RFC2911].
Printer Operation - an operation whose target is an IPP Printer
object and whose effect is on the Printer object.
Output Device - the physical imaging mechanism that an IPP Printer
controls. Note: while this term is capitalized in this
specification (but not in [RFC2911]), there is no formal object
called an Output Device.
Kugler, Lewis & Hastings Informational [Page 2]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
Device Operation - an operation whose target is an IPP Printer
object and whose defined effect is on an Output Device.
Output Device Fan-Out - a configuration in which an IPP Printer
controls more that one output-device.
Printer fan-out - a configuration in which an IPP Printer object
controls more than one Subordinate IPP Printer object.
Printer fan-in - a configuration in which an IPP Printer object is
controlled by more than one IPP Printer object.
Subordinate Printer - an IPP Printer object that is controlled by
another IPP Printer object. Such a Subordinate Printer may
have one or more Subordinate Printers.
Leaf Printer - a Subordinate Printer that has no Subordinate
Printers.
Non-Leaf Printer - an IPP Printer object that has one or more
Subordinate Printers.
Chained Printer - a Non-Leaf Printer that has exactly one
Subordinate Printer.
Job Creation operations - IPP operations that create a Job object:
Print-Job, Print-URI, and Create-Job.
3 Requirements and Use Cases
The Administrative operations for Job and Printer objects will be
defined in one document [ipp-ops-set2]. The Administrative
operations for Device objects will be defined in a separate document.
The requirements are presented here together to show the parallelism.
1. Have separate operations for affecting the IPP Printer
versus affecting the Output Device, so its clear what the
intent of each is, and implementers can implement one or the
other or both.
2. Support fan-out of Printer objects.
3. Support fan-out of Output Devices.
4. Support fan-in of Printer objects, as long as it doesn't
make the semantics more complicated when not supporting
fan-in.
Kugler, Lewis & Hastings Informational [Page 3]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
5. Support fan-in of output objects, as long as it doesn't make
the semantics more complicated when not supporting fan-in.
6. Instead of having operation attributes that alter the
behavior of the operation significantly, have separate
operations, so that it is simple and clear to a client which
semantics the Printer is supporting (by querying the
"operations-supported" attribute) and it is simple to
describe the capabilities of a Printer implementation in
written documentation (just list the optional operations
supported).
7. Need a Printer Operation to prevent a Printer object from
accepting new IPP jobs, but currently accepted jobs continue
unaffected to be scheduled and processed. Need a companion
one to restore the Printer object to accept new IPP jobs.
Usage: Operator is preparing to take the IPP Printer out of
service or to change the configuration of the IPP Printer.
Suggested name and operations: Disable-Printer and Enable-
Printer
8. Need a Device Operation to prevent an Output Device from
accepting any new jobs from any job submission protocol and
a companion one to restore the Output Device to accepting
any jobs.
Usage: Operator is preparing to take the Output Device out
of service.
Suggested name and operations: Disable-Device and Enable
Device
9. Need a Printer Operation to stop the processing after the
current IPP job completes and not start processing any
additional IPP jobs (either by scheduling the jobs or
sending them to the Output Device), but continue to accept
new IPP jobs. Need a companion operation to start
processing/sending IPP jobs again.
Usage: Operator wants to gracefully stop the IPP Printer at
the next job boundary. The Pause-Printer-After-Current-Job
operation is also invoked implicitly by the Deactivate-
Printer and the Shutdown-Printer Operations.
Suggested name and operations: Pause-Printer-After-
Current-Job, (IPP/1.1) Resume-Printer
Kugler, Lewis & Hastings Informational [Page 4]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
10. Need a Device Operation to stop the processing the current
job "immediately", no matter what protocol. Its like the
Pause button on the Output Device. This operation is for
emergencies. The stop point depends on implementation, but
can be mid page, end of page, end of sheet, or after a few
sheets for Output Devices that can't stop that quickly. The
paper path isn't run out. Need a companion operation to
start processing the current any-protocol job without losing
any thing.
Usage: Operator sees something bad about to happen, such as
the paper is about to jam, or the toner is running out, or
the device is overheating or wants to add more paper.
Suggested name and operations: Pause-Device-Now, Resume-
Device
11. Need a Printer Operation to stop the processing of IPP jobs
after all of the currently accepted jobs have been
processed, but any newly accepted jobs go into the
'processing-held' state.
Usage: This allows an operator to reconfigure the Output
Device in order to let jobs that are held waiting for
resources, such as special media, get a chance. Then the
operator uses another operation after reconfiguring. He
repeats the two operations to restore the Output Device to
its normal media.
Suggested name and operations: Hold-New-Jobs, Release-
Held-New-Jobs
12. Need a Device Operation to stop processing the current any-
protocol job at a convenient point, such as after the
current copy (or end of job if last or only copy). Need a
companion operation to start processing the current any-
protocol job or next job without losing any thing.
Usage: The operator wants to empty the output bin that is
near full. The paper path is run out.
Suggested name and operations: Pause-Device-After-Current-
Copy, Resume-Device
Kugler, Lewis & Hastings Informational [Page 5]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
13. Need a Device Operation that always pauses on a device-
defined boundary, no matter how many copies, in order to not
break up a job. Need a companion operation to start
processing the current any-protocol job or next job without
losing any thing.
Usage: The operator wants to empty the output bin that is
near full, but he doesn't want to break up a job in case it
has multiple copies. The paper path is run out.
Suggested name and operations: Pause-Device-After-Current-
Job, Resume-Device
14. Need a Printer Operation that combines Disable-Printer,
Pause-Printer-After-Current-Job, and rejects all other Job,
Printer, and Device Operations, except Job and Printer
queries, System Administrator Set-Printer-Attributes, and
the companion operation to resume activity. In other words,
this operation makes the Printer a read-only object in a
graceful manner for end-users and the operator.
Usage: The administrator wants to reconfigure the Printer
object using the Set-Printer-Attributes operation without
disturbing the current in process work, but wants to make
sure that the operator isn't also trying to change the
Printer object as part of running the Printer.
Suggested name and operation: Deactivate-Printer,
Activate-Printer
15. Need a Device Operation that combines Disable-Device,
Pause-Device-After-Current-Job, and rejects all other Device
Operations, except Job and Printer queries and the companion
operation to resume activity. In other words, this
operation makes the Output Device a read-only object in a
graceful manner.
Usage: The field service person wants to open up the device
without disturbing the current in process work, perhaps to
replace staples, or replace the toner cartridge.
Suggested name and operation: Deactivate-Device, Activate-
Device
Kugler, Lewis & Hastings Informational [Page 6]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
16. Need a Printer Operation to recover from the IPP Printer
software that has gotten confused (run out of heap memory or
gotten into a state that it doesn't seem to be able to get
out of). This is a condition that shouldn't happen, but
does in real life. Any volatile information is saved if
possible before the software is re-initialized. No
companion operation is needed to undo this. We don't want
to go back to the "confused" state :-).
Usage: The IPP Printer software has gotten confused or
isn't responding properly.
Suggested name and operation: Restart-Printer
17. Need a Device Operation to recover from the Output Device
hardware and software that has gotten confused (gotten into
a state that it doesn't seem to be able to get out of, run
out of heap memory, etc.). This is a condition that
shouldn't happen, but does in real life. This is the same
and has the same options as the Printer MIB reset. No
companion operation is needed to undo this. We don't want
to go back to the "confused" state :-).
Usage: The Output Device has gotten confused or need
resetting to some initial conditions.
Suggested name and operation: Reset-Device
18. Need a Printer Operation to put the IPP Printer object out
of business with no way in the protocol to bring that
instantiation back to life (but see Startup-Printer which
brings up exactly one new instantiation to life with the
same URL). Any volatile information is saved if possible.
Usage: The Printer is being moved or the building's power
is being shut off.
Suggested name and operation: Shutdown-Printer
19. Need a Printer Operation to bring an IPP Printer to life
when there is an already running host.
Usage: After the host is started (by means outside the IPP
protocol), the operator is able to ask the host to bring up
any number of Printer objects (that the host has been
configured in some way) each with distinct URLs.
Suggested name and operation: Startup-Printer
Kugler, Lewis & Hastings Informational [Page 7]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
20. Need a Device Operation to power off the Output Device after
writing out any software state. It is assumed that other
operations have more gracefully prepared the Output Device
for this drastic and immediate. There is no companion
Device Operation to bring the power back on.
Usage: The Output Device is going to be moved, the power in
the building is going to be shutoff, the repair man has
arrived and needs to take the Output Device apart.
Suggested name and operation: Power-Off-Device
21. Need a Device Operation to startup a powered-off device.
Usage: After a Power-Off-Device, if the device can be
powered back up (possibly by an intervening host that
supports the Device Operation).
Suggest name and operation: Power-On-Device
Kugler, Lewis & Hastings Informational [Page 8]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
The tentative list of Printer and the corresponding Device Operations
is shown in Table 1:
Table 1 - List of Printer Operations and corresponding Device
Operations
Printer Operation Corresponding Device Operation
equivalent
Disable-Printer Disable-Device
Enable-Printer Enable-Device
Pause-Printer (IPP/1.1 - [RFC2911] Pause-Device-Now
- one interpretation)
no Pause-Device-After-Current-Copy
Pause-Printer-After-Current-Job Pause-Device-After-Current-Job
Resume-Printer (IPP/1.1 - Resume-Device
[RFC2911])
Hold-New-Jobs no
Release-Held-New-Jobs no
Deactivate-Printer Deactivate-Device
Activate-Printer Activate-Device
Purge-Jobs (IPP/1.1 - [RFC2911]) Purge-Device
Restart-Printer Reset-Device
Shutdown-Printer Power-Off-Device
Startup-Printer Power-On-Device
There are no conformance dependencies between Printer Operations and
Device Operations. Either may be supported without supporting the
corresponding operations.
Kugler, Lewis & Hastings Informational [Page 9]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
4 IANA Considerations
This document does not define anything to be registered. When a
document is produced that defines operations that meet the
requirements in this document, those operations will be registered
according to the procedures in [RFC2911] section 6.4.
5 Internationalization Considerations
This document has the same localization considerations as the
[RFC2911].
6 Security Considerations
This document defines the requirements for operations that are
intended to be used by an operator or system administrator. These
operations, when defined, would affect how the Printer behaves and
establish policy and/or operating behavior that ordinary users
shouldn't be able to perform. Printer implementations that support
such operations should authenticate users and authorized them as
being an operator or a system administrator for the system.
Otherwise, unprivileged users could affect the policy and behavior of
IPP Printers, thereby affecting other users. Similarly clients that
supports such operations should be prepared to provide the necessary
authentication information. See the security provisions in [RFC2911]
for authentication, such as TLS.
Kugler, Lewis & Hastings Informational [Page 10]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
7 References
[ipp-ntfy] Herriot, R., Hastings, T., Isaacson, S., Martin, J.,
deBry, R., Shepherd, M. and R. Bergman, "Internet
Printing Protocol/1.1: IPP Event Notifications and
Subscriptions", Work in Progress.
[ipp-ops-set2] Kugler, C., Hastings, T. and H. Lewis, "Internet
Printing Protocol (IPP): Job and Printer
Administrative Operations", Work in Progress.
[RFC2565] Herriot, R., Butler, S., Moore, P. and R. Tuner,
"Internet Printing Protocol/1.0: Encoding and
Transport", RFC 2565, April 1999.
[RFC2566] deBry, R., Hastings, T., Herriot, R. and S. Isaacson,
P. Powell, "Internet Printing Protocol/1.0: Model and
Semantics", RFC 2566, April 1999.
[RFC2567] Wright, D., "Design Goals for an Internet Printing
Protocol", RFC 2567, April 1999.
[RFC2568] Zilles, S., "Rationale for the Structure and Model and
Protocol for the Internet Printing Protocol", RFC
2568, April 1999.
[RFC2569] Herriot, R., Hastings, T., Jacobs, N. and J. Martin,
"Mapping between LPD and IPP Protocols", RFC 2569,
April 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext
Transfer Protocol - HTTP/1.1", RFC 2616, June 1999.
[RFC2910] Herriot, R., Butler, S., Moore, P. and R. Tuner,
"Internet Printing Protocol/1.1: Encoding and
Transport", RFC 2910, September 2000.
[RFC2911] deBry, R., Hastings, T., Herriot, R., Isaacson, S. and
P. Powell, "Internet Printing Protocol/1.0: Model and
Semantics", RFC 2911, September 2000.
[RFC3196] Hastings, T., Manros, C., Zehler, P., Kuger, C. and H.
Holst, "Internet Printing Protocol/1.1: Implementer's
Guide", RFC 3196, November 2001.
Kugler, Lewis & Hastings Informational [Page 11]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
Appendix A: Description of base IPP documents
The base set of IPP documents includes:
Design Goals for an Internet Printing Protocol [RFC2567]
Rationale for the Structure and Model and Protocol for the
Internet Printing Protocol [RFC2568]
Internet Printing Protocol/1.1: Model and Semantics [RFC2911]
Internet Printing Protocol/1.1: Encoding and Transport [RFC2910]
Internet Printing Protocol/1.1: Implementer's Guide [RFC3196]
Mapping between LPD and IPP Protocols [RFC2569]
Internet Printing Protocol (IPP): IPP Event Notifications and
Subscriptions [ipp-ntfy]
The "Design Goals for an Internet Printing Protocol" document takes a
broad look at distributed printing functionality, and it enumerates
real-life scenarios that help to clarify the features that need to be
included in a printing protocol for the Internet. It identifies
requirements for three types of users: end users, operators, and
administrators. It calls out a subset of end user requirements that
are satisfied in IPP/1.0. A few optional operator operations have
been added to IPP/1.1.
The "Rationale for the Structure and Model and Protocol for the
Internet Printing Protocol" document describes IPP from a high level
view, defines a roadmap for the various documents that form the suite
of IPP specification documents, and gives background and rationale
for the IETF working group's major decisions.
The "Internet Printing Protocol/1.1: Model and Semantics" document
describes a simplified model with abstract objects, their attributes,
and their operations that are independent of encoding and transport.
It introduces a Printer and a Job object. The Job object optionally
supports multiple documents per Job. It also addresses security,
internationalization, and directory issues.
The "Internet Printing Protocol/1.1: Encoding and Transport" document
is a formal mapping of the abstract operations and attributes defined
in the model document onto HTTP/1.1 [RFC2616]. It defines the
encoding rules for a new Internet MIME media type called
"application/ipp". This document also defines the rules for
transporting over HTTP a message body whose Content-Type is
"application/ipp". This document defines the 'ippget' scheme for
identifying IPP printers and jobs.
Kugler, Lewis & Hastings Informational [Page 12]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
The "Internet Printing Protocol/1.1: Implementer's Guide" document
gives insight and advice to implementers of IPP clients and IPP
objects. It is intended to help them understand IPP/1.1 and some of
the considerations that may assist them in the design of their client
and/or IPP object implementations. For example, a typical order of
processing requests is given, including error checking. Motivation
for some of the specification decisions is also included.
The "Mapping between LPD and IPP Protocols" document gives some
advice to implementers of gateways between IPP and LPD (Line Printer
Daemon) implementations.
The "IPP Event Notifications and Subscriptions" document defines an
extension to IPP/1.0 [RFC2566, RFC2565] and IPP/1.1 [RFC2911,
RFC2910]. This extension allows a client to subscribe to printing
related Events and defines the semantics for delivering asynchronous
Event Notifications to the specified Notification Recipient via a
specified Delivery Method (i.e., protocols) defined in (separate)
Delivery Method documents.
Kugler, Lewis & Hastings Informational [Page 13]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
Authors' Addresses
Carl Kugler
IBM
Boulder CO
Phone: (303) 924-5060
EMail: kugler@us.ibm.com
Tom Hastings
Xerox Corporation
737 Hawaii St. ESAE 231
El Segundo, CA 90245
Phone: 310-333-6413
Fax: 310-333-5514
EMail: hastings@cp10.es.xerox.com
Harry Lewis
IBM
Boulder CO
Phone: (303) 924-5337
EMail: harryl@us.ibm.com
IPP Web Page: http://www.pwg.org/ipp/
IPP Mailing List: ipp@pwg.org
To subscribe to the ipp mailing list, send the following email:
1) send it to majordomo@pwg.org
2) leave the subject line blank
3) put the following two lines in the message body:
subscribe ipp
end
Implementers of this specification document are encouraged to join
the IPP Mailing List in order to participate in any discussions of
clarification issues and review of registration proposals for
additional attributes and values. In order to reduce spam the
mailing list rejects mail from non-subscribers, so you must subscribe
to the mailing list in order to send a question or comment to the
mailing list.
Kugler, Lewis & Hastings Informational [Page 14]
RFC 3239 IPP: Req. for Job and Printer Admin Ops February 2002
Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Kugler, Lewis & Hastings Informational [Page 15]
+451
Ver Arquivo
@@ -0,0 +1,451 @@
Network Working Group H. Alvestrand
Request for Comments: 3282 Cisco Systems
Obsoletes: 1766 May 2002
Category: Standards Track
Content Language Headers
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document defines a "Content-language:" header, for use in cases
where one desires to indicate the language of something that has RFC
822-like headers, like MIME body parts or Web documents, and an
"Accept-Language:" header for use in cases where one wishes to
indicate one's preferences with regard to language.
1. Introduction
There are a number of languages presently or previously used by human
beings in this world.
A great number of these people would prefer to have information
presented in a language which they understand.
In some contexts, it is possible to have information available in
more than one language, or it might be possible to provide tools
(such as dictionaries) to assist in the understanding of a language.
In other cases, it may be desirable to use a computer program to
convert information from one format (such as plaintext) into another
(such as computer-synthesized speech, or Braille, or high-quality
print renderings).
Alvestrand Standards Track [Page 1]
RFC 3282 Content Language Headers May 2002
A prerequisite for any such function is a means of labelling the
information content with an identifier for the language that is used
in this information content, such as is defined by [TAGS]. This
document specifies a protocol element for use with protocols that use
RFC 822-like headers for carrying language tags as defined in [TAGS].
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC 2119].
2. The Content-language header
The "Content-Language" header is intended for use in the case where
one desires to indicate the language(s) of something that has RFC
822-like headers, such as MIME body parts or Web documents.
The RFC 822 EBNF of the Content-Language header is:
Content-Language = "Content-Language" ":" 1#Language-tag
In the more strict RFC 2234 ABNF:
Content-Language = "Content-Language" ":" [CFWS] Language-List
Language-List = Language-Tag [CFWS]
*("," [CFWS] Language-Tag [CFWS])
The Content-Language header may list several languages in a comma-
separated list.
The CFWS construct is intended to function like the whitespace
convention in RFC 822, which means also that one can place
parenthesized comments anywhere in the language sequence, or use
continuation lines. A formal definition is given in RFC 2822
[RFC2822].
In keeping with the tradition of RFC 2822, a more liberal "obsolete"
grammar is also given:
obs-content-language = "Content-Language" *WSP ":"
[CFWS] Language-List
Like RFC 2822, this specification says that conforming
implementations MUST accept the obs-content-language syntax, but MUST
NOT generate it; all generated headers MUST conform to the Content-
Language syntax.
Alvestrand Standards Track [Page 2]
RFC 3282 Content Language Headers May 2002
2.1 Examples of Content-language values
Voice recording from Liverpool downtown
Content-type: audio/basic
Content-Language: en-scouse
Document in Mingo, an American Indian language which does not have an
ISO 639 code:
Content-type: text/plain
Content-Language: i-mingo
A English-French dictionary
Content-type: application/dictionary
Content-Language: en, fr (This is a dictionary)
An official European Commission document (in a few of its official
languages):
Content-type: multipart/alternative
Content-Language: da, de, el, en, fr, it
An excerpt from Star Trek
Content-type: video/mpeg
Content-Language: i-klingon
3. The Accept-Language header
The "Accept-Language" header is intended for use in cases where a
user or a process desires to identify the preferred language(s) when
RFC 822-like headers, such as MIME body parts or Web documents, are
used.
The RFC 822 EBNF of the Accept-Language header is:
Accept-Language = "Accept-Language" ":"
1#( language-range [ ";" "q" "=" qvalue ] )
A slightly more restrictive RFC 2234 ABNF definition is:
Accept-Language = "Accept-Language:" [CFWS] language-q
*( "," [CFWS] language-q )
language-q = language-range [";" [CFWS] "q=" qvalue ] [CFWS]
qvalue = ( "0" [ "." 0*3DIGIT ] )
/ ( "1" [ "." 0*3("0") ] )
Alvestrand Standards Track [Page 3]
RFC 3282 Content Language Headers May 2002
A more liberal RFC 2234 ABNF definition is:
Obs-accept-language = "Accept-Language" *WSP ":" [CFWS]
obs-language-q *( "," [CFWS] obs-language-q ) [CFWS]
obs-language-q = language-range
[ [CFWS] ";" [CFWS] "q" [CFWS] "=" qvalue ]
Like RFC 2822, this specification says that conforming
implementations MUST accept the obs-accept-language syntax, but MUST
NOT generate it; all generated messages MUST conform to the Accept-
Language syntax.
The syntax and semantics of language-range is defined in [TAGS]. The
Accept-Language header may list several language-ranges in a comma-
separated list, and each may include a quality value Q. If no Q
values are given, the language-ranges are given in priority order,
with the leftmost language-range being the most preferred language;
this is an extension to the HTTP/1.1 rules, but matches current
practice.
If Q values are given, refer to HTTP/1.1 [RFC 2616] for the details
on how to evaluate it.
4. Security Considerations
The only security issue that has been raised with language tags since
the publication of RFC 1766, which stated that "Security issues are
believed to be irrelevant to this memo", is a concern with language
ranges used in content negotiation - that they may be used to infer
the nationality of the sender, and thus identify potential targets
for surveillance.
This is a special case of the general problem that anything you send
is visible to the receiving party; it is useful to be aware that such
concerns can exist in some cases.
The exact magnitude of the threat, and any possible countermeasures,
is left to each application protocol.
5. Character set considerations
This document adds no new considerations beyond what is mentioned in
[TAGS].
Alvestrand Standards Track [Page 4]
RFC 3282 Content Language Headers May 2002
6. Acknowledgements
This document has benefited from many rounds of review and comments
in various fora of the IETF and the Internet working groups.
Any list of contributors is bound to be incomplete; please regard the
following as only a selection from the group of people who have
contributed to make this document what it is today.
In alphabetical order:
Tim Berners-Lee, Nathaniel Borenstein, Sean M. Burke, John Clews, Jim
Conklin, John Cowan, Dave Crocker, Martin Duerst, Michael Everson,
Ned Freed, Tim Goodwin, Dirk-Willem van Gulik, Marion Gunn, Paul
Hoffman, Olle Jarnefors, John Klensin, Bruce Lilly, Keith Moore,
Chris Newman, Masataka Ohta, Keld Jorn Simonsen, Rhys Weatherley,
Misha Wolf, Francois Yergeau and many, many others.
Special thanks must go to Michael Everson, who has served as language
tag reviewer for almost the entire period, since the publication of
RFC 1766, and has provided a great deal of input to this revision.
Bruce Lilly did a special job of reading and commenting on my ABNF
definitions.
7. References
[TAGS] Alvestrand, H., "Tags for the Identification of
Languages", BCP 47, RFC 3066
[ISO 639] ISO 639:1988 (E/F) - Code for the representation of names
of languages - The International Organization for
Standardization, 1st edition, 1988-04-01 Prepared by
ISO/TC 37 - Terminology (principles and coordination).
Note that a new version (ISO 639-1:2000) is in
preparation at the time of this writing.
[ISO 639-2] ISO 639-2:1998 - Codes for the representation of names of
languages -- Part 2: Alpha-3 code - edition 1, 1998-11-
01, 66 pages, prepared by ISO/TC 37/SC 2
[ISO 3166] ISO 3166:1988 (E/F) - Codes for the representation of
names of countries - The International Organization for
Standardization, 3rd edition, 1988-08-15.
[ISO 15924] ISO/DIS 15924 - Codes for the representation of names of
scripts (under development by ISO TC46/SC2)
Alvestrand Standards Track [Page 5]
RFC 3282 Content Language Headers May 2002
[RFC 2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message
Bodies", RFC 2045, November 1996.
[RFC 2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046,
November 1996.
[RFC 2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions)
Part Three: Message Header Extensions for Non-ASCII
Text", RFC 2047, November 1996.
[RFC 2048] Freed, N., Klensin, J. and J. Postel, "Multipurpose
Internet Mail Extensions (MIME) Part Four: Registration
Procedures", RFC 2048, November 1996.
[RFC 2049] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Five: Conformance Criteria and
Examples", RFC 2049, November 1996.
[RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC 2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
[RFC 2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC 2822] Resnick, P., "Internet Message Format", RFC 2822, April
2001.
Alvestrand Standards Track [Page 6]
RFC 3282 Content Language Headers May 2002
Appendix A: Changes from RFC 1766
The definition of the language tags has been split, and is now RFC
3066. The differences parameter to multipart/alternative is no
longer part of this standard, because no implementations of the
function were ever found. Consult RFC 1766 if you need the
information.
The ABNF for content-language has been updated to use the RFC 2234
ABNF.
Author's Address
Harald Tveit Alvestrand
Cisco Systems
Weidemanns vei 27
7043 Trondheim
NORWAY
EMail: Harald@Alvestrand.no
Phone: +47 73 50 33 52
Alvestrand Standards Track [Page 7]
RFC 3282 Content Language Headers May 2002
Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Alvestrand Standards Track [Page 8]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+955
Ver Arquivo
@@ -0,0 +1,955 @@
Network Working Group T. Hastings
Request for Comments: 3381 Xerox Corporation
Updates: 2910 H. Lewis
Category: Standards Track IBM Printing Company
R. Bergman
Hitachi Koki Imaging Solutions
September 2002
Internet Printing Protocol (IPP):
Job Progress Attributes
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document defines four new Job Description attributes for
monitoring job progress to be registered as OPTIONAL extensions to
the Internet Printing Protocol (IPP/1.0 and IPP/1.1). These
attributes are drawn from the PWG Job Monitoring MIB. This document
also defines a new "sheet-collate" Job Template attribute to control
sheet collation and to help with the interpretation of the job
progress attributes.
Hastings, et. al. Standards Track [Page 1]
RFC 3381 IPP: Job Progress Attributes September 2002
Table of Contents
1 Introduction.....................................................2
2 Terminology......................................................2
2.1 Conformance Terminology........................................4
2.2 Other terminology..............................................4
3 Job Template attributes..........................................4
3.1 sheet-collate (type2 keyword)..................................4
4 IPP Job Description attributes for monitoring Job Progress.......6
4.1 job-collation-type (type2 enum)................................9
4.2 sheet-completed-copy-number (integer(0:MAX))..................11
4.3 sheet-completed-document-number (integer(0:MAX))..............11
4.4 impressions-completed-current-copy (integer(0:MAX))...........11
5 Conformance Requirements........................................11
6 IANA Considerations.............................................12
6.1 Attributes....................................................
6.2 Keyword Attribute Values......................................
6.3 Enum Attribute Values.........................................
7 Internationalization Considerations.............................12
8 Security Considerations.........................................12
9 References......................................................12
10 Description of the Base IPP Documents..........................13
11 Authors' Addresses.............................................15
12 Full Copyright Statement.......................................16
1 Introduction
This document defines four new Job Description attributes for
monitoring job progress to be registered as OPTIONAL extensions to
IPP/1.0 [RFC2566] and IPP/1.1 [RFC2911]. These attributes are drawn
from the PWG Job Monitoring MIB [RFC2707]. See section 10 for a
description of the base IPP documents. The new Job Description
attributes are:
"job-collation-type" (type2 enum)
"sheet-completed-copy-number" (integer(0:MAX))
"sheet-completed-document-number" (integer(0:MAX))
"impressions-completed-current-copy" (integer(0:MAX))
This document also defines a new "sheet-collate" Job Template
attribute to control sheet collation and to help with the
interpretation of the job progress attributes. These new attributes
may also be used by themselves in combination with the IPP/1.1 "job-
impressions-completed" attribute, as useful job progress monitoring
attributes and/or may be passed in an IPP Notification (see [ipp-
ntfy]).
Hastings, et. al. Standards Track [Page 2]
RFC 3381 IPP: Job Progress Attributes September 2002
2 Terminology
This section defines terminology used throughout this document.
2.1 Conformance Terminology
Capitalized terms, such as MUST, MUST NOT, REQUIRED, SHOULD, SHOULD
NOT, MAY, NEED NOT, and OPTIONAL, have special meaning relating to
conformance, as defined in RFC 2119 [RFC2119] and [RFC2911] section
12.1. If an implementation supports the extension defined in this
document, then these terms apply; otherwise, they do not. These
terms define conformance to this document only; they do not affect
conformance to other documents, unless explicitly stated otherwise.
2.2 Other terminology
This document uses terms such as Job object (or Job), IPP Printer
object (or Printer), "operation", "attribute", "keyword", "support",
and "impression". These terms have special meaning and are defined
in the model terminology [RFC2911], section 12.2.
3 Job Template attributes
3.1 sheet-collate (type2 keyword)
+===================+======================+=====================+
| Job Attribute |Printer: Default Value| Printer: Supported |
| | Attribute | Values Attribute |
+===================+======================+=====================+
| sheet-collate | sheet-collate-default| sheet-collate- |
| (type2 keyword) | (type2 keyword) | supported (1setOf |
| | | type2 keyword) |
+-------------------+----------------------+---------------------+
This attribute specifies whether or not the media sheets of each copy
of each printed document in a job are to be in sequence, when
multiple copies of the document are specified by the 'copies'
attribute.
Standard keyword values are:
'uncollated': each print-stream sheet is printed a number of
times in succession equal to the value of the 'copies'
attribute, followed by the next print-stream sheet.
'collated': each copy of each document is printed with the
print-stream sheets in sequence, followed by the next document
copy.
Hastings, et. al. Standards Track [Page 3]
RFC 3381 IPP: Job Progress Attributes September 2002
For example, suppose a document produces two media sheets as output,
and "copies" is equal to '6'. For the 'uncollated' case, six copies
of the first media sheet are printed, followed by six copies of the
second media sheet. For the 'collated' case, one copy of each of the
six sheets is printed, followed by another copy of each of the six
media sheets.
Whether the effect of sheet collation is achieved by placing copies
of a document in multiple output bins, or in the same output bin with
implementation defined document separation, is implementation
dependent. Also whether it is achieved by making multiple passes
over the job or by using an output sorter, is implementation
dependent.
Note: IPP/1.0 [RFC2566] and IPP/1.1 [RFC2911] are silent on whether
or not sheets within documents are collated. The "sheet-collate-
supported" Printer attribute permits a Printer object to indicate
whether or not it collates sheets with each document and whether it
allows the client to control sheet collation. An implementation is
able to indicate that it supports uncollated sheets, collated sheets,
or both, using the 'uncollated', 'collated', or both 'uncollated' and
'collated' values, respectively.
This attribute is affected by "multiple-document-handling". The
"multiple-document-handling" attribute describes the collation of
documents, and the "sheet-collate" attribute describes the semantics
of collating individual pages within a document. To better explain
the interaction between these two attributes, the term "set" is
introduced. A "set" is a logical boundary between the delivered
media sheets of a printed job. For example, in the case of a ten
page single document with collated pages and a request for 50 copies,
each of the 50 printed copies of the document constitutes a "set".
In the above example if the pages were uncollated, then 50 copies of
each of the individual pages within the document would represent each
"set".
Hastings, et. al. Standards Track [Page 4]
RFC 3381 IPP: Job Progress Attributes September 2002
The following table describes the interaction of "sheet-collate" with
multiple document handling.
"sheet- "multiple- Semantics
collate" document-
handling"
'collated' 'single- Each copy of the concatenated
document' documents, with their pages in
sequence, represents a "set".
'collated' 'single- Each copy of the concatenated
document-new- documents, with their pages in
sheet' sequence, represents a "set".
'collated' 'separate- Each copy of each separate
documents- document, with its pages in
collated- sequence, represents a "set".
copies'
'collated' 'separate- Each copy of each separate
documents- document, with its pages in
uncollated- sequence, represents a "set".
copies
'uncollated' 'single- Each media sheet of the document
document' is printed a number of times equal
to the "copies" attribute; which
constitutes a "set".
'uncollated' 'single- Each media sheet of the
document-new- concatenated documents is printed
sheet' a number of times equal to the
"copies" attribute; which
constitutes a "set".
'uncollated' 'separate- This is a degenerate case, and the
documents- printer object MUST reject the job
collated- and return the status, "client-
copies' error-conflicting-attributes".
'uncollated' 'separate- This is a degenerate case, and the
documents- printer object MUST reject the job
uncollated- and return the status "client-
copies error-conflicting-attributes".
Hastings, et. al. Standards Track [Page 5]
RFC 3381 IPP: Job Progress Attributes September 2002
From the above table it is obvious that the implicit value of the
"sheet-collate" attribute in a printer that does not support the
"sheet-collate" attribute, is 'collated.' The semantics of
"multiple-document-handling" are otherwise nonsensical in the case
of separate documents.
4 IPP Job Description attributes for monitoring Job Progress
The following IPP Job Description attributes are proposed to be added
to IPP through the type2 registration procedures. They are useful
for monitoring the progress of a job. They are also used as
attributes in the notification content in a notification report
[ipp-ntfy].
There are a number of Job Description attributes for monitoring the
progress of a job. These objects and attributes count the number of
K octets, impressions, sheets, and pages requested or completed. For
impressions and sheets, "completed" means stacked, unless the
implementation is unable to detect when each sheet is stacked, in
which case, stacked is approximated when the processing of each sheet
is completed. There are objects and attributes for the overall job
and for the current copy of the document currently being stacked.
For the latter, the rate at which the various objects and attributes
count, depends on the sheet and document collation of the job.
Consider the following four Job Description attributes that are used
to monitor the progress of a job's impressions:
1. "job-impressions-completed" - counts the total number of
impressions stacked for the job (see [RFC2911] section
4.3.18.2).
2. "impressions-completed-current-copy" - counts the number of
impressions stacked for the current document copy.
3. "sheet-completed-copy-number" - identifies the number of the
copy for the current document being stacked, where the first
copy is 1.
4. "sheet-completed-document-number" - identifies the current
document within the job that is being stacked, where the first
document in a job is 1. NOTE: this attribute SHOULD NOT be
implemented for implementations that only support one document
per job.
Hastings, et. al. Standards Track [Page 6]
RFC 3381 IPP: Job Progress Attributes September 2002
For each of the three types of job collation, a job with three copies
of two documents (1, 2), where each document consists of 3
impressions, the four variables have the following values, as each
sheet is stacked for one-sided printing:
"job-collation-type" = 'uncollated-sheets(3)'
"job- "impressions- "sheet- "sheet-
impressions- completed- completed- completed-
completed" current-copy" copy-number" document-
number"
0 0 0 0
1 1 1 1
2 1 2 1
3 1 3 1
4 2 1 1
5 2 2 1
6 2 3 1
7 3 1 1
8 3 2 1
9 3 3 1
10 1 1 2
11 1 2 2
12 1 3 2
13 2 1 2
14 2 2 2
15 2 3 2
16 3 1 2
17 3 2 2
18 3 3 2
Hastings, et. al. Standards Track [Page 7]
RFC 3381 IPP: Job Progress Attributes September 2002
"job-collation-type" = 'collated-documents(4)'
"job- "impressions- "sheet- "sheet-
impressions- completed- completed- completed-
completed" current-copy" copy- document-
number" number"
0 0 0 0
1 1 1 1
2 2 1 1
3 3 1 1
4 1 1 2
5 2 1 2
6 3 1 2
7 1 2 1
8 2 2 1
9 3 2 1
10 1 2 2
11 2 2 2
12 3 2 2
13 1 3 1
14 2 3 1
15 3 3 1
16 1 3 2
17 2 3 2
18 3 3 2
Hastings, et. al. Standards Track [Page 8]
RFC 3381 IPP: Job Progress Attributes September 2002
"job-collation-type" = 'uncollated-documents(5)'
"job- "impressions- "sheet- "sheet-
impressions- completed- completed- completed-
completed" current-copy" copy-t document-
number" number"
0 0 0 0
1 1 1 1
2 2 1 1
3 3 1 1
4 1 2 1
5 2 2 1
6 3 2 1
7 1 3 1
8 2 3 1
9 3 3 1
10 1 1 2
11 2 1 2
12 3 1 2
13 1 2 2
14 2 2 2
15 3 2 2
16 1 3 2
17 2 3 2
18 3 3 2
4.1 job-collation-type (type2 enum)
Job Collation includes sheet collation and document collation. Sheet
collation is defined to be the ordering of sheets within a document
copy. Document collation is defined to be the ordering of document
copies within a multi-document job. The value of the "job-
collation-type" is affected by the value of the "sheet-collate" Job
Template attribute (see section 3.1), if supplied and supported.
The Standard enum values are:
'1' 'other': not one of the defined values
'2' 'unknown': the collation type is unknown
'3' 'uncollated-sheets': No collation of the sheets within each
document copy, i.e., each sheet of a document that
is to produce multiple copies, is replicated before
the next sheet in the document is processed and
stacked. If the device has an output bin collator,
the 'uncollated-sheets(3)' value may actually
Hastings, et. al. Standards Track [Page 9]
RFC 3381 IPP: Job Progress Attributes September 2002
produce collated sheets as far as the user is
concerned (in the output bins). However, when the
job collation is the 'uncollated-sheets(3)' value,
job progress is indistinguishable from a monitoring
application between a device that has an output bin
collator and one that does not.
'4' 'collated-documents': Collation of the sheets within each
document copy is performed within the printing
device by making multiple passes over, either the
source or an intermediate representation of the
document. In addition, when there are multiple
documents per job, the i'th copy of each document is
stacked before the j'th copy of each document, i.e.,
the documents are collated within each job copy.
For example, if a job is submitted with documents, A
and B, the job is made available to the end user as:
A, B, A, B, .... The 'collated-documents(4)' value
corresponds to the IPP [RFC2911] 'separate-
documents-collated-copies' keyword value of the
"multiple-document-handling" attribute.
If the job's "copies" attribute is '1' (or not
supplied), then the "job-collation-type" attribute
is defined to be '4'.
'5' 'uncollated-documents': Collation of the sheets within each
document copy is performed within the printing
device by making multiple passes over either the
source or an intermediate representation of the
document. In addition, when there are multiple
documents per job, all copies of the first document
in the job are stacked before any copied of the next
document in the job, i.e., the documents are
uncollated within the job. For example, if a job is
submitted with documents, A and B, the job is made
available to the end user as: A, A, ..., B, B, ....
The 'uncollated-documents(5)' value corresponds to
the IPP [RFC2911] 'separate-documents-uncollated-
copies' keyword value of the "multiple-document-
handling" attribute.
Hastings, et. al. Standards Track [Page 10]
RFC 3381 IPP: Job Progress Attributes September 2002
4.2 sheet-completed-copy-number (integer(0:MAX))
The number of the copy being stacked for the current document. This
number starts at 0, is set to 1 when the first sheet of the first
copy for each document is being stacked and is equal to n where n is
the nth sheet stacked in the current document copy. If the value is
unknown, the Printer MUST return the 'unknown' out-of-band value (see
[RFC2911] section 4.1), rather than the -2 value used in some MIBs
[RFC2707].
4.3 sheet-completed-document-number (integer(0:MAX))
The ordinal number of the document in the job that is currently being
stacked. This number starts at 0, increments to 1 when the first
sheet of the first document in the job is being stacked, and is equal
to n where n is the nth document in the job, starting with 1. If the
value is unknown, the Printer MUST return the 'unknown' out-of-band
value (see [RFC2911] section 4.1), rather than the -2 value used in
some MIBs [RFC2707].
Implementations that only support one document job SHOULD NOT
implement this attribute.
4.4 impressions-completed-current-copy (integer(0:MAX))
The number of impressions completed by the device for the current
copy of the current document so far. For printing, the impressions
completed includes interpreting, marking, and stacking the output.
For other types of job services, the number of impressions completed
includes the number of impressions processed. If the value is
unknown, the Printer MUST return the 'unknown' out-of-band value (see
[RFC2911] section 4.1), rather than the -2 value used in some MIBs
[RFC2707].
This value MUST be reset to 0 for each document in the job and for
each document copy.
5 Conformance Requirements
This section summarizes the Conformance Requirements detailed in the
definitions in this document. In general each of the attributes
defined in this document are OPTIONAL for a client and/or a Printer
to support, so that client and Printer implementers MAY implement any
combination of these attributes.
Hastings, et. al. Standards Track [Page 11]
RFC 3381 IPP: Job Progress Attributes September 2002
6 IANA Considerations
This section contains registration information for IANA to add to the
IPP Registry according to the procedures defined in RFC 2911
[RFC2911], section 6. The resulting registrations will be published
in the http://www.iana.org/assignments/ipp-registrations registry.
6.1 Attributes
Job Template attributes: Ref. Section:
sheet-collate (type2 keyword) RFC 3381 3.1
sheet-default (type2 keyword) RFC 3381 3.1
sheet-supported (1setOf type2 keyword) RFC 3381 3.1
Job Description attributes: Ref. Section:
job-collation-type (type2 enum) RFC 3381 4.1
sheet-completed-copy-number (integer(0:MAX)) RFC 3381 4.2
sheet-completed-document-number (integer(0:MAX))RFC 3381 4.3
impressions-completed-current-copy (integer(0:MAX))
RFC 3381 4.4
6.2 Keyword Attribute Values
The following table provides registration information for all of the
attributes defined in this document that have keyword values. These
keywords are to be registered according to the procedures defined in
RFC 2911 [RFC2911] section 6.1.
sheet-collate (type2 keyword) RFC 3381 3.1
'uncollated' RFC 3381 3.1
'collated' RFC 3381 3.1
sheet-collate-default (type2 keyword) RFC 3381 3.1
See "sheet-collate" attribute
sheet-collate-supported (1setOf type2 keyword) RFC 3381 3.1
See "sheet-collate" attribute
6.3 Enum Attribute Values
The following table provides registration information for all of the
attributes defined in this document that have enum values. These
enums are to be registered according to the procedures defined in RFC
2911 [RFC2911] section 6.1.
job-collation-type (type2 enum) RFC 3381 4.1
'1' 'other' RFC 3381 4.1
'2' 'unknown' RFC 3381 4.1
'3' 'uncollated-sheets' RFC 3381 4.1
'4' 'collated-documents' RFC 3381 4.1
'5' 'uncollated-documents' RFC 3381 4.1
Hastings, et. al. Standards Track [Page 12]
RFC 3381 IPP: Job Progress Attributes September 2002
7 Internationalization Considerations
The IPP extensions defined in this document require the same
internationalization considerations as any of the Job Template and
Job Description attributes defined in IPP/1.1 [RFC2911].
8 Security Considerations
The IPP extensions defined in this document require the same security
considerations as any of the Job Template attributes and Job
Description attributes defined in IPP/1.1 [RFC2911].
9 References
9.1 Normative References
[RFC2910] Herriot, R., Butler, S., Moore, P. and R. Turner,
"Internet Printing Protocol/1.1: Encoding and Transport",
RFC 2910, September 2000.
[RFC2911] Hastings, T., Herriot, R., deBry, R., Isaacson, S. and P.
Powell, "Internet Printing Protocol/1.1: Model and
Semantics", RFC 2911, September 2000.
9.2 Informative References
[RFC2565] Herriot, R., Butler, S., Moore, P. and R. Turner,
"Internet Printing Protocol/1.0: Encoding and Transport",
RFC 2565, April 1999.
[RFC2566] deBry, R., Hastings, T., Herriot, R., Isaacson, S. and P.
Powell, "Internet Printing Protocol/1.0: Model and
Semantics", RFC 2566, April 1999.
[RFC2567] Wright, F.D., "Design Goals for an Internet Printing
Protocol", RFC 2567, April 1999.
[RFC2568] Zilles, S., "Rationale for the Structure and Model and
Protocol for the Internet Printing Protocol", RFC 2568,
April 1999.
[RFC2569] Herriot, R., Hastings, T., Jacobs, N. and J. Martin,
"Mapping between LPD and IPP Protocols", RFC 2569, April
1999.
[RFC2707] Bergman, R., Hastings, T., Isaacson, S. and H. Lewis, "PWG
Job Monitoring MIB - V1", RFC 2707, November 1999.
Hastings, et. al. Standards Track [Page 13]
RFC 3381 IPP: Job Progress Attributes September 2002
[RFC3196] Hastings, T., Manros, C., Zehler, P., Kugler, C. and H.
Holst, "Internet Printing Protocol/1.1: Implementor's
Guide", RFC 3196, November 2001.
[ipp-ntfy] Herriot, R., Hastings, T., et. al., "Internet Printing
Protocol (IPP): Event Notification and Subscriptions",
Work in Progress.
10 Description of the Base IPP Documents
The base set of IPP documents includes:
Design Goals for an Internet Printing Protocol [RFC2567]
Rationale for the Structure and Model and Protocol for the
Internet Printing Protocol [RFC2568]
Internet Printing Protocol/1.1: Model and Semantics [RFC2911]
Internet Printing Protocol/1.1: Encoding and Transport [RFC2910]
Internet Printing Protocol/1.1: Implementer's Guide [RFC3196]
Mapping between LPD and IPP Protocols [RFC2569]
The "Design Goals for an Internet Printing Protocol" document takes a
broad look at distributed printing functionality, and enumerates
real-life scenarios that help to clarify the features that need to be
included in a printing protocol for the Internet. It identifies
requirements for three types of users: end users, operators, and
administrators. It calls out a subset of end user requirements that
are satisfied in IPP/1.0 [RFC2566, RFC2565]. A few OPTIONAL operator
operations have been added to IPP/1.1 [RFC2911, RFC2910].
The "Rationale for the Structure and Model and Protocol for the
Internet Printing Protocol" document describes IPP from a high level
view, defines a roadmap for the various documents that form the suite
of IPP specification documents, and gives background and rationale
for the IETF IPP working group's major decisions.
The "Internet Printing Protocol/1.1: Model and Semantics" document
describes a simplified model with abstract objects, their attributes,
and their operations. The model introduces a Printer and a Job. The
Job supports multiple documents per Job. The model document also
addresses how security, internationalization, and directory issues
are addressed.
The "Internet Printing Protocol/1.1: Encoding and Transport" document
is a formal mapping of the abstract operations and attributes defined
in the model document onto HTTP/1.1 [RFC2616]. It also defines the
encoding rules for a new Internet MIME media type called
"application/ipp". This document also defines the rules for
transporting over HTTP a message body whose Content-Type is
Hastings, et. al. Standards Track [Page 14]
RFC 3381 IPP: Job Progress Attributes September 2002
"application/ipp". This document defines the 'ipp' scheme for
identifying IPP printers and jobs.
The "Internet Printing Protocol/1.1: Implementer's Guide" document
gives insight and advice to implementers of IPP clients and IPP
objects. It is intended to help them understand IPP/1.1 and some of
the considerations that may assist them in the design of their client
and/or IPP object implementations. For example, a typical order of
processing requests is given, including error checking. Motivation
for some of the specification decisions is also included.
The "Mapping between LPD and IPP Protocols" document gives some
advice to implementers of gateways between IPP and LPD (Line Printer
Daemon) implementations.
In addition to the base IPP documents, the "Event Notification
Specification" document [ipp-ntfy] defines OPTIONAL operations that
allow a client to subscribe to printing related events.
Subscriptions include "Per-Job subscriptions" and "Per-Printer
subscriptions". Subscriptions are modeled as Subscription objects.
Four other operations are defined for subscription objects: get
attributes, get subscriptions, renew a subscription, and cancel a
subscription.
Hastings, et. al. Standards Track [Page 15]
RFC 3381 IPP: Job Progress Attributes September 2002
11 Authors' Addresses
Tom Hastings
Xerox Corporation
737 Hawaii St. ESAE 231
El Segundo, CA 90245
Phone: 310-333-6413
Fax: 310-333-5514
EMail: hastings@cp10.es.xerox.com
Harry Lewis
IBM
6300 Diagonal Hwy
Boulder, CO 80301-9191
Phone: (303) 924-5337
EMail: harryl@us.ibm.com
Ron Bergman (Editor)
Hitachi Koki Imaging Solutions
1757 Tapo Canyon Road
Simi Valley, CA 93063-3394
Phone: 805-578-4421
Fax: 805-578-4001
EMail: rbergma@hitachi-hkis.com
IPP Web Page: http://www.pwg.org/ipp/
IPP Mailing List: ipp@pwg.org
To subscribe to the ipp mailing list, send the following email:
1) send it to majordomo@pwg.org
2) leave the subject line blank
3) put the following two lines in the message body:
subscribe ipp
end
Implementers of this specification document are encouraged to join
the IPP Mailing List in order to participate in any discussions of
clarification issues and review of registration proposals for
additional attributes and values. In order to reduce spam, the
mailing list rejects mail from non-subscribers, so you must subscribe
to the mailing list in order to send a question or comment to the
mailing list.
Hastings, et. al. Standards Track [Page 16]
RFC 3381 IPP: Job Progress Attributes September 2002
12 Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Hastings, et. al. Standards Track [Page 17]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+899
Ver Arquivo
@@ -0,0 +1,899 @@
Network Working Group R. Herriot
Request for Comments: 3510 I. McDonald
Updates: 2910 High North Inc.
Category: Standards Track April 2003
Internet Printing Protocol/1.1:
IPP URL Scheme
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This memo defines the "ipp" URL (Uniform Resource Locator) scheme.
This memo updates IPP/1.1: Encoding and Transport (RFC 2910), by
expanding and clarifying Section 5, "IPP URL Scheme", of RFC 2910.
An "ipp" URL is used to specify the network location of a print
service that supports the IPP Protocol (RFC 2910), or of a network
resource (for example, a print job) managed by such a print service.
Table of Contents
1. Introduction ............................................... 2
2. Terminology ................................................ 3
2.1. Conformance Terminology .............................. 3
2.2. Model Terminology .................................... 3
3. IPP Model for Printers and Jobs ............................ 3
4. IPP URL Scheme ............................................. 4
4.1. IPP URL Scheme Applicability ......................... 4
4.2. IPP URL Scheme Associated Port ....................... 4
4.3. IPP URL Scheme Associated MIME Type .................. 5
4.4. IPP URL Scheme Character Encoding .................... 5
4.5. IPP URL Scheme Syntax ................................ 5
4.6. IPP URL Examples ..................................... 6
4.6.1. IPP Printer URL Examples ..................... 6
4.6.2. IPP Job URL Examples ......................... 6
4.7. IPP URL Comparisons .................................. 7
Herriot & McDonald Standards Track [Page 1]
RFC 3510 IPP URL Scheme April 2003
5. Conformance Requirements ................................... 8
5.1. IPP Client Conformance Requirements .................. 8
5.2. IPP Printer Conformance Requirements ................. 8
6. IANA Considerations ........................................ 9
7. Internationalization Considerations ........................ 9
8. Security Considerations .................................... 9
9. Intellectual Property Rights ............................... 10
10. Normative References ....................................... 11
11. Informative References ..................................... 11
12. Acknowledgments ............................................ 12
Appendix A - Registration of "ipp" URL Scheme .................. 13
Authors' Addresses ............................................. 15
Full Copyright Statement ....................................... 16
1. Introduction
This memo conforms to all of the requirements in Registration
Procedures for URL Scheme Names [RFC2717]. This memo also follows
all of the recommendations in Guidelines for new URL Schemes
[RFC2718].
See section 1, "Introduction", of [RFC2911] and section 1,
"Introduction", of [RFC3196] for overview information about IPP. See
section 10, "Description of the Base IPP Documents", of [RFC3196] for
a full description of the IPP document set.
This memo updates IPP/1.1: Encoding and Transport (RFC 2910), by
expanding and clarifying Section 5, "IPP URL Scheme", of RFC 2910,
but does not define any new parameters or other new extensions to the
syntax of IPP URLs.
The IPP URL scheme defined in this document is based on the ABNF for
the HTTP URL scheme defined in HTTP [RFC2616], which in turn is
derived from the URI Generic Syntax [RFC2396] and further updated for
IPv6 by [RFC2732]. An IPP URL is transformed into an HTTP URL
according to the rules specified in section 5 of IPP Protocol
[RFC2910].
This document defines IPP URL scheme applicability, associated port
(631), associated MIME type ("application/ipp"), character encoding,
and syntax.
This document is laid out as follows:
- Section 2 defines the terminology used throughout the document.
- Section 3 supplies references to the IPP Printer and IPP Job
object model defined in IPP Model [RFC2911].
Herriot & McDonald Standards Track [Page 2]
RFC 3510 IPP URL Scheme April 2003
- Section 4 specifies the IPP URL scheme.
- Section 5 specifies the conformance requirements for IPP Clients
and IPP Printers that claim conformance to this document.
- Sections 6, 7, and 8 specify IANA, internationalization, and
security considerations.
- Sections 9, 10, 11, 12, and 13 specify normative references,
informative references, acknowledgements, authors' addresses, and
full IETF copyright statement.
- Section 14 (Appendix A) is a completed registration template for
the IPP URL Scheme (see section 6.0 of [RFC2717]).
2. Terminology
This specification document uses the terminology defined in this
section.
2.1. Conformance Terminology
The uppercase terms "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT" "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119]. These terms are used to specify conformance
requirements for all implementations (both print clients and print
services) of this specification.
2.2. Model Terminology
See section 12.2, "Model Terminology", in IPP Model [RFC2911].
3. IPP Model for Printers and Jobs
See section 2, "IPP Objects", section 2.1, "Printer Object", and
section 2.2, "Job Object", in [RFC2911] for a full description of
the IPP object model and terminology.
In this document, "IPP Client" means the software (on some
hardware platform) that submits, monitors, and/or manages print
jobs via the IPP Protocol [RFC2910] to a print spooler, print
gateway, or physical printing device.
Herriot & McDonald Standards Track [Page 3]
RFC 3510 IPP URL Scheme April 2003
In this document, "IPP Printer object" means the software (on some
hardware platform) that receives print jobs and/or printer/job
operations via the IPP Protocol [RFC2910] from an "IPP Client".
In this document, "IPP Printer" is a synonym for "IPP Printer
object".
In this document, "IPP Job object" means the set of attributes and
documents for one print job instantiated on an "IPP Printer".
In this document, "IPP Job" is a synonym for "IPP Job object".
In this document, "IPP URL" means a URL with the "ipp" scheme.
Note: In this document, "IPP URL" is a synonym for "ipp-URL" (in
section 4, "IPP URL Scheme", of this document) and "ipp-URL" (in
section 5, "IPP URL Scheme", of [RFC2910]).
4. IPP URL Scheme
4.1. IPP URL Scheme Applicability
The "ipp" URL scheme MUST only be used to specify absolute URLs
(relative IPP URLs are not allowed) for IPP print services and
their associated network resources. The "ipp" URL scheme MUST
only be used to specify the use of the abstract protocol defined
in IPP Model [RFC2911] over an HTTP [RFC2616] transport, as
defined in IPP Protocol [RFC2910]. Any other transport binding
for the abstract protocol defined in IPP Model [RFC2911] would
require a different URL scheme.
The "ipp" URL scheme allows an IPP client to choose an appropriate
IPP print service (for example, from a directory). The IPP client
can establish an HTTP connection to the specified IPP print
service. The IPP client can send IPP protocol requests (for
example, a "Print-Job" request) and receive IPP protocol responses
over that HTTP connection.
4.2. IPP URL Scheme Associated Port
All IPP URLs which do NOT explicitly specify a port MUST be
resolved to IANA-assigned well-known port 631, as registered in
[IANA-PORTREG].
See: IANA Port Numbers Registry [IANA-PORTREG].
See: IPP Protocol [RFC2910].
Herriot & McDonald Standards Track [Page 4]
RFC 3510 IPP URL Scheme April 2003
4.3. IPP URL Scheme Associated MIME Type
All IPP URLs MUST be used to specify network print services which
support the "application/ipp" MIME media type as registered in
[IANA-MIMEREG] for IPP protocol requests and responses.
See: IANA MIME Media Types Registry [IANA-MIMEREG].
See: IPP Protocol [RFC2910].
4.4. IPP URL Scheme Character Encoding
IPP URLs MUST use [RFC2396] encoding, as do their equivalent HTTP
URLs. Characters other than those in the "reserved" and "unsafe"
sets [RFC2396] are equivalent to their ""%" HEX HEX" encoding.
4.5. IPP URL Scheme Syntax
The abstract protocol defined in IPP Model [RFC2911] places a
limit of 1023 octets (NOT characters) on the length of a URI (see
section 4.1.5, "uri", in [RFC2911]).
Note: IPP Printers ought to be cautious about depending on URI
lengths above 255 bytes, because some older client implementations
might not properly support these lengths.
IPP URLs MUST be represented in absolute form. Absolute URLs MUST
always begin with a scheme name followed by a colon. For definitive
information on URL syntax and semantics, see "Uniform Resource
Identifiers (URI): Generic Syntax and Semantics" [RFC2396]. This
specification adopts the definitions of "host", "port", "abs_path",
and "query" from [RFC2396], as updated for IPv6 by [RFC2732].
The IPP URL scheme syntax in ABNF is as follows:
ipp-URL = "ipp:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
If the port is empty or not given, port 631 is assumed. The
semantics are that the identified resource (see section 5.1.2 of
[RFC2616]) is located at the IPP print service listening for HTTP
connections on that port of that host, and the Request-URI for the
identified resource is 'abs_path'.
If the 'abs_path' is not present in the URL, it MUST be given as "/"
when used as a Request-URI for a resource (see section 5.1.2 of
[RFC2616]).
Herriot & McDonald Standards Track [Page 5]
RFC 3510 IPP URL Scheme April 2003
4.6. IPP URL Examples
Note: Literal IPv4 or IPv6 addresses SHOULD NOT be used in IPP URLs.
4.6.1. IPP Printer URL Examples
The following are examples of well-formed IPP URLs for IPP Printers
(for example, to be used as protocol elements in 'printer-uri'
operation attributes of 'Print-Job' request messages):
ipp://example.com
ipp://example.com/printer
ipp://example.com/printer/tiger
ipp://example.com/printer/fox
ipp://example.com/printer/tiger/bob
ipp://example.com/printer/tiger/ira
Each of the above URLs are well-formed URLs for IPP Printers and each
would reference a logically different IPP Printer, even though some
of those IPP Printers might share the same host system. The 'bob' or
'ira' last path components might represent two different physical
printer devices, while 'tiger' might represent some grouping of IPP
Printers (for example, a load-balancing spooler). Or the 'bob' and
'ira' last path components might represent separate human recipients
on the same physical printer device (for example, a physical printer
supporting two job queues). In either case, both 'bob' and 'ira'
would behave as different and independent IPP Printers.
The following are examples of well-formed IPP URLs for IPP Printers
with (optional) ports and paths:
ipp://example.com
ipp://example.com/~smith/printer
ipp://example.com:631/~smith/printer
The first and second IPP URLs above MUST be resolved to port 631
(IANA assigned well-known port for IPP). The second and third IPP
URLs above are equivalent (see section 4.7 below).
4.6.2. IPP Job URL Examples
The following are examples of well-formed IPP URLs for IPP Jobs (for
example, to be used as protocol elements in 'job-uri' attributes of
'Print-Job' response messages):
ipp://example.com/printer/123
ipp://example.com/printer/tiger/job123
Herriot & McDonald Standards Track [Page 6]
RFC 3510 IPP URL Scheme April 2003
IPP Job URLs are valid and meaningful only until Job completion and
possibly an implementation defined optional period of persistence
after Job completion (see IPP Model [RFC2911]).
Ambiguously, section 4.3.1 'job-uri' of IPP Model [RFC2911] states
that:
"the precise format of a Job URI is implementation dependent."
Thus, the relationship between the value of the "printer-uri"
operation attribute used in a 'Print-Job' request and the value of
the "job-uri" attribute returned in the corresponding 'Print-Job'
response is implementation dependent. Also, section 4.3.3 'job-
printer-uri' of IPP Model [RFC2911] states that the 'job-printer-uri'
attribute of a Job object:
"permits a client to identify the Printer object that created this
Job object when only the Job object's URI is available to the
client."
However, the above statement is false, because the transform from an
IPP Job URL to the corresponding IPP Printer URL is unspecified in
either IPP Model [RFC2911] or IPP Protocol [RFC2910].
IPP Printers that conform to this specification SHOULD only generate
IPP Job URLs (for example, in the "job-uri" attribute in a 'Print-
Job' response) by appending exactly one path component to the
corresponding IPP Printer URL (for interoperability).
4.7. IPP URL Comparisons
When comparing two IPP URLs to decide if they match or not, an IPP
Client MUST use the same rules as those defined for HTTP URI
comparisons in [RFC2616], with the sole following exception:
- A port that is empty or not given MUST be treated as equivalent to
the well-known port for that IPP URL (port 631);
See: Section 3.2.3, "URI Comparison", in [RFC2616].
Herriot & McDonald Standards Track [Page 7]
RFC 3510 IPP URL Scheme April 2003
5. Conformance Requirements
5.1. IPP Client Conformance Requirements
IPP Clients that conform to this specification:
a) MUST only send IPP protocol connections to the port specified in
each given IPP URL (if present) or otherwise to IANA assigned
well-known port 631;
b) MUST only send IPP URLs used as protocol elements in outgoing IPP
protocol request messages (for example, in the "printer-uri"
operation attribute in a 'Print-Job' request) that conform to the
ABNF specified in section 4.5, "IPP URL Scheme Syntax, of this
document;
c) MUST only convert IPP URLs to their corresponding HTTP URL forms
according to the rules in section 5, "IPP URL Scheme", in
[RFC2910].
5.2. IPP Printer Conformance Requirements
IPP Printers that conform to this specification:
a) MUST listen for incoming IPP protocol connections on IANA-assigned
well-known port 631, unless explicitly configured by system
administrators or site policies;
b) SHOULD NOT listen for incoming IPP protocol connections on any
other port, unless explicitly configured by system administrators
or site policies;
c) SHOULD only accept IPP URLs used as protocol elements in incoming
IPP protocol request messages (for example, in the "printer-uri"
operation attribute in a 'Print-Job' request) that conform to the
ABNF specified in section 4.5, "IPP URL Scheme Syntax", of this
document;
d) SHOULD only send IPP URLs used as protocol elements in outgoing
IPP protocol response messages (for example, in the "job-uri"
attribute in a 'Print-Job' response) that conform to the ABNF
specified in section 4.5, "IPP URL Scheme Syntax", of this
document;
e) SHOULD only generate IPP Job URLs (for example, in the "job-uri"
attribute in a 'Print-Job' response) by appending exactly one path
component to the corresponding IPP Printer URL (for
interoperability);
Herriot & McDonald Standards Track [Page 8]
RFC 3510 IPP URL Scheme April 2003
f) SHOULD NOT use literal IPv6 or IPv4 addresses in configured or
locally generated IPP URLs.
6. IANA Considerations
This IPP URL Scheme specification does not introduce any additional
IANA considerations, beyond those described in [RFC2910] and
[RFC2911].
See: Section 6, "IANA Considerations" in [RFC2910]
See: Section 6, "IANA Considerations" in [RFC2911].
7. Internationalization Considerations
This IPP URL Scheme specification does not introduce any additional
internationalization considerations, beyond those described in
[RFC2910] and [RFC2911].
See: Section 7, "Internationalization Considerations", in [RFC2910].
See: Section 7, "Internationalization Considerations", in [RFC2911].
8. Security Considerations
This IPP URL Scheme specification does not introduce any additional
security considerations, beyond those described in [RFC2910] and
[RFC2911], except the following:
a) An IPP URL might be faked to point to a rogue IPP print service,
thus collecting confidential document contents from IPP clients.
Server authentication mechanisms and security mechanisms specified
in the IPP Protocol [RFC2910] are sufficient to address this
threat.
b) An IPP URL might be used to access an IPP print service by an
unauthorized IPP client. Client authentication mechanisms and
security mechanisms specified in the IPP Protocol [RFC2910] are
sufficient to address this threat.
c) An IPP URL might be used to access an IPP print service at a print
protocol application layer gateway (for example, an IPP to LPD
gateway [RFC2569]) causing silent compromise of IPP security
mechanisms. There is no practical defense against this threat by
a client system. System administrators should avoid such
compromising configurations.
d) An IPP URL does not have parameters to specify the required client
authentication mechanism (for example, 'certificate' as defined in
section 4.4.2, "uri-authentication-supported", of IPP Model
Herriot & McDonald Standards Track [Page 9]
RFC 3510 IPP URL Scheme April 2003
[RFC2911]) and required security mechanism (for example, 'tls' as
defined in section 4.4.3, "uri-security-supported", of IPP Model
[RFC2911]). Service discovery or directory protocols might be
used to discover the required client authentication and security
mechanisms associated with given IPP URLs.
Historical Note: During the development of this document,
consideration was given to the addition of standard IPP URL
parameters for the client authentication and security mechanisms.
However, based on a strong IETF IPP Working Group consensus, no
parameters were added to the "ipp" URL scheme as originally defined
in IPP Protocol [RFC2910] in September 2000, for reasons of backwards
compatibility with the many currently shipping implementations of
IPP/1.1.
See: Section 8, "Security Considerations", in [RFC2910].
See: Section 8, "Security Considerations", in [RFC2911].
9. Intellectual Property Rights
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Herriot & McDonald Standards Track [Page 10]
RFC 3510 IPP URL Scheme April 2003
10. Normative References
[RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
[RFC2396] Berners-Lee, T., Fielding, R. and L. Masinter,
"Uniform Resource Identifiers (URI): Generic Syntax",
RFC 2396, August 1998.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P. and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2732] Hinden, R., Carpenter, B. and L. Masinter, "Format for
Literal IPv6 Addresses in URL's", RFC 2732, December
1999.
[RFC2910] Herriot, R., Butler, S., Moore, P., Turner, R. and J.
Wenn, "IPP/1.1 Encoding and Transport [IPP Protocol]",
RFC 2910, September 2000.
[RFC2911] Hastings, T., Herriot, R., deBry, R., Isaacson, S. and
P. Powell, "IPP/1.1 Model and Semantics [IPP Model]",
RFC 2911, September 2000.
[US-ASCII] Coded Character Set -- 7-bit American Standard Code
for Information Interchange, ANSI X3.4-1986.
11. Informative References
[IANA-MIMEREG] IANA MIME Media Types Registry.
ftp://ftp.iana.org/in-notes/iana/assignments/media-
types/...
[IANA-PORTREG] IANA Port Numbers Registry. ftp://ftp.iana.org/in-
notes/iana/assignments/port-numbers
[RFC2569] Herriot, R., Hastings, T., Jacobs, N. and J. Martin,
"Mapping between LPD and IPP Protocols", RFC 2569,
April 1999.
[RFC2717] Petke, R. and I. King, "Registration Procedures for
URL Scheme Names", RFC 2717, November 1999.
[RFC2718] Masinter, L., Alvestrand, H., Zigmond, D. and R.
Petke, "Guidelines for new URL Schemes", RFC 2718,
November 1999.
Herriot & McDonald Standards Track [Page 11]
RFC 3510 IPP URL Scheme April 2003
[RFC3196] Hastings, T., Manros, C., Zehler, P., Kugler, C. and
H. Holst, "Internet Printing Protocol/1.1:
Implementor's Guide", RFC 3196, November 2001.
12. Acknowledgments
This document is a product of the Internet Printing Protocol Working
Group of the Internet Engineering Task Force (IETF).
Thanks to Pat Fleming (IBM), Tom Hastings (Xerox), Harry Lewis (IBM),
Hugo Parra (Novell), Don Wright (Lexmark), and all the members of the
IETF IPP WG.
Section 5, "IPP URL Scheme", in IPP Protocol [RFC2910] was the
primary input to this IPP URL Scheme specification.
Herriot & McDonald Standards Track [Page 12]
RFC 3510 IPP URL Scheme April 2003
Appendix A - Registration of "ipp" URL Scheme
Note: The following registration obsoletes section 5, "IPP URL
Scheme", of IPP Protocol [RFC2911].
URL Scheme Name: ipp
URL Scheme Syntax:
ipp-URL = "ipp:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
Character Encoding Considerations:
IPP URLs MUST use [RFC2396] encoding, as do their equivalent HTTP
URLs. Characters other than those in the "reserved" and "unsafe"
sets [RFC2396] are equivalent to their ""%" HEX HEX" encoding.
Intended Usage:
The intended usage of the "ipp" URL scheme is COMMON.
An "ipp" URL is used to specify the network location of a print
service that supports the IPP Protocol [RFC2910], or of a network
resource (for example, a print job) managed by such a print
service. An IPP client can choose to establish an HTTP connection
to the specified print service for transmission of IPP protocol
requests (for example, IPP print job submission requests).
Applications or Protocols which use this URL scheme:
See: Section 5, "IPP URL Scheme", in IPP Protocol [RFC2910].
Interoperability Considerations:
See: Section 9, "Interoperability with IPP/1.0 Implementations",
in IPP Protocol [RFC2910].
Security Considerations:
See: Section 8, "Security Considerations", in IPP Protocol
[RFC2910].
Relevant Publications:
[RFC2910] Herriot, R., Butler, S., Moore, P., Turner, R. and J. Wenn,
"IPP/1.1 Encoding and Transport [IPP Protocol]", RFC 2910,
September 2000.
Herriot & McDonald Standards Track [Page 13]
RFC 3510 IPP URL Scheme April 2003
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter,
L., Leach, P. and T. Berners-Lee, "Hypertext Transfer
Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC3510] Herriot, R. and I. McDonald, "IPP/1.1: IPP URL Scheme", RFC
3510, April 2003.
Person & email address to contact for further information:
Robert Herriot
Consultant
706 Colorado Ave
Palo Alto, CA 94303
Phone: +1 650-327-4466
EMail: bob@herriot.com
Ira McDonald
High North Inc
221 Ridge Ave
Grand Marais, MI 49839
Phone: +1 906-494-2434
EMail: imcdonald@sharplabs.com
Herriot & McDonald Standards Track [Page 14]
RFC 3510 IPP URL Scheme April 2003
Authors' Addresses
Robert Herriot
Consultant
706 Colorado Ave
Palo Alto, CA 94303
Phone: +1 650-327-4466
EMail: bob@herriot.com
Ira McDonald
High North Inc
221 Ridge Ave
Grand Marais, MI 49839
Phone: +1 906-494-2434
EMail: imcdonald@sharplabs.com
Usage questions and comments on this IPP URL Scheme should be sent
directly to the editors at their above addresses (and to the IPP
mailing list, if you are a subscriber - see below).
IPP Web Page: http://www.pwg.org/ipp/
IPP Mailing List: ipp@pwg.org
To subscribe to the IPP mailing list, send the following email:
1) send it to majordomo@pwg.org
2) leave the subject line blank
3) put the following two lines in the message body: subscribe ipp
Implementers of this specification are encouraged to join the IPP
Mailing List in order to participate in any discussions of
clarification issues and comments. In order to reduce spam the
mailing list rejects mail from non-subscribers, so you must subscribe
to the mailing list in order to send a question or comment to the IPP
mailing list.
Herriot & McDonald Standards Track [Page 15]
RFC 3510 IPP URL Scheme April 2003
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Herriot & McDonald Standards Track [Page 16]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+787
Ver Arquivo
@@ -0,0 +1,787 @@
Network Working Group I. McDonald
Request for Comments: 3808 High North
Category: Informational June 2004
IANA Charset MIB
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2004).
Abstract
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
This IANA Charset MIB is now an IANA registry. In particular, a
single textual convention 'IANACharset' is defined that may be used
to specify charset labels in MIB objects. 'IANACharset' was
extracted from Printer MIB v2 (RFC 3805). 'IANACharset' was
originally defined (and mis-named) as 'CodedCharSet' in Printer MIB
v1 (RFC 1759). A tool has been written in C, that may be used by
IANA to regenerate this IANA Charset MIB, when future charsets are
registered in accordance with the IANA Charset Registration
Procedures (RFC 2978).
Table of Contents
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conformance Terminology . . . . . . . . . . . . . . . . 2
1.2. Charset Terminology . . . . . . . . . . . . . . . . . . 2
2. The Internet-Standard Management Framework. . . . . . . . . . 2
3. Generation of IANA Charset MIB. . . . . . . . . . . . . . . . 3
4. Definition of IANA Charset MIB. . . . . . . . . . . . . . . . 3
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6. Internationalization Considerations . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11
8. Acknowledgements. . . . . . . . . . . . . . . . . . . . . . . 11
9. References. . . . . . . . . . . . . . . . . . . . . . . . . . 11
9.1. Normative References. . . . . . . . . . . . . . . . . . 11
9.2. Informative References. . . . . . . . . . . . . . . . . 12
10. Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . 13
11. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 14
McDonald Informational [Page 1]
RFC 3808 IANA Charset MIB June 2004
1. Introduction
This IANA Charset MIB [CHARMIB] module defines the single textual
convention 'IANACharset'. Once adopted, all future versions of the
IANA Charset MIB [CHARMIB] may be machine-generated whenever the IANA
Charset Registry [CHARSET] is updated by IANA staff according to the
procedures defined in [RFC2978], using the utility [CHARGEN]
described in section 3 of this document or any other machine-
generation method.
It is strongly recommended that future updates to the IANA Charset
MIB [CHARMIB] be machine-generated (rather than hand-edited) to avoid
asynchrony between the IANA Charset Registry [CHARSET] and the IANA
Charset MIB [CHARMIB].
Note: Questions and comments on this IANA Charset MIB [CHARMIB]
should be sent to the editor (imcdonald@sharplabs.com) and IANA
(iana@iana.org) with a copy to the IETF Charsets mailing list (ietf-
charset@iana.org).
1.1. Conformance Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119
[RFC2119].
1.2. Charset Terminology
The following terms are used in this specification, exactly as
defined in section 1 'Definitions and Notation' of the IANA Charset
Registration Procedures [RFC2978]: "character", "charset", "coded
character set (CCS)", and "character encoding scheme (CES)".
2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580
[RFC2580].
McDonald Informational [Page 2]
RFC 3808 IANA Charset MIB June 2004
3. Generation of IANA Charset MIB
Intellectual Property: The C language utility 'ianachar.c' [CHARGEN]
and the IANA Charset MIB template file [CHARTEMP] are hereby donated
by the author (Ira McDonald) to IANA, in perpetuity, free of license
or any other restraint.
The [CHARGEN] utility may be used to generate an updated version of
the 'IANACharset' textual convention by reading and parsing the
(currently plaintext) IANA Charset Registry [CHARSET].
This utility parses each charset registration, finding (in order):
1) The 'Name' field (which is saved for a fallback - see below);
2) The 'MIBenum' field (which contains the IANA-assigned positive
decimal enum value); and
3) The (usually present) 'Alias' field that begins with 'cs' (that
contains the IANA-assigned enum label). If an 'Alias' field is
not found, the utility constructs one from the 'Name' field by:
- Beginning the enum label with a lowercase 'cs' prefix;
- Copying _only_ alpha/numeric characters from the 'Name' field
to the enum label (ignoring punctuation, whitespace, etc.).
4. Definition of IANA Charset MIB
IANA-CHARSET-MIB DEFINITIONS ::= BEGIN
-- http://www.iana.org/assignments/ianacharset-mib
IMPORTS
MODULE-IDENTITY,
mib-2
FROM SNMPv2-SMI -- [RFC2578]
TEXTUAL-CONVENTION
FROM SNMPv2-TC; -- [RFC2579]
ianaCharsetMIB MODULE-IDENTITY
LAST-UPDATED "200406080000Z"
ORGANIZATION "IANA"
CONTACT-INFO " Internet Assigned Numbers Authority
Postal: ICANN
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292
McDonald Informational [Page 3]
RFC 3808 IANA Charset MIB June 2004
Tel: +1 310 823 9358
E-Mail: iana@iana.org"
DESCRIPTION "This MIB module defines the IANACharset
TEXTUAL-CONVENTION. The IANACharset TC is used to
specify the encoding of string objects defined in
a MIB.
Each version of this MIB will be released based on
the IANA Charset Registry file (see RFC 2978) at
http://www.iana.org/assignments/character-sets.
Note: The IANACharset TC, originally defined in
RFC 1759, was inaccurately named CodedCharSet.
Note: Best practice is to define new MIB string
objects with invariant UTF-8 (RFC 3629) syntax
using the SnmpAdminString TC (defined in RFC 3411)
in accordance with IETF Policy on Character Sets and
Languages (RFC 2277).
Copyright (C) The Internet Society (2004). The
initial version of this MIB module was published
in RFC 3808; for full legal notices see the RFC
itself. Supplementary information may be
available on
http://www.ietf.org/copyrights/ianamib.html."
-- revision history
REVISION "200406080000Z"
DESCRIPTION "Original version transferred from Printer MIB,
generated from the IANA maintained assignments
http://www.iana.org/assignments/character-sets."
::= { mib-2 106 }
IANACharset ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Specifies an IANA registered 'charset' - coded character set
(CCS) plus optional character encoding scheme (CES) - terms
defined in 'IANA Charset Registration Procedures' (RFC 2978).
Objects of this syntax are used to specify the encoding for
string objects defined in one or more MIBs. For example, the
prtLocalizationCharacterSet, prtInterpreterDefaultCharSetIn, and
prtInterpreterDefaultCharSetOut objects defined in Printer MIB.
McDonald Informational [Page 4]
RFC 3808 IANA Charset MIB June 2004
The current list of 'charset' names and enumerated values
is contained in the IANA Character Set Registry at:
http://www.iana.org/assignments/character-sets
Enum names are derived from the IANA Charset Registry 'Alias'
fields that begin with 'cs' (for character set).
Enum values are derived from the parallel 'MIBenum' fields."
SYNTAX INTEGER {
other(1), -- used if the designated
-- character set is not currently
-- registered by IANA
unknown(2), -- used as a default value
csASCII(3),
csISOLatin1(4),
csISOLatin2(5),
csISOLatin3(6),
csISOLatin4(7),
csISOLatinCyrillic(8),
csISOLatinArabic(9),
csISOLatinGreek(10),
csISOLatinHebrew(11),
csISOLatin5(12),
csISOLatin6(13),
csISOTextComm(14),
csHalfWidthKatakana(15),
csJISEncoding(16),
csShiftJIS(17),
csEUCPkdFmtJapanese(18),
csEUCFixWidJapanese(19),
csISO4UnitedKingdom(20),
csISO11SwedishForNames(21),
csISO15Italian(22),
csISO17Spanish(23),
csISO21German(24),
csISO60DanishNorwegian(25),
csISO69French(26),
csISO10646UTF1(27),
csISO646basic1983(28),
csINVARIANT(29),
csISO2IntlRefVersion(30),
csNATSSEFI(31),
csNATSSEFIADD(32),
csNATSDANO(33),
csNATSDANOADD(34),
csISO10Swedish(35),
csKSC56011987(36),
csISO2022KR(37),
McDonald Informational [Page 5]
RFC 3808 IANA Charset MIB June 2004
csEUCKR(38),
csISO2022JP(39),
csISO2022JP2(40),
csISO13JISC6220jp(41),
csISO14JISC6220ro(42),
csISO16Portuguese(43),
csISO18Greek7Old(44),
csISO19LatinGreek(45),
csISO25French(46),
csISO27LatinGreek1(47),
csISO5427Cyrillic(48),
csISO42JISC62261978(49),
csISO47BSViewdata(50),
csISO49INIS(51),
csISO50INIS8(52),
csISO51INISCyrillic(53),
csISO54271981(54),
csISO5428Greek(55),
csISO57GB1988(56),
csISO58GB231280(57),
csISO61Norwegian2(58),
csISO70VideotexSupp1(59),
csISO84Portuguese2(60),
csISO85Spanish2(61),
csISO86Hungarian(62),
csISO87JISX0208(63),
csISO88Greek7(64),
csISO89ASMO449(65),
csISO90(66),
csISO91JISC62291984a(67),
csISO92JISC62991984b(68),
csISO93JIS62291984badd(69),
csISO94JIS62291984hand(70),
csISO95JIS62291984handadd(71),
csISO96JISC62291984kana(72),
csISO2033(73),
csISO99NAPLPS(74),
csISO102T617bit(75),
csISO103T618bit(76),
csISO111ECMACyrillic(77),
csa71(78),
csa72(79),
csISO123CSAZ24341985gr(80),
csISO88596E(81),
csISO88596I(82),
csISO128T101G2(83),
csISO88598E(84),
csISO88598I(85),
McDonald Informational [Page 6]
RFC 3808 IANA Charset MIB June 2004
csISO139CSN369103(86),
csISO141JUSIB1002(87),
csISO143IECP271(88),
csISO146Serbian(89),
csISO147Macedonian(90),
csISO150(91),
csISO151Cuba(92),
csISO6937Add(93),
csISO153GOST1976874(94),
csISO8859Supp(95),
csISO10367Box(96),
csISO158Lap(97),
csISO159JISX02121990(98),
csISO646Danish(99),
csUSDK(100),
csDKUS(101),
csKSC5636(102),
csUnicode11UTF7(103),
csISO2022CN(104),
csISO2022CNEXT(105),
csUTF8(106),
csISO885913(109),
csISO885914(110),
csISO885915(111),
csISO885916(112),
csGBK(113),
csGB18030(114),
csOSDEBCDICDF0415(115),
csOSDEBCDICDF03IRV(116),
csOSDEBCDICDF041(117),
csUnicode(1000),
csUCS4(1001),
csUnicodeASCII(1002),
csUnicodeLatin1(1003),
csUnicodeIBM1261(1005),
csUnicodeIBM1268(1006),
csUnicodeIBM1276(1007),
csUnicodeIBM1264(1008),
csUnicodeIBM1265(1009),
csUnicode11(1010),
csSCSU(1011),
csUTF7(1012),
csUTF16BE(1013),
csUTF16LE(1014),
csUTF16(1015),
csCESU8(1016),
csUTF32(1017),
csUTF32BE(1018),
McDonald Informational [Page 7]
RFC 3808 IANA Charset MIB June 2004
csUTF32LE(1019),
csBOCU1(1020),
csWindows30Latin1(2000),
csWindows31Latin1(2001),
csWindows31Latin2(2002),
csWindows31Latin5(2003),
csHPRoman8(2004),
csAdobeStandardEncoding(2005),
csVenturaUS(2006),
csVenturaInternational(2007),
csDECMCS(2008),
csPC850Multilingual(2009),
csPCp852(2010),
csPC8CodePage437(2011),
csPC8DanishNorwegian(2012),
csPC862LatinHebrew(2013),
csPC8Turkish(2014),
csIBMSymbols(2015),
csIBMThai(2016),
csHPLegal(2017),
csHPPiFont(2018),
csHPMath8(2019),
csHPPSMath(2020),
csHPDesktop(2021),
csVenturaMath(2022),
csMicrosoftPublishing(2023),
csWindows31J(2024),
csGB2312(2025),
csBig5(2026),
csMacintosh(2027),
csIBM037(2028),
csIBM038(2029),
csIBM273(2030),
csIBM274(2031),
csIBM275(2032),
csIBM277(2033),
csIBM278(2034),
csIBM280(2035),
csIBM281(2036),
csIBM284(2037),
csIBM285(2038),
csIBM290(2039),
csIBM297(2040),
csIBM420(2041),
csIBM423(2042),
csIBM424(2043),
csIBM500(2044),
csIBM851(2045),
McDonald Informational [Page 8]
RFC 3808 IANA Charset MIB June 2004
csIBM855(2046),
csIBM857(2047),
csIBM860(2048),
csIBM861(2049),
csIBM863(2050),
csIBM864(2051),
csIBM865(2052),
csIBM868(2053),
csIBM869(2054),
csIBM870(2055),
csIBM871(2056),
csIBM880(2057),
csIBM891(2058),
csIBM903(2059),
csIBBM904(2060),
csIBM905(2061),
csIBM918(2062),
csIBM1026(2063),
csIBMEBCDICATDE(2064),
csEBCDICATDEA(2065),
csEBCDICCAFR(2066),
csEBCDICDKNO(2067),
csEBCDICDKNOA(2068),
csEBCDICFISE(2069),
csEBCDICFISEA(2070),
csEBCDICFR(2071),
csEBCDICIT(2072),
csEBCDICPT(2073),
csEBCDICES(2074),
csEBCDICESA(2075),
csEBCDICESS(2076),
csEBCDICUK(2077),
csEBCDICUS(2078),
csUnknown8BiT(2079),
csMnemonic(2080),
csMnem(2081),
csVISCII(2082),
csVIQR(2083),
csKOI8R(2084),
csHZGB2312(2085),
csIBM866(2086),
csPC775Baltic(2087),
csKOI8U(2088),
csIBM00858(2089),
csIBM00924(2090),
csIBM01140(2091),
csIBM01141(2092),
csIBM01142(2093),
McDonald Informational [Page 9]
RFC 3808 IANA Charset MIB June 2004
csIBM01143(2094),
csIBM01144(2095),
csIBM01145(2096),
csIBM01146(2097),
csIBM01147(2098),
csIBM01148(2099),
csIBM01149(2100),
csBig5HKSCS(2101),
csIBM1047(2102),
csPTCP154(2103),
csAmiga1251(2104),
csKOI7switched(2105),
cswindows1250(2250),
cswindows1251(2251),
cswindows1252(2252),
cswindows1253(2253),
cswindows1254(2254),
cswindows1255(2255),
cswindows1256(2256),
cswindows1257(2257),
cswindows1258(2258),
csTIS620(2259),
reserved(3000)
}
END
5. IANA Considerations
IANA has assigned a base arc in the 'mgmt' (standards track) OID tree
for the 'ianaCharset' MODULE-IDENTITY defined in the IANA Charset MIB
[CHARMIB].
Whenever any 'charset' is added to the IANA Charset Registry
[CHARSET], a new version of the IANA Charset MIB [CHARMIB] may be
machine-generated using the C language utility [CHARGEN], described
in section 3 of this document or some other utility.
6. Internationalization Considerations
The IANA Charset MIB [CHARMIB] defines the 'IANACharset' textual
convention that may be used in a given MIB module to supply explicit
character set labels for one or more text string objects defined in
that MIB module.
For example, the Printer MIB [RFC1759] defines the three character
set label objects 'prtLocalizationCharacterSet' (for description and
console strings), 'prtInterpreterDefaultCharSetIn' (for received
McDonald Informational [Page 10]
RFC 3808 IANA Charset MIB June 2004
print job input data), and 'prtIntpreterDefaultCharSetOut' (for
processed print job output data).
The IANA Charset MIB [CHARMIB] supports implementation of the best
practices specified in "IETF Policy on Character Sets and Languages"
[RFC2277].
Note: The use of the 'SnmpAdminString' textual convention defined in
[RFC3411], which has a fixed character set of UTF-8 [RFC3629], is
STRONGLY RECOMMENDED in defining new MIB modules. The IANA Charset
MIB [CHARMIB] supports locale-specific MIB objects with variable
character sets.
7. Security Considerations
This MIB module does not define any management objects. Instead, it
defines a (set of) textual convention(s) which may be used by other
MIB modules to define management objects.
Meaningful security considerations can only be written in the MIB
modules that define management objects. Therefore, this document has
no impact on the security of the Internet.
8. Acknowledgements
The editor would like to thank: Bert Wijnen (Lucent) for his
original suggestion that the 'IANACharset' textual convention should
be extracted from Printer MIB v2 [RFC3805]; Ron Bergman (Hitachi
Printing Solutions) and Harry Lewis (IBM) for their many years of
effort as editors of Printer MIB v2 [RFC3805].
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2277] Alvestrand, H., "IETF Policy on Character Sets and
Languages", RFC 2277, January 1998.
[RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Structure of Management Information Version 2 (SMIv2)",
STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Textual Conventions for SMIv2", STD 58, RFC 2579, April
1999.
McDonald Informational [Page 11]
RFC 3808 IANA Charset MIB June 2004
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", STD 58, RFC 2580,
April 1999.
[RFC2978] Freed, N. and J. Postel, "IANA Charset Registration
Procedures", BCP 19, RFC 2978, October 2000.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing SNMP Network Management
Frameworks", STD 62, RFC 3411, December 2002.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", RFC 3629, November 2003.
9.2. Informative References
[CHARGEN] IANA Charset MIB Generation Utility (archived at):
ftp://www.pwg.org/pub/pwg/pmp/tools/ianachar.c
[CHARMIB] IANA Charset MIB (in the future, to be archived at):
http://www.iana.org/assignments/ianacharset-mib
[CHARSET] IANA Charset Registry (archived at):
http://www.iana.org/assignments/character-sets
[CHARTEMP] IANA Charset MIB template file (archived at):
ftp://www.pwg.org/pub/pwg/pmp/tools/ianachar.dat
[RFC1759] Smith, R., Wright, F., Hastings, T., Zilles, S., and J.
Gyllenskog. "Printer MIB", RFC 1759, March 1995.
[RFC3805] Bergman, R., Lewis, H., and I. McDonald, "Printer MIB
v2", RFC 3805, June 2004.
[RFC3410] Case, J., Mundy, P., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for
Internet-Standard Network Management Framework", RFC
3410, December 2002.
McDonald Informational [Page 12]
RFC 3808 IANA Charset MIB June 2004
10. Authors' Addresses
Ira McDonald
High North Inc
221 Ridge Ave
Grand Marais, MI 49839
USA
Phone: +1 906 494 2434
EMail: imcdonald@sharplabs.com
Internet Assigned Numbers Authority (IANA)
ICANN
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292
USA
Phone: +1 310 823 9358
EMail: iana@iana.org
Note: Questions and comments on this IANA Charset MIB [CHARMIB]
should be sent to the editor (imcdonald@sharplabs.com) and IANA
(iana@iana.org) with a copy to the IETF Charsets mailing list
(ietf-charset@iana.org).
McDonald Informational [Page 13]
RFC 3808 IANA Charset MIB June 2004
11. Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
McDonald Informational [Page 14]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+955
Ver Arquivo
@@ -0,0 +1,955 @@
Network Working Group T. Hastings, Ed.
Request for Comments: 3997 Xerox Corporation
Category: Informational R. K. deBry
Utah Valley State College
H. Lewis
IBM Corporation
March 2005
Internet Printing Protocol (IPP):
Requirements for IPP Notifications
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document is one of a set of documents that together describe all
aspects of the Internet Printing Protocol (IPP). IPP is an
application-level protocol that can be used for distributed printing
on the Internet. There are multiple parts to IPP, but the primary
architectural components are the Model, the Protocol, and an
interface to Directory Services. This document provides a statement
of the requirements for notifications as an optional part of an IPP
Service.
Table of Contents
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Requirements. . . . . . . . . . . . . . . . . . . . . . . . . 10
5. Security Considerations for IPP Notifications Requirements. . 12
6. Internationalization Considerations . . . . . . . . . . . . . 13
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
8. References. . . . . . . . . . . . . . . . . . . . . . . . . . 14
8.1. Normative References. . . . . . . . . . . . . . . . . . 14
8.2. Informative References. . . . . . . . . . . . . . . . . 14
9. Appendix A: Description of the Base IPP Documents . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 17
Hastings, et al. Informational [Page 1]
RFC 3997 IPP: Notification Requirements March 2005
1. Introduction
This document is one of a set of documents that together describe all
aspects of the Internet Printing Protocol (IPP). IPP is an
application level protocol that can be used for distributed printing
on the Internet. There are multiple parts to IPP, but the primary
architectural components are the Model, the Protocol, and an
interface to Directory Services. This document provides a statement
of the requirements for notifications as an optional part of an IPP
Service. See section 10 for a description of the base IPP documents.
The scope of this requirements document covers functionality used by
the following kinds of IPP Users: End Users, Print Administrators,
and Operators. See [RFC3995] for the extensions to the Internet
Printing Protocol/1.0 (IPP) [RFC2565], [RFC2566], IPP/1.1 [RFC2911],
[RFC2910], and future versions.
2. Terminology
It is necessary to define a set of terms to be able to clearly
express the requirements for notification services in an IPP System.
2.1. Job-Submitting End User
A human end user who submits a print job to an IPP Printer. This
person may or may not be within the same security domain as the
Printer. This person may or may not be geographically near the
printer.
2.2. Administrator
A human user who established policy for and configures the print
system.
2.3. Operator
A human user who carries out the policy established by the
Administrator and controls the day-to-day running of the print
system.
2.4. Job-Submitting Application
An application (for example, a batch application), acting on behalf
of a Job Submitting End User, that submits a print job to an IPP
Printer. The application may or may not be within the same security
domain as the Printer. This application may or may not be
geographically near the printer.
Hastings, et al. Informational [Page 2]
RFC 3997 IPP: Notification Requirements March 2005
2.5. Security Domain
For the purposes of this discussion, the set of network components
that can communicate without going through a proxy or firewall. A
security domain may be geographically very large; for example,
anywhere within example.com.
2.6. IPP Client
The software component that sends IPP requests to an IPP Printer
object and accepts IPP responses from an IPP Printer.
2.7. Job Recipient
A human who is the ultimate consumer of the print job. In many cases
this will be the same person as the Job-Submitting End User, but this
need not always be the case. For example, if I use IPP to print a
document on a printer in a business partner's office, I am the Job-
Submitting End User, and the person whom I intend the document for in
my business partner's office is the Job Recipient. Since one of the
goals of IPP is to be able to print near the Job Recipient, we would
normally expect that person to be in the same security domain as, and
geographically near, the Printer. However, this may not always be
the case. For example, I submit a print job across the Internet to a
XYZ's print shop. I am both the Submitting End User and the Job
Recipient, but I am neither near nor in the same security domain as
the Printer.
2.8. Job Recipient Proxy
A person acting on behalf of the Job Recipient. The Job Recipient
Proxy physically picks up the printed document from the Printer if
the Job Recipient cannot do so. The Proxy is by definition
geographically near and in the same security domain as the printer.
For example, I submit a print job from home to be printed on a
printer at work. I'd like my secretary to pick up the print job and
put it on my desk. In this case, I am acting as both a Job-
Submitting End User and a Job Recipient. My secretary is acting as a
Job Recipient Proxy.
2.9. Notification Subscriber
A client that requests the IPP Printer to send Event Notifications to
one or more Notification Recipients. A Notification Subscriber may
be a Job-Submitting End User or an End User, an Operator, or an
Administrator that is not submitting a job.
Hastings, et al. Informational [Page 3]
RFC 3997 IPP: Notification Requirements March 2005
2.10. Notification Source
The entity that sends Event Notifications.
2.11. Notification Recipient
The entity that receives IPP Notifications about Job and/or Printer
events. A Notification Recipient may be a Job Submitting End User, a
Job-Submitting Application, a Job Recipient, a Job Recipient Proxy,
an Operator, an Administrator, etc., and his or her representative,
log file, usage statistics-gathering application, or other active or
passive entities.
2.12. Notification Recipient Agent
A program that receives Event Notifications on behalf of the
Notification Recipient. The agent may take some action on behalf of
the recipient, forward the notification to the recipient via some
alternative means (for example, page the recipient), or queue the
notification for later retrieval by the recipient.
2.13. Event
An Event is an occurrence (either expected or unexpected) within the
printing system of a change of state, condition, or configuration of
a Job or Printer object.
2.14. Event Notification
When an event occurs, an Event Notification is generated that fully
describes the event (what the event was, where it occurred, when it
occurred, etc.). Event Notifications are delivered to all the
Notification Recipients that are subscribed to that Event, if any.
The Event Notification is delivered to the address of the
Notification Recipient by using the notification delivery method
defined in the subscription. However, an Event Notification is sent
ONLY if there is a corresponding subscription.
2.15. Notification Subscription
A Notification Subscription is a request by a Notification Subscriber
to the IPP Printer to send Event Notifications to specified
Notification Recipient(s) when an event occurs.
Hastings, et al. Informational [Page 4]
RFC 3997 IPP: Notification Requirements March 2005
2.16. Notification Attributes
IPP Objects (for example, a print job) from which notification are
being sent may have associated attributes. A user may want to have
one or more of these returned along with a particular notification.
In general, these may include any attribute associated with the
object emitting the notification. Examples include the following:
number-of-intervening jobs
job-k-octets
job-k-octets processed
job impressions
job-impressions-interpreted
job-impressions-completed
impressionsCompletedCurrentCopy (job MIB)
sheetCompletedCopyNumber (job MIB)
sheetsCompletedDocumentNumber (job MIB)
Copies-requested
Copy-type
Output-destination
Job-state-reasons
Job ID
Printer URI
Subscription ID (for job independent subscription)
2.17. Notification Delivery Method (or Delivery Method for Short)
Event Notifications are delivered by using a Delivery Method. An
example of a Delivery Method is email.
2.18. Immediate Notification
Notifications sent to the Notification Recipient or the Notification
Recipient's agent in such a way that the notification arrives
immediately, within the limits of common addressing, routing, network
congestion, and quality of service.
2.19. Store-and-Forward Notification
Notifications that are not necessarily delivered to Notification
Recipients immediately but are queued for delivery by an intermediate
network application, for later retrieval. Email is an example of a
store-and-forward notification delivery method.
Hastings, et al. Informational [Page 5]
RFC 3997 IPP: Notification Requirements March 2005
2.20. Reliable Delivery of Notifications
Notifications that are delivered by a reliable delivery of packets or
character stream, with acknowledgement and retry, so that delivery of
the notification is guaranteed within determinate time limits. For
example, if the Notification Recipient has logged off and gone home
for the day, an immediate notification cannot be guaranteed, even
when sent over a reliable transport, because there is nothing there
to catch it. Guaranteed delivery requires both store-and-forward
notification and a reliable transport.
2.21. Notification over Unreliable Transport
Notifications are delivered via the fundamental transport address and
routing framework, but no acknowledgement or retry is required.
Process-to-process communications, if involved, are unconstrained.
2.22. Human-Consumable Notification
Notifications intended to be consumed by human end users only. Email
would be an example of a Human-Consumable Notification, though it
could also contain Machine-Consumable Notification.
2.23. Machine-Consumable Notification
Notifications that are intended for consumption by a program only,
such as an IPP Client. Machine-Consumable Notifications may not
contain human-readable information. Do we need both human and
machine? Machine readable is intended for application-to-application
only. The Notification Recipient could process the machine-readable
Event Notification into human-readable format.
2.24. Mixed Notification
A mixed notification contains both Human-Consumable and Machine-
Consumable information.
3. Scenarios
1. Sitting in my office, I submit a print job to the printer down
the hall. I am in the same security domain as the printer and,
of course, geographically near. I want to know immediately when
my print job will be completed (or if there is a problem)
because the document I am working on is urgent. I submit the
print job with the following attributes:
Hastings, et al. Informational [Page 6]
RFC 3997 IPP: Notification Requirements March 2005
- Notification Recipient: Me
- Notification Events: All
- Notification Attributes: Job-state-reason
- Notification Type: Immediate
2. Working from home, I submit a print job to the same printer as
in the previous example. However, I am not at work, I cannot
physically get the print file or do anything with it. It can
wait until I get to work this afternoon. However, I'd like my
secretary to pick up the output and put it on my desk so that it
doesn't get lost or misfiled. I'd also like a store-and-forward
notification sent to my email so that when I get to work I can
tell whether there was a problem with the print job. I submit a
print job with the following attributes:
- Notification Recipient: My secretary
- Notification Events: Print complete
- Notification Type: Immediate
- Notification Recipient: Me
- Notification Events: Print complete
- Notification Attributes: Impressions completed
- Notification Type: Store and forward
3. Sitting in my office, I submit a print job to a client at an
engineering firm my company works with on a daily basis. The
engineering firm is in Belgium. I would like my client to know
when the print job is complete so that she can pick it up from
the printer in her building. It is important that she review it
right away and send her comments back to me. I submit the print
job with the following attributes:
- Notification Recipient: Client at engineering firm
- Notification Events: Print complete
- Notification Type: Immediate
- Notification Language: French
4. From a hotel room, I send a print job to a Kinko's store in the
town I am working in, in order to get a printed report for the
meeting I am attending in the morning. As I'm going out to
dinner after I get this job submitted, an immediate notification
won't do me much good. However, I'd like to check in the
morning before I drive to the Kinko's store to see whether the
file has been printed. An email notification is sufficient for
this purpose. I submit the print job with the following
attributes:
Hastings, et al. Informational [Page 7]
RFC 3997 IPP: Notification Requirements March 2005
- Notification Recipient: Me
- Notification Events: Print complete
- Notification Type: Store and forward
5. I am printing a large, complex print file. I want to have some
immediate feedback on the progress of the print job as it
prints. I submit the print job with the following attributes:
- Notification Recipient: Me
- Notification Type: Immediate
- Notification Events: All state transitions
- Notification Attributes: Impression completed
6. I am an operator and one of my duties is to keep the printer
running. I subscribe independently from a job submission so
that my subscription outlasts any particular job. I subscribe
with the following attributes:
- Notification Recipient: Me
- Notification Type: Immediate
- Notification Events: All Printer state transitions
- Notification Attributes: Printer state, printer state
reasons, device powering up, device powering down
7. I am a usage statistics gathering application. I subscribe
independently from a job submission so that my subscription
outlasts any particular job. My subscription may persist across
power cycles. I subscribe with the following attributes:
- Notification Recipient: Me
- Notification Type: Immediate
- Notification Events: Job completion
- Notification Attributes: Impression completed, sheets
completed, time submitted, time started, time completed, job
owner, job size in octets, etc.
8. I am a client application program that displays a list of jobs
currently queued for printing on a printer. I display the
"job-name", "job-state", "job-state-reasons", "page-count", and
"intervening-jobs", either for the user's jobs or for all jobs.
The window displaying the job list remains open for an
independent amount of time, and it is desired that it represent
the current state of the queue. It is desired that the
application only perform a slow poll in order to recover from
any missed notifications. So the event delivery mechanism
provides the means to update the screen on all needed changes,
including querying for some attributes that may not be delivered
in the Notification.
Hastings, et al. Informational [Page 8]
RFC 3997 IPP: Notification Requirements March 2005
9. I am a client application program that displays a list of
printers. For each Printer, I display the current state and
configuration. The window displaying the printer list remains
open for an independent amount of time, and it is desired that
it represent the current state of each printer. It is desired
that the application only need to perform a slow poll in order
to recover from any missed notifications. So the event delivery
mechanism provides the means to update the screen on all needed
changes, including querying for some attributes that may not be
delivered in the Notification.
10. I am an IPP Server that controls one or more devices and that
implements an IPP Printer object to represent each device. I
want to support IPP Notification for each of the IPP Printer
objects that I implement. Many of these devices do not support
notification (or IPP). So I need to support the IPP
Notification semantics specified for each IPP Printer object
myself on behalf of each of the devices that each of the IPP
Printer objects represents. When I accept an IPP job creation
requests, I convert it to what the device will accept. In some
cases, I must poll the devices in order to be informed of their
job and device state and state changes to be able to send IPP
Notifications to subscribed Notification Recipients.
11. I am an IPP Server that controls one or more devices and that
implements an IPP Printer object to represent each device. I
want to support IPP Notification for each of the IPP Printer
objects that I implement. These devices all support IPP,
including IPP Notification. I would like the design choice for
supporting IPP Notification for these objects either (1) by
forwarding the notification to the IPP Printers that I, alone,
control and have them send the notifications to the intended
Notification Recipients without my involvement, or (2) by
replacing the notification submitted with the Job to indicate me
as the Notification Recipient; in turn I will forward
Notifications to the Notification Recipients requested by my
clients. Most of the rest of the contents of the IPP Job I send
to the IPP Printers I control will be the same as those that I
receive from my IPP clients.
12. I am an IPP Server that controls one or more devices and that
implements an IPP Printer object to represent each device. I
want to support IPP Notification for each of the IPP Printer
objects that I implement. These devices all support IPP,
including IPP Notification. Because these IPP Printers MAY also
be controlled by other servers (using IPP or other protocols), I
only want job events for the jobs that I send, but I do want
Printer events all the time, so that I can show proper Printer
Hastings, et al. Informational [Page 9]
RFC 3997 IPP: Notification Requirements March 2005
state to my clients. So I subscribe to these IPP Printers for
Printer events with a long-standing subscription, with myself as
the Notification Recipient. When I get a Job Creation request,
I decide to which IPP Printer to send the job. When I do so, I
also add a job subscription for Job events, with me as the
Notification Recipient to the job's job subscriptions supplied
by my clients (this usage is called "piggybacking"). These IPP
Printers automatically remove their job subscriptions when the
job finishes, as for all job subscriptions, so that I no longer
get Job events when my jobs are completed.
4. Requirements
The following requirements are intended to be met by the IPP
Notification specification (not the implementation). The following
are true for the resulting IPP Notification Specification document:
1. It must indicate which of these requirements are REQUIRED and
which are OPTIONAL for a conforming implementation to support.
See [RFC2911], section 12.1, for the definition of these
important conformance terms.
2. It must be designed so that an IPP Printer can transparently
support the IPP Notification semantics by using third-party
notification services that exist today or that may be
standardized in the future.
3. It must define a means for a Job-Submitting End User to specify
zero or more Notification Recipients when submitting a print job.
A Submitter will not be able to prevent out-of-band subscriptions
from authorized persons, such as Operators.
4. It must define a means, when specifying a Notification Recipient,
for a Notification Subscriber to specify one or more notification
events for that Notification Recipient, subject to administrative
and security policy restrictions. Any of the following
constitute Job or Printer Events for which a Job Submitting End
User can specify that notifications be sent:
- Any standard Printer MIB alert
- Job Received (transition from Unknown to Pending)
- Job Started (transition from Pending to Processing)
- Page Complete (page is stacked)
- Collated Copy Complete (last sheet of collated copy is
stacked)
Hastings, et al. Informational [Page 10]
RFC 3997 IPP: Notification Requirements March 2005
- Job Complete (transition from Processing or Processing-stopped
to Completed)
- Job Aborted (transition from Pending, Pending-held,
- Processing, or Processing-stopped to Aborted)
- Job Canceled (transition from Pending, Pending-held,
- Processing, or Processing-held to Canceled)
- Other job state changes, such as paused, purged
- Device problems for which the job is destined
- Job (interpreter) issues
5. It must define how an End User or Operator subscribes for
- any set of Job Events for a specific job, or
- any set of Printer Events while a specific job is not
complete.
6. It must define how an End User or Operator subscribes for the
following without having to submit a Job:
- Any set of Printer Events for a defined period.
- Any set of Job Events for all jobs, with no control over
which jobs.
7. It must define how the Notification Subscriber is able to
specify either immediate or store-and-forward notification
independently for each Notification Recipient. The means may be
explicit, or implied by the method of delivery chosen by the Job
Submitting End User.
8. It must define common delivery methods: e.g., email.
9. It must define how an IPP Printer validates its ability to
deliver an Event by using the specified delivery scheme. If it
does not support the specified scheme, or if the specified
scheme is invalid for some reason, then the IPP Printer accepts
and performs the request anyway and indicates the unsupported
attribute values. There is no requirement for the IPP Printer
receiving the print request to validate the identity of a
Notification Recipient, or the ability of the system to deliver
an event to that recipient as requested (for example, if the
Notification Recipient is not at work today).
10. It must define a class of IPP event notification delivery
methods that can flow through corporate firewalls. However, an
IPP printer need not test to guarantee delivery of the
notification through a firewall before accepting a print job.
Hastings, et al. Informational [Page 11]
RFC 3997 IPP: Notification Requirements March 2005
11. It may define a means to deliver a notification to the
submitting client when the delivery of an event notification to
a specified Notification Recipient fails. A fallback means of
subscribers to determine whether notifications have failed
(i.e., polling) may be provided.
12. It must define a mechanism for localizing Human-Consumable
Notifications by the Notification Source.
13. It may define a way to specify whether event delivery requires
acknowledgement back to the Notification Source.
14. There must be a mechanism defined so that job-independent
subscriptions do not become stale and do not require human
intervention to be removed. However, a subscription must not be
deemed stale only if it is unable to deliver an Event
Notification, as temporary Notification delivery problems must
be tolerated.
15. A mechanism must be defined so that an Event Subscriber is able
to add an Event Subscription to a Job after the Job has been
submitted.
16. A mechanism must be defined so that a client is able to cancel
an Event Subscription on a job or printer after the job has been
submitted.
17. A mechanism must be defined so that a client can obtain the set
of current Subscriptions.
5. Security Considerations for IPP Notifications Requirements
By far the biggest security concern is the abuse of notification:
sending unwanted notifications sent to third parties (i.e., spam).
The problem is made worse by notification addresses that may be
redistributed to multiple parties (e.g., mailing lists). Scenarios
exist in which third-party notification is required (see scenarios 2
and 3). The fully secure solution would require active agreement of
all recipients before anything is sent out. However, requirement 9
("There is no requirement for an IPP Printer receiving the print
request to validate the identity of an event recipient") argues
against this. Certain systems may decide to disallow third-party
notifications (a traditional fax model).
The same security issues are present when Clients submit notification
requests to the IPP Printer as when they submit an IPP/1.1 print job
request. The same mechanisms used by IPP/1.1 can therefore be used
Hastings, et al. Informational [Page 12]
RFC 3997 IPP: Notification Requirements March 2005
by the client notification submission. Operations that require
authentication can use the HTTP authentication. Operations that
require privacy can use the HTTP/TLS privacy.
The notification access control model should be similar to the IPP
access control model. Creating a notification subscription is
associated with a user. Only the creator or an operator can cancel
the subscription. The system may limit the listing of items to items
owned by the user. Some subscriptions (e.g., those that have a
lifetime longer than a job) can be done only by privileged users
(operators and/or administrators), if that is the authorization
policy.
The standard security concerns (delivery to the right user, privacy
of content, tamper-proof content) apply to the notification delivery.
IPP should use the security mechanism of the delivery method used.
Some delivery mechanisms are more secure than others. Therefore,
sensitive notifications should use the delivery method that has the
strongest security.
6. Internationalization Considerations
The Human-Consumable Notification must be localized to the natural
language and charset that Notification Subscriber specifies within
the choice of natural languages and charsets that the IPP Printer
supports.
The Machine-Consumable Notification data uses the "application/ipp"
MIME media type. It contains attributes whose text values are
required to be in the natural language and charset that the
Notification Subscriber specifies within the choice of natural
languages and charsets that the IPP Printer supports. See [RFC2566].
7. IANA Considerations
Some notification delivery methods have been registered with IANA for
use in URLs. These will be defined in other documents.
Hastings, et al. Informational [Page 13]
RFC 3997 IPP: Notification Requirements March 2005
8. References
8.1. Normative References
[RFC2910] Herriot, R., Butler, S., Moore, P., Turner, R., and J.
Wenn, "Internet Printing Protocol/1.1: Encoding and
Transport", RFC 2910, September 2000.
[RFC2911] Hastings, T., Herriot, R., deBry, R., Isaacson, S., and
P. Powell, "Internet Printing Protocol/1.1: Model and
Semantics", RFC 2911, September 2000.
[RFC3995] Herriot, R. and T. Hastings, "Internet Printing Protocol
(IPP): Event Notifications and Subscriptions", RFC 3995,
March 2005.
8.2. Informative References
[RFC2565] Herriot, R., Butler, S., Moore, P., and R. Turner,
"Internet Printing Protocol/1.0: Encoding and Transport",
RFC 2565, April 1999.
[RFC2566] deBry, R., Hastings, T., Herriot, R., Isaacson, S., and
P. Powell, "Internet Printing Protocol/1.0: Model and
Semantics", RFC 2566, April 1999.
[RFC2567] Wright, F., "Design Goals for an Internet Printing
Protocol", RFC 2567, April 1999.
[RFC2568] Zilles, S., "Rationale for the Structure of the Model and
Protocol for the Internet Printing Protocol", RFC 2568,
April 1999.
[RFC2569] Herriot, R., Hastings, T., Jacobs, N., and J. Martin,
"Mapping between LPD and IPP Protocols", RFC 2569, April
1999.
[RFC2639] Hastings, T., Manros, C., Zehler, P., Kugler, C., and H.
Holst, "Internet Printing Protocol/1.1: Implementor's
Guide", RFC 3196, November 2001.
Hastings, et al. Informational [Page 14]
RFC 3997 IPP: Notification Requirements March 2005
9. Appendix A: Description of the Base IPP Documents
The base set of IPP documents includes the following:
Design Goals for an Internet Printing Protocol [RFC2567]
Rationale for the Structure and Model and Protocol for the
Internet Printing Protocol [RFC2568]
Internet Printing Protocol/1.1: Model and Semantics [RFC2911]
Internet Printing Protocol/1.1: Encoding and Transport [RFC2910]
Internet Printing Protocol/1.1: Implementer's Guide [RFC3196]
Mapping between LPD and IPP Protocols [RFC2569]
"Design Goals for an Internet Printing Protocol" takes a broad look
at distributed printing functionality, and it enumerates real-life
scenarios that help clarify the features that need to be included in
a printing protocol for the Internet. It identifies requirements for
three types of users: end users, operators, and administrators. It
calls out a subset of end-user requirements that are satisfied in
IPP/1.0 [RFC2566], [RFC2565]. A few OPTIONAL operator operations
have been added to IPP/1.1 [RFC2911], [RFC2910].
"Rationale for the Structure and Model and Protocol for the Internet
Printing Protocol" describes IPP from a high-level view, defines a
roadmap for the various documents that form the suite of IPP
specification documents, and gives background and rationale for the
IETF IPP working group's major decisions.
"Internet Printing Protocol/1.1: Model and Semantics" describes a
simplified model with abstract objects, their attributes, and their
operations. The model introduces a Printer and a Job. The Job
supports multiple documents per Job. The model document also
addresses security, internationalization, and directory issues.
"Internet Printing Protocol/1.1: Encoding and Transport" is a formal
mapping of the abstract operations and attributes defined in the
model document onto HTTP/1.1 [RFC2616]. It also defines the encoding
rules for a new Internet MIME media type called "application/ipp".
This document also defines the rules for transporting over HTTP a
message body whose Content-Type is "application/ipp". This document
defines the "ipp" scheme for identifying IPP printers and jobs.
"Internet Printing Protocol/1.1: Implementer's Guide" gives insight
and advice to implementers of IPP clients and IPP objects. It is
intended to help them understand IPP/1.1 and some of the
considerations that may assist them in the design of their client
and/or IPP object implementations. For example, a typical order of
processing requests is given, including error checking. Motivation
for some of the specification decisions is also included.
Hastings, et al. Informational [Page 15]
RFC 3997 IPP: Notification Requirements March 2005
"Mapping between LPD and IPP Protocols" gives some advice to
implementers of gateways between IPP and LPD (Line Printer Daemon )
implementations.
Authors' Addresses
Tom Hastings (editor)
Xerox Corporation
701 S Aviation Blvd, ESAE 242
El Segundo, CA 90245
Phone: 310-333-6413
Fax: 310-333-6342
EMail: hastings@cp10.es.xerox.com
Roger deBry
Utah Valley State College
Phone: (801) 863-8848
EMail: debryro@uvsc.edu
Harry Lewis
IBM Corporation
6300 Diagonal Hwy
Boulder, CO 80301
Phone: (303) 924-5337
EMail: harryl@us.ibm.com
Hastings, et al. Informational [Page 16]
RFC 3997 IPP: Notification Requirements March 2005
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Hastings, et al. Informational [Page 17]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+899
Ver Arquivo
@@ -0,0 +1,899 @@
Network Working Group D. Crocker, Ed.
Request for Comments: 4234 Brandenburg InternetWorking
Obsoletes: 2234 P. Overell
Category: Standards Track THUS plc.
October 2005
Augmented BNF for Syntax Specifications: ABNF
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
Internet technical specifications often need to define a formal
syntax. Over the years, a modified version of Backus-Naur Form
(BNF), called Augmented BNF (ABNF), has been popular among many
Internet specifications. The current specification documents ABNF.
It balances compactness and simplicity, with reasonable
representational power. The differences between standard BNF and
ABNF involve naming rules, repetition, alternatives, order-
independence, and value ranges. This specification also supplies
additional rule definitions and encoding for a core lexical analyzer
of the type common to several Internet specifications.
Crocker & Overell Standards Track [Page 1]
RFC 4234 ABNF October 2005
Table of Contents
1. INTRODUCTION ....................................................2
2. RULE DEFINITION .................................................3
2.1. Rule Naming ................................................3
2.2. Rule Form ..................................................3
2.3. Terminal Values ............................................4
2.4. External Encodings .........................................5
3. OPERATORS .......................................................6
3.1. Concatenation: Rule1 Rule2 ................................6
3.2. Alternatives: Rule1 / Rule2 ...............................6
3.3. Incremental Alternatives: Rule1 =/ Rule2 ...................7
3.4. Value Range Alternatives: %c##-## .........................7
3.5. Sequence Group: (Rule1 Rule2) .............................8
3.6. Variable Repetition: *Rule ................................8
3.7. Specific Repetition: nRule ................................9
3.8. Optional Sequence: [RULE] .................................9
3.9. Comment: ; Comment ........................................9
3.10. Operator Precedence .......................................9
4. ABNF DEFINITION OF ABNF ........................................10
5. SECURITY CONSIDERATIONS ........................................11
6. References .....................................................11
6.1. Normative References ......................................11
6.2. Informative References ....................................11
Appendix A. ACKNOWLEDGEMENTS .....................................13
Appendix B. APPENDIX - CORE ABNF OF ABNF .........................13
B.1. Core Rules ...............................................13
B.2. Common Encoding ..........................................14
1. INTRODUCTION
Internet technical specifications often need to define a formal
syntax and are free to employ whatever notation their authors deem
useful. Over the years, a modified version of Backus-Naur Form
(BNF), called Augmented BNF (ABNF), has been popular among many
Internet specifications. It balances compactness and simplicity,
with reasonable representational power. In the early days of the
Arpanet, each specification contained its own definition of ABNF.
This included the email specifications, [RFC733] and then [RFC822],
which came to be the common citations for defining ABNF. The current
document separates those definitions to permit selective reference.
Predictably, it also provides some modifications and enhancements.
The differences between standard BNF and ABNF involve naming rules,
repetition, alternatives, order-independence, and value ranges.
Appendix B supplies rule definitions and encoding for a core lexical
analyzer of the type common to several Internet specifications. It
is provided as a convenience and is otherwise separate from the meta
Crocker & Overell Standards Track [Page 2]
RFC 4234 ABNF October 2005
language defined in the body of this document, and separate from its
formal status.
Changes since [RFC2234]:
In Section 3.7, the phrase: "That is, exactly <N> occurrences of
<element>." was corrected to: "That is, exactly <n> occurrences of
<element>."
Some continuation comment lines needed to be corrected to begin
with comment character (";").
2. RULE DEFINITION
2.1. Rule Naming
The name of a rule is simply the name itself; that is, a sequence of
characters, beginning with an alphabetic character, and followed by a
combination of alphabetics, digits, and hyphens (dashes).
NOTE:
Rule names are case-insensitive
The names <rulename>, <Rulename>, <RULENAME>, and <rUlENamE> all
refer to the same rule.
Unlike original BNF, angle brackets ("<", ">") are not required.
However, angle brackets may be used around a rule name whenever their
presence facilitates in discerning the use of a rule name. This is
typically restricted to rule name references in free-form prose, or
to distinguish partial rules that combine into a string not separated
by white space, such as shown in the discussion about repetition,
below.
2.2. Rule Form
A rule is defined by the following sequence:
name = elements crlf
where <name> is the name of the rule, <elements> is one or more rule
names or terminal specifications, and <crlf> is the end-of-line
indicator (carriage return followed by line feed). The equal sign
separates the name from the definition of the rule. The elements
form a sequence of one or more rule names and/or value definitions,
combined according to the various operators defined in this document,
such as alternative and repetition.
Crocker & Overell Standards Track [Page 3]
RFC 4234 ABNF October 2005
For visual ease, rule definitions are left aligned. When a rule
requires multiple lines, the continuation lines are indented. The
left alignment and indentation are relative to the first lines of the
ABNF rules and need not match the left margin of the document.
2.3. Terminal Values
Rules resolve into a string of terminal values, sometimes called
characters. In ABNF, a character is merely a non-negative integer.
In certain contexts, a specific mapping (encoding) of values into a
character set (such as ASCII) will be specified.
Terminals are specified by one or more numeric characters, with the
base interpretation of those characters indicated explicitly. The
following bases are currently defined:
b = binary
d = decimal
x = hexadecimal
Hence:
CR = %d13
CR = %x0D
respectively specify the decimal and hexadecimal representation of
[US-ASCII] for carriage return.
A concatenated string of such values is specified compactly, using a
period (".") to indicate a separation of characters within that
value. Hence:
CRLF = %d13.10
ABNF permits the specification of literal text strings directly,
enclosed in quotation-marks. Hence:
command = "command string"
Literal text strings are interpreted as a concatenated set of
printable characters.
Crocker & Overell Standards Track [Page 4]
RFC 4234 ABNF October 2005
NOTE:
ABNF strings are case-insensitive and the character set for these
strings is us-ascii.
Hence:
rulename = "abc"
and:
rulename = "aBc"
will match "abc", "Abc", "aBc", "abC", "ABc", "aBC", "AbC", and
"ABC".
To specify a rule that IS case SENSITIVE, specify the characters
individually.
For example:
rulename = %d97 %d98 %d99
or
rulename = %d97.98.99
will match only the string that comprises only the lowercased
characters, abc.
2.4. External Encodings
External representations of terminal value characters will vary
according to constraints in the storage or transmission environment.
Hence, the same ABNF-based grammar may have multiple external
encodings, such as one for a 7-bit US-ASCII environment, another for
a binary octet environment, and still a different one when 16-bit
Unicode is used. Encoding details are beyond the scope of ABNF,
although Appendix A (Core) provides definitions for a 7-bit US-ASCII
environment as has been common to much of the Internet.
By separating external encoding from the syntax, it is intended that
alternate encoding environments can be used for the same syntax.
Crocker & Overell Standards Track [Page 5]
RFC 4234 ABNF October 2005
3. OPERATORS
3.1. Concatenation: Rule1 Rule2
A rule can define a simple, ordered string of values (i.e., a
concatenation of contiguous characters) by listing a sequence of rule
names. For example:
foo = %x61 ; a
bar = %x62 ; b
mumble = foo bar foo
So that the rule <mumble> matches the lowercase string "aba".
LINEAR WHITE SPACE: Concatenation is at the core of the ABNF parsing
model. A string of contiguous characters (values) is parsed
according to the rules defined in ABNF. For Internet specifications,
there is some history of permitting linear white space (space and
horizontal tab) to be freely and implicitly interspersed around major
constructs, such as delimiting special characters or atomic strings.
NOTE:
This specification for ABNF does not provide for implicit
specification of linear white space.
Any grammar that wishes to permit linear white space around
delimiters or string segments must specify it explicitly. It is
often useful to provide for such white space in "core" rules that are
then used variously among higher-level rules. The "core" rules might
be formed into a lexical analyzer or simply be part of the main
ruleset.
3.2. Alternatives: Rule1 / Rule2
Elements separated by a forward slash ("/") are alternatives.
Therefore,
foo / bar
will accept <foo> or <bar>.
Crocker & Overell Standards Track [Page 6]
RFC 4234 ABNF October 2005
NOTE:
A quoted string containing alphabetic characters is a special form
for specifying alternative characters and is interpreted as a
non-terminal representing the set of combinatorial strings with
the contained characters, in the specified order but with any
mixture of upper and lower case.
3.3. Incremental Alternatives: Rule1 =/ Rule2
It is sometimes convenient to specify a list of alternatives in
fragments. That is, an initial rule may match one or more
alternatives, with later rule definitions adding to the set of
alternatives. This is particularly useful for otherwise, independent
specifications that derive from the same parent rule set, such as
often occurs with parameter lists. ABNF permits this incremental
definition through the construct:
oldrule =/ additional-alternatives
So that the rule set
ruleset = alt1 / alt2
ruleset =/ alt3
ruleset =/ alt4 / alt5
is the same as specifying
ruleset = alt1 / alt2 / alt3 / alt4 / alt5
3.4. Value Range Alternatives: %c##-##
A range of alternative numeric values can be specified compactly,
using dash ("-") to indicate the range of alternative values. Hence:
DIGIT = %x30-39
is equivalent to:
DIGIT = "0" / "1" / "2" / "3" / "4" / "5" / "6" /
"7" / "8" / "9"
Concatenated numeric values and numeric value ranges cannot be
specified in the same string. A numeric value may use the dotted
notation for concatenation or it may use the dash notation to specify
Crocker & Overell Standards Track [Page 7]
RFC 4234 ABNF October 2005
one value range. Hence, to specify one printable character between
end of line sequences, the specification could be:
char-line = %x0D.0A %x20-7E %x0D.0A
3.5. Sequence Group: (Rule1 Rule2)
Elements enclosed in parentheses are treated as a single element,
whose contents are STRICTLY ORDERED. Thus,
elem (foo / bar) blat
matches (elem foo blat) or (elem bar blat), and
elem foo / bar blat
matches (elem foo) or (bar blat).
NOTE:
It is strongly advised that grouping notation be used, rather than
relying on the proper reading of "bare" alternations, when
alternatives consist of multiple rule names or literals.
Hence, it is recommended that the following form be used:
(elem foo) / (bar blat)
It will avoid misinterpretation by casual readers.
The sequence group notation is also used within free text to set off
an element sequence from the prose.
3.6. Variable Repetition: *Rule
The operator "*" preceding an element indicates repetition. The full
form is:
<a>*<b>element
where <a> and <b> are optional decimal values, indicating at least
<a> and at most <b> occurrences of the element.
Default values are 0 and infinity so that *<element> allows any
number, including zero; 1*<element> requires at least one;
3*3<element> allows exactly 3 and 1*2<element> allows one or two.
Crocker & Overell Standards Track [Page 8]
RFC 4234 ABNF October 2005
3.7. Specific Repetition: nRule
A rule of the form:
<n>element
is equivalent to
<n>*<n>element
That is, exactly <n> occurrences of <element>. Thus, 2DIGIT is a 2-
digit number, and 3ALPHA is a string of three alphabetic characters.
3.8. Optional Sequence: [RULE]
Square brackets enclose an optional element sequence:
[foo bar]
is equivalent to
*1(foo bar).
3.9. Comment: ; Comment
A semi-colon starts a comment that continues to the end of line.
This is a simple way of including useful notes in parallel with the
specifications.
3.10. Operator Precedence
The various mechanisms described above have the following precedence,
from highest (binding tightest) at the top, to lowest (loosest) at
the bottom:
Strings, Names formation
Comment
Value range
Repetition
Grouping, Optional
Concatenation
Alternative
Crocker & Overell Standards Track [Page 9]
RFC 4234 ABNF October 2005
Use of the alternative operator, freely mixed with concatenations,
can be confusing.
Again, it is recommended that the grouping operator be used to
make explicit concatenation groups.
4. ABNF DEFINITION OF ABNF
NOTES:
1. This syntax requires a formatting of rules that is relatively
strict. Hence, the version of a ruleset included in a
specification might need preprocessing to ensure that it can be
interpreted by an ABNF parser.
2. This syntax uses the rules provided in Appendix B (Core).
rulelist = 1*( rule / (*c-wsp c-nl) )
rule = rulename defined-as elements c-nl
; continues if next line starts
; with white space
rulename = ALPHA *(ALPHA / DIGIT / "-")
defined-as = *c-wsp ("=" / "=/") *c-wsp
; basic rules definition and
; incremental alternatives
elements = alternation *c-wsp
c-wsp = WSP / (c-nl WSP)
c-nl = comment / CRLF
; comment or newline
comment = ";" *(WSP / VCHAR) CRLF
alternation = concatenation
*(*c-wsp "/" *c-wsp concatenation)
concatenation = repetition *(1*c-wsp repetition)
repetition = [repeat] element
repeat = 1*DIGIT / (*DIGIT "*" *DIGIT)
Crocker & Overell Standards Track [Page 10]
RFC 4234 ABNF October 2005
element = rulename / group / option /
char-val / num-val / prose-val
group = "(" *c-wsp alternation *c-wsp ")"
option = "[" *c-wsp alternation *c-wsp "]"
char-val = DQUOTE *(%x20-21 / %x23-7E) DQUOTE
; quoted string of SP and VCHAR
; without DQUOTE
num-val = "%" (bin-val / dec-val / hex-val)
bin-val = "b" 1*BIT
[ 1*("." 1*BIT) / ("-" 1*BIT) ]
; series of concatenated bit values
; or single ONEOF range
dec-val = "d" 1*DIGIT
[ 1*("." 1*DIGIT) / ("-" 1*DIGIT) ]
hex-val = "x" 1*HEXDIG
[ 1*("." 1*HEXDIG) / ("-" 1*HEXDIG) ]
prose-val = "<" *(%x20-3D / %x3F-7E) ">"
; bracketed string of SP and VCHAR
; without angles
; prose description, to be used as
; last resort
5. SECURITY CONSIDERATIONS
Security is truly believed to be irrelevant to this document.
6. References
6.1. Normative References
[US-ASCII] American National Standards Institute, "Coded Character
Set -- 7-bit American Standard Code for Information
Interchange", ANSI X3.4, 1986.
6.2. Informative References
[RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
Crocker & Overell Standards Track [Page 11]
RFC 4234 ABNF October 2005
[RFC733] Crocker, D., Vittal, J., Pogran, K., and D. Henderson,
"Standard for the format of ARPA network text messages",
RFC 733, November 1977.
[RFC822] Crocker, D., "Standard for the format of ARPA Internet
text messages", STD 11, RFC 822, August 1982.
Crocker & Overell Standards Track [Page 12]
RFC 4234 ABNF October 2005
Appendix A. ACKNOWLEDGEMENTS
The syntax for ABNF was originally specified in RFC 733. Ken L.
Harrenstien, of SRI International, was responsible for re-coding the
BNF into an augmented BNF that makes the representation smaller and
easier to understand.
This recent project began as a simple effort to cull out the portion
of RFC 822 that has been repeatedly cited by non-email specification
writers, namely the description of augmented BNF. Rather than simply
and blindly converting the existing text into a separate document,
the working group chose to give careful consideration to the
deficiencies, as well as benefits, of the existing specification and
related specifications made available over the last 15 years, and
therefore to pursue enhancement. This turned the project into
something rather more ambitious than was first intended.
Interestingly, the result is not massively different from that
original, although decisions, such as removing the list notation,
came as a surprise.
This "separated" version of the specification was part of the DRUMS
working group, with significant contributions from Jerome Abela,
Harald Alvestrand, Robert Elz, Roger Fajman, Aviva Garrett, Tom
Harsch, Dan Kohn, Bill McQuillan, Keith Moore, Chris Newman, Pete
Resnick, and Henning Schulzrinne.
Julian Reschke warrants a special thanks for converting the Draft
Standard version to XML source form.
Appendix B. APPENDIX - CORE ABNF OF ABNF
This Appendix is provided as a convenient core for specific grammars.
The definitions may be used as a core set of rules.
B.1. Core Rules
Certain basic rules are in uppercase, such as SP, HTAB, CRLF, DIGIT,
ALPHA, etc.
ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
BIT = "0" / "1"
CHAR = %x01-7F
; any 7-bit US-ASCII character,
; excluding NUL
Crocker & Overell Standards Track [Page 13]
RFC 4234 ABNF October 2005
CR = %x0D
; carriage return
CRLF = CR LF
; Internet standard newline
CTL = %x00-1F / %x7F
; controls
DIGIT = %x30-39
; 0-9
DQUOTE = %x22
; " (Double Quote)
HEXDIG = DIGIT / "A" / "B" / "C" / "D" / "E" / "F"
HTAB = %x09
; horizontal tab
LF = %x0A
; linefeed
LWSP = *(WSP / CRLF WSP)
; linear white space (past newline)
OCTET = %x00-FF
; 8 bits of data
SP = %x20
VCHAR = %x21-7E
; visible (printing) characters
WSP = SP / HTAB
; white space
B.2. Common Encoding
Externally, data are represented as "network virtual ASCII" (namely,
7-bit US-ASCII in an 8-bit field), with the high (8th) bit set to
zero. A string of values is in "network byte order", in which the
higher-valued bytes are represented on the left-hand side and are
sent over the network first.
Crocker & Overell Standards Track [Page 14]
RFC 4234 ABNF October 2005
Authors' Addresses
Dave Crocker (editor)
Brandenburg InternetWorking
675 Spruce Dr.
Sunnyvale, CA 94086
US
Phone: +1.408.246.8253
EMail: dcrocker@bbiw.net
Paul Overell
THUS plc.
1/2 Berkeley Square
99 Berkeley Street
Glasgow
G3 7HR
UK
EMail: paul.overell@thus.net
Crocker & Overell Standards Track [Page 15]
RFC 4234 ABNF October 2005
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Crocker & Overell Standards Track [Page 16]
Diferenças do arquivo suprimidas por serem muito extensas Carregar Diff
+504
Ver Arquivo
@@ -0,0 +1,504 @@
/*
* "$Id$"
*
* RFC file to HTML conversion program.
*
* Copyright 2007-2011 by Apple Inc.
* Copyright 2006 by Easy Software Products.
*
* These coded instructions, statements, and computer programs are the
* property of Apple Inc. and are protected by Federal copyright
* law. Distribution and use rights are outlined in the file "LICENSE.txt"
* which should have been included with this file. If this file is
* file is missing or damaged, see the license at "http://www.cups.org/".
*
* Contents:
*
* main() - Convert a man page to HTML.
* put_entity() - Put a single character, using entities as needed.
* put_line() - Put a whole string for a line.
*/
/*
* Include necessary headers.
*/
#include <cups/string-private.h>
#include <stdlib.h>
#include <cups/file.h>
/*
* Local functions...
*/
void put_entity(cups_file_t *fp, int ch);
void put_line(cups_file_t *fp, const char *line);
/*
* 'main()' - Convert a man page to HTML.
*/
int /* O - Exit status */
main(int argc, /* I - Number of command-line args */
char *argv[]) /* I - Command-line arguments */
{
cups_file_t *infile, /* Input file */
*outfile; /* Output file */
char line[1024], /* Line from file */
*lineptr, /* Pointer into line */
title[2048], /* Title string */
*titleptr, /* Pointer into title */
name[1024], /* Heading anchor name */
*nameptr; /* Pointer into anchor name */
int rfc, /* RFC # */
inheading, /* Inside a heading? */
inpre, /* Inside preformatted text? */
intoc, /* Inside table-of-contents? */
toclevel, /* Current table-of-contents level */
linenum; /* Current line on page */
/*
* Check arguments...
*/
if (argc > 3)
{
fputs("Usage: rfctohtml [rfcNNNN.txt [rfcNNNN.html]]\n", stderr);
return (1);
}
/*
* Open files as needed...
*/
if (argc > 1)
{
if ((infile = cupsFileOpen(argv[1], "r")) == NULL)
{
perror(argv[1]);
return (1);
}
}
else
infile = cupsFileOpenFd(0, "r");
if (argc > 2)
{
if ((outfile = cupsFileOpen(argv[2], "w")) == NULL)
{
perror(argv[2]);
cupsFileClose(infile);
return (1);
}
}
else
outfile = cupsFileOpenFd(1, "w");
/*
* Read from input and write the output...
*/
cupsFilePuts(outfile,
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" "
"\"http://www.w3.org/TR/html4/loose.dtd\">\n"
"<html>\n"
"<!-- SECTION: Specifications -->\n"
"<head>\n"
"\t<link rel=\"stylesheet\" type=\"text/css\" "
"href=\"../cups-printable.css\">\n");
/*
* Skip the initial header stuff (working group ID, RFC #, authors, and
* copyright...
*/
linenum = 0;
rfc = 0;
while (cupsFileGets(infile, line, sizeof(line)))
{
linenum ++;
if (line[0])
break;
}
while (cupsFileGets(infile, line, sizeof(line)))
{
linenum ++;
if (!line[0])
break;
else if (!_cups_strncasecmp(line, "Request for Comments:", 21))
rfc = atoi(line + 21);
}
/*
* Read the document title...
*/
while (cupsFileGets(infile, line, sizeof(line)))
{
linenum ++;
if (line[0])
break;
}
for (lineptr = line; isspace(*lineptr & 255); lineptr ++);
snprintf(title, sizeof(title), "RFC %d: %s", rfc, lineptr);
titleptr = title + strlen(title);
while (cupsFileGets(infile, line, sizeof(line)))
{
linenum ++;
if (!line[0])
break;
else
{
for (lineptr = line; isspace(*lineptr & 255); lineptr ++);
snprintf(titleptr, sizeof(title) - (titleptr - title), " %s", lineptr);
titleptr += strlen(titleptr);
}
}
cupsFilePrintf(outfile, "\t<title>%s</title>\n"
"</head>\n"
"<body>\n"
"<h1 class='title'>%s</h1>\n", title, title);
/*
* Read the rest of the file...
*/
inheading = 0;
inpre = 0;
intoc = 0;
toclevel = 0;
while (cupsFileGets(infile, line, sizeof(line)))
{
linenum ++;
if (!line[0])
{
if (linenum > 50)
continue;
if (inpre)
{
cupsFilePuts(outfile, "</pre>\n");
inpre = 0;
}
if (inheading)
{
if (inheading < 0)
cupsFilePuts(outfile, "</h2>\n");
else
cupsFilePrintf(outfile, "</a></h%d>\n", inheading);
inheading = 0;
}
}
else if ((line[0] == ' ' ||
(!isupper(line[0] & 255) && !isdigit(line[0] & 255) &&
!strstr(line, "[Page "))) && !inheading)
{
if (inheading)
{
if (inheading < 0)
cupsFilePuts(outfile, "</h2>\n");
else
cupsFilePrintf(outfile, "</a></h%d>\n", inheading);
inheading = 0;
}
for (lineptr = line; *lineptr == ' '; lineptr ++);
if (intoc)
{
char *temp; /* Temporary pointer into line */
int level; /* Heading level */
if (isdigit(*lineptr & 255))
{
strlcpy(name, lineptr, sizeof(name));
for (nameptr = name, level = -1; *nameptr;)
if (isdigit(*nameptr & 255))
{
while (isdigit(*nameptr & 255))
nameptr ++;
level ++;
}
else if (*nameptr == ' ')
{
*nameptr = '\0';
break;
}
else
nameptr ++;
while (toclevel > level)
{
cupsFilePuts(outfile, "\n</ul>");
toclevel --;
}
while (toclevel < level)
{
cupsFilePuts(outfile, "\n<ul style=\"list-style-type: none;\">\n");
toclevel ++;
}
cupsFilePrintf(outfile, "\n<%s><a href=\"#s%s\">", toclevel ? "li" : "p",
name);
}
temp = lineptr + strlen(lineptr) - 1;
while (temp > lineptr)
if (*temp == ' ' || !isdigit(*temp & 255))
break;
else
temp --;
if (*temp == ' ')
{
while (temp > lineptr)
if (*temp != ' ' && *temp != '.')
break;
else
*temp-- = '\0';
}
else
temp = NULL;
if (isdigit(*lineptr & 255))
put_line(outfile, lineptr);
else
put_line(outfile, lineptr - 1);
if (temp)
cupsFilePuts(outfile, "</a>");
}
else if (!inpre)
{
cupsFilePuts(outfile, "\n<pre>");
put_line(outfile, line);
inpre = 1;
}
else
{
cupsFilePutChar(outfile, '\n');
put_line(outfile, line);
}
}
else if (strstr(line, "[Page "))
{
/*
* Skip page footer and header...
*/
cupsFileGets(infile, line, sizeof(line));
cupsFileGets(infile, line, sizeof(line));
cupsFileGets(infile, line, sizeof(line));
cupsFileGets(infile, line, sizeof(line));
linenum = 3;
}
else if (isdigit(line[0] & 255) && !inheading)
{
int level; /* Heading level */
if (intoc)
{
while (toclevel > 0)
{
cupsFilePuts(outfile, "\n</ul>");
toclevel --;
}
cupsFilePutChar(outfile, '\n');
intoc = 0;
}
if (inpre)
{
cupsFilePuts(outfile, "</pre>\n");
inpre = 0;
}
strlcpy(name, line, sizeof(name));
for (nameptr = name, level = 1; *nameptr;)
if (isdigit(*nameptr & 255))
{
while (isdigit(*nameptr & 255))
nameptr ++;
level ++;
}
else if (*nameptr == ' ')
{
*nameptr = '\0';
break;
}
else
nameptr ++;
cupsFilePrintf(outfile, "\n<h%d class='title'><a name='s%s'>", level,
name);
put_line(outfile, line);
intoc = 0;
inheading = level;
}
else
{
if (intoc)
{
while (toclevel > 0)
{
cupsFilePuts(outfile, "\n</ul>");
toclevel --;
}
cupsFilePutChar(outfile, '\n');
intoc = 0;
}
if (!inheading)
{
cupsFilePuts(outfile, "\n<h2 class='title'>");
inheading = -1;
}
put_line(outfile, line);
intoc = !_cups_strcasecmp(line, "Table of Contents");
toclevel = 0;
}
}
if (inpre)
cupsFilePuts(outfile, "</pre>\n");
if (inheading)
{
if (inheading < 0)
cupsFilePuts(outfile, "</h2>\n");
else
cupsFilePrintf(outfile, "</a></h%d>\n", inheading);
}
cupsFilePuts(outfile, "</body>\n"
"</html>\n");
/*
* Close files...
*/
cupsFileClose(infile);
cupsFileClose(outfile);
/*
* Return with no errors...
*/
return (0);
}
/*
* 'put_entity()' - Put a single character, using entities as needed.
*/
void
put_entity(cups_file_t *fp, /* I - File */
int ch) /* I - Character */
{
if (ch == '&')
cupsFilePuts(fp, "&amp;");
else if (ch == '<')
cupsFilePuts(fp, "&lt;");
else
cupsFilePutChar(fp, ch);
}
/*
* 'put_line()' - Put a whole string for a line.
*/
void
put_line(cups_file_t *fp, /* I - File */
const char *s) /* I - String */
{
int whitespace, /* Saw whitespace */
i, /* Looping var */
len; /* Length of keyword */
static const char * const keywords[] =/* Special keywords to boldface */
{
"MAY",
"MUST",
"NEED",
"NOT",
"OPTIONAL",
"OPTIONALLY",
"RECOMMENDED",
"REQUIRED",
"SHALL",
"SHOULD"
};
whitespace = 1;
while (*s)
{
if (*s == ' ')
whitespace = 1;
if (whitespace && isupper(*s & 255))
{
whitespace = 0;
for (i = 0; i < (int)(sizeof(keywords) / sizeof(sizeof(keywords[0]))); i ++)
{
len = strlen(keywords[i]);
if (!strncmp(s, keywords[i], len) &&
(isspace(s[len] & 255) || ispunct(s[len] & 255) || !*s))
{
cupsFilePrintf(fp, "<b>%s</b>", keywords[i]);
s += len;
break;
}
}
if (i >= (int)(sizeof(keywords) / sizeof(sizeof(keywords[0]))))
put_entity(fp, *s++);
}
else
{
if (*s != ' ')
whitespace = 0;
put_entity(fp, *s++);
}
}
}
/*
* End of "$Id$".
*/
Arquivo binário não exibido.
Arquivo binário não exibido.
+14 -18
Ver Arquivo
@@ -1,9 +1,9 @@
#
# "$Id: ipp-1.1.test 9830 2011-06-14 21:11:17Z mike $"
# "$Id: ipp-1.1.test 9405 2010-12-08 07:13:22Z mike $"
#
# IPP/1.1 test suite.
#
# Copyright 2007-2011 by Apple Inc.
# Copyright 2007-2010 by Apple Inc.
# Copyright 2001-2006 by Easy Software Products. All rights reserved.
#
# These coded instructions, statements, and computer programs are the
@@ -17,10 +17,6 @@
# ./ipptool -f filename -t printer-uri ipp-1.1.test
#
# Regular expression for IPP URI schemes
# Matches strings beginning with ipp:// or ipps://
DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
# Test that a request-id value of 0 is not accepted.
#
# Required by: RFC 2911 section 3.1.1
@@ -91,7 +87,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
ATTR uri printer-uri $uri
STATUS successful-ok
EXPECT printer-uri-supported OF-TYPE uri WITH-VALUE "$IPP_URI_SCHEME"
EXPECT printer-uri-supported OF-TYPE uri
}
@@ -148,7 +144,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
STATUS successful-ok
STATUS client-error-document-format-not-supported
EXPECT job-uri OF-TYPE uri COUNT 1 IN-GROUP job-attributes-tag WITH-VALUE "$IPP_URI_SCHEME"
EXPECT job-uri OF-TYPE uri COUNT 1 IN-GROUP job-attributes-tag
EXPECT job-id OF-TYPE integer COUNT 1 IN-GROUP job-attributes-tag
WITH-VALUE >0
EXPECT job-state OF-TYPE enum COUNT 1 IN-GROUP job-attributes-tag
@@ -241,7 +237,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
EXPECT printer-state OF-TYPE enum IN-GROUP printer-attributes-tag COUNT 1 WITH-VALUE 3,4,5
EXPECT printer-state-reasons OF-TYPE keyword IN-GROUP printer-attributes-tag
EXPECT printer-up-time OF-TYPE integer IN-GROUP printer-attributes-tag COUNT 1 WITH-VALUE >0
EXPECT printer-uri-supported OF-TYPE uri IN-GROUP printer-attributes-tag SAME-COUNT-AS uri-security-supported WITH-VALUE "$IPP_URI_SCHEME"
EXPECT printer-uri-supported OF-TYPE uri IN-GROUP printer-attributes-tag SAME-COUNT-AS uri-security-supported
EXPECT queued-job-count OF-TYPE integer IN-GROUP printer-attributes-tag COUNT 1
EXPECT uri-authentication-supported OF-TYPE keyword IN-GROUP printer-attributes-tag
EXPECT uri-security-supported OF-TYPE keyword IN-GROUP printer-attributes-tag SAME-COUNT-AS uri-authentication-supported
@@ -264,7 +260,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
STATUS successful-ok
EXPECT printer-uri-supported OF-TYPE uri IN-GROUP printer-attributes-tag WITH-VALUE "$IPP_URI_SCHEME"
EXPECT printer-uri-supported OF-TYPE uri IN-GROUP printer-attributes-tag
EXPECT !printer-name
}
@@ -283,7 +279,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
STATUS successful-ok
EXPECT job-id OF-TYPE integer IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE >0
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE "$IPP_URI_SCHEME"
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1
EXPECT !job-printer-uri
EXPECT !job-more-info
EXPECT !job-name
@@ -341,7 +337,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
STATUS successful-ok
EXPECT job-id OF-TYPE integer IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE >0
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE "$IPP_URI_SCHEME"
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1
EXPECT job-printer-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1
EXPECT ?job-more-info OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1
EXPECT job-name OF-TYPE name IN-GROUP job-attributes-tag COUNT 1
@@ -399,7 +395,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
STATUS successful-ok
EXPECT job-id OF-TYPE integer IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE >0
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE "$IPP_URI_SCHEME"
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1
EXPECT !job-printer-uri
EXPECT !job-more-info
EXPECT !job-name
@@ -519,7 +515,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
STATUS successful-ok
EXPECT job-id OF-TYPE integer IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE >0
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE "$IPP_URI_SCHEME"
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1
EXPECT !job-printer-uri
EXPECT !job-more-info
EXPECT !job-name
@@ -579,7 +575,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
STATUS successful-ok
EXPECT job-id OF-TYPE integer IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE >0
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE "$IPP_URI_SCHEME"
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1
EXPECT !job-printer-uri
EXPECT !job-more-info
EXPECT !job-name
@@ -659,7 +655,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
STATUS successful-ok
STATUS client-error-document-format-not-supported
EXPECT job-uri OF-TYPE uri COUNT 1 IN-GROUP job-attributes-tag WITH-VALUE "$IPP_URI_SCHEME"
EXPECT job-uri OF-TYPE uri COUNT 1 IN-GROUP job-attributes-tag
EXPECT job-id OF-TYPE integer COUNT 1 IN-GROUP job-attributes-tag
WITH-VALUE >0
EXPECT job-state OF-TYPE enum COUNT 1 IN-GROUP job-attributes-tag
@@ -704,7 +700,7 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
STATUS successful-ok
EXPECT job-id OF-TYPE integer IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE >0
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1 WITH-VALUE "$IPP_URI_SCHEME"
EXPECT job-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1
EXPECT job-printer-uri OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1
EXPECT ?job-more-info OF-TYPE uri IN-GROUP job-attributes-tag COUNT 1
EXPECT job-name OF-TYPE name IN-GROUP job-attributes-tag COUNT 1
@@ -748,5 +744,5 @@ DEFINE IPP_URI_SCHEME "/^ipps?://.+$$/"
#
# End of "$Id: ipp-1.1.test 9830 2011-06-14 21:11:17Z mike $".
# End of "$Id: ipp-1.1.test 9405 2010-12-08 07:13:22Z mike $".
#
+2 -2
Ver Arquivo
@@ -2569,11 +2569,11 @@ do_tests(_cups_vars_t *vars, /* I - Variables */
puts("</array>");
}
skip_error:
if (Output == _CUPS_OUTPUT_PLIST)
puts("</dict>");
skip_error:
ippDelete(response);
response = NULL;
+3 -2
Ver Arquivo
@@ -1,6 +1,6 @@
#!/bin/sh
#
# "$Id: makesrcdist 9852 2011-07-06 20:14:24Z mike $"
# "$Id: makesrcdist 9086 2010-04-07 18:46:04Z mike $"
#
# makesrcdist - make a source distribution of CUPS.
#
@@ -54,6 +54,7 @@ cd ..
echo Configuring...
autoconf -f
rm -rf autom4te*.cache
rm -rf standards
rm -rf tools
cd ..
@@ -86,5 +87,5 @@ rm -rf cups-$version
echo "Done!"
#
# End of "$Id: makesrcdist 9852 2011-07-06 20:14:24Z mike $".
# End of "$Id: makesrcdist 9086 2010-04-07 18:46:04Z mike $".
#