RFC 8010
Internet Printing Protocol/1.1: Encoding and Transport
3.4. Required Parameters
Some operation elements are called parameters in the Model. They MUST be encoded in a special position and they MUST NOT appear as operation attributes. These parameters are described in the subsections below.3.4.1. "version-number"
The "version-number" field consists of a major and minor version- number, each of which is represented by a SIGNED-BYTE. The major version-number is the first byte of the encoding and the minor version-number is the second byte of the encoding. The protocol described in [RFC8011] has a major version-number of 1 (0x01) and a minor version-number of 1 (0x01). The ABNF for these two bytes is %x01.01. Note: See Section 9 for more information on the "version-number" field and IPP version numbers.3.4.2. "operation-id"
The "operation-id" field contains an operation-id value as defined in the Model. The value is encoded as a SIGNED-SHORT and is located in the third and fourth bytes of the encoding of an operation request.
3.4.3. "status-code"
The "status-code" field contains a status-code value as defined in the Model. The value is encoded as a SIGNED-SHORT and is located in the third and fourth bytes of the encoding of an operation response. If an IPP status-code is returned, then the HTTP status-code MUST be 200 (OK). With any other HTTP status-code value, the HTTP response MUST NOT contain an IPP message body, and thus no IPP status-code is returned.3.4.4. "request-id"
The "request-id" field contains the request-id value as defined in the Model. The value is encoded as a SIGNED-INTEGER and is located in the fifth through eighth bytes of the encoding.3.5. Tags
There are two kinds of tags: o delimiter tags: delimit major sections of the protocol, namely attribute groups and data o value tags: specify the type of each attribute value Tags are part of the IANA IPP registry [IANA-IPP]3.5.1. "delimiter-tag" Values
Table 2 specifies the values for the delimiter tags defined in this document. These tags are registered, along with tags defined in other documents, in the "Attribute Group Tags" registry. +-----------------+------------------------------+ | Tag Value (Hex) | Meaning | +-----------------+------------------------------+ | 0x00 | Reserved | | 0x01 | "operation-attributes-tag" | | 0x02 | "job-attributes-tag" | | 0x03 | "end-of-attributes-tag" | | 0x04 | "printer-attributes-tag" | | 0x05 | "unsupported-attributes-tag" | +-----------------+------------------------------+ Table 2: "delimiter-tag" Values
When a "begin-attribute-group-tag" field occurs in the protocol, it means that zero or more following attributes up to the next group tag are attributes belonging to the attribute group specified by the value of the "begin-attribute-group-tag". For example, if the value of "begin-attribute-group-tag" is 0x01, the following attributes are members of the Operations Attributes group. The "end-of-attributes-tag" (value 0x03) MUST occur exactly once in an operation and MUST be the last "delimiter-tag". If the operation has a document-data group, the Document data in that group follows the "end-of-attributes-tag". The order and presence of "attribute-group" fields (whose beginning is marked by the "begin-attribute-group-tag" subfield) for each operation request and each operation response MUST be that defined in the Model. A Printer MUST treat a "delimiter-tag" (values from 0x00 through 0x0f) differently from a "value-tag" (values from 0x10 through 0xff) so that the Printer knows there is an entire attribute group as opposed to a single value.3.5.2. "value-tag" Values
The remaining tables show values for the "value-tag" field, which is the first octet of an attribute. The "value-tag" field specifies the type of the value of the attribute. Table 3 specifies the "out-of-band" values for the "value-tag" field defined in this document. These tags are registered, along with tags defined in other documents, in the "Out-of-Band Attribute Value Tags" registry. +-----------------+-------------+ | Tag Value (Hex) | Meaning | +-----------------+-------------+ | 0x10 | unsupported | | 0x12 | unknown | | 0x13 | no-value | +-----------------+-------------+ Table 3: Out-of-Band Values
Table 4 specifies the integer values defined in this document for the "value-tag" field; they are registered in the "Attribute Syntaxes" registry. +----------------+--------------------------------------------------+ | Tag Value | Meaning | | (Hex) | | +----------------+--------------------------------------------------+ | 0x20 | Unassigned integer data type (see IANA IPP | | | registry) | | 0x21 | integer | | 0x22 | boolean | | 0x23 | enum | | 0x24-0x2f | Unassigned integer data types (see IANA IPP | | | registry) | +----------------+--------------------------------------------------+ Table 4: Integer Tags Table 5 specifies the octetString values defined in this document for the "value-tag" field; they are registered in the "Attribute Syntaxes" registry. +---------------+---------------------------------------------------+ | Tag Value | Meaning | | (Hex) | | +---------------+---------------------------------------------------+ | 0x30 | octetString with an unspecified format | | 0x31 | dateTime | | 0x32 | resolution | | 0x33 | rangeOfInteger | | 0x34 | begCollection | | 0x35 | textWithLanguage | | 0x36 | nameWithLanguage | | 0x37 | endCollection | | 0x38-0x3f | Unassigned octetString data types (see IANA IPP | | | registry) | +---------------+---------------------------------------------------+ Table 5: octetString Tags
Table 6 specifies the character-string values defined in this document for the "value-tag" field; they are registered in the "Attribute Syntaxes" registry. +---------------+---------------------------------------------------+ | Tag Value | Meaning | | (Hex) | | +---------------+---------------------------------------------------+ | 0x40 | Unassigned character-string data type (see IANA | | | IPP registry) | | 0x41 | textWithoutLanguage | | 0x42 | nameWithoutLanguage | | 0x43 | Unassigned character-string data type (see IANA | | | IPP registry) | | 0x44 | keyword | | 0x45 | uri | | 0x46 | uriScheme | | 0x47 | charset | | 0x48 | naturalLanguage | | 0x49 | mimeMediaType | | 0x4a | memberAttrName | | 0x4b-0x5f | Unassigned character-string data types (see IANA | | | IPP registry) | +---------------+---------------------------------------------------+ Table 6: String Tags Note: An attribute value always has a type, which is explicitly specified by its tag; one such tag value is "nameWithoutLanguage". An attribute's name has an implicit type, which is keyword. The values 0x60-0xff are reserved for future type definitions in Standards Track documents. The tag 0x7f is reserved for extending types beyond the 255 values available with a single byte. A tag value of 0x7f MUST signify that the first four bytes of the value field are interpreted as the tag value. Note this future extension doesn't affect parsers that are unaware of this special tag. The tag is like any other unknown tag, and the value length specifies the length of a value, which contains a value that the parser treats atomically. Values from 0x00000000 to 0x3fffffff are reserved for definition in future Standards Track documents. The values 0x40000000 to 0x7fffffff are reserved for vendor extensions.
3.6. "name-length"
The "name-length" field consists of a SIGNED-SHORT and specifies the number of octets in the immediately following "name" field. The value of this field excludes the two bytes of the "name-length" field. For example, if the "name" field contains 'sides', the value of this field is 5. If a "name-length" field has a value of zero, the following "name" field is empty and the following value is treated as an additional value for the attribute encoded in the nearest preceding "attribute- with-one-value" field. Within an attribute group, if two or more attributes have the same name, the attribute group is malformed (see [RFC8011]). The zero-length name is the only mechanism for multi- valued attributes.3.7. (Attribute) "name"
The "name" field contains the name of an attribute. The Model specifies such names.3.8. "value-length"
The "value-length" field consists of a SIGNED-SHORT, which specifies the number of octets in the immediately following "value" field. The value of this field excludes the two bytes of the "value-length" field. For example, if the "value" field contains the keyword (string) value 'one-sided', the value of this field is 9. For any of the types represented by binary signed integers, the sender MUST encode the value in exactly four octets. For any of the types represented by binary signed bytes, e.g., the boolean type, the sender MUST encode the value in exactly one octet. For any of the types represented by character strings, the sender MUST encode the value with all the characters of the string and without any padding characters. For "out-of-band" values for the "value-tag" field defined in this document, such as 'unsupported', the "value-length" MUST be 0 and the "value" empty; the "value" has no meaning when the "value-tag" has one of these "out-of-band" values. For future "out-of-band" "value- tag" fields, the same rule holds unless the definition explicitly states that the "value-length" MAY be non-zero and the "value" non- empty
3.9. (Attribute) "value"
The syntax types (specified by the "value-tag" field) and most of the details of the representation of attribute values are defined in the Model. Table 7 augments the information in the Model and defines the syntax types from the Model in terms of the five basic types defined in Section 3. The five types are US-ASCII-STRING, LOCALIZED-STRING, SIGNED-INTEGER, SIGNED-SHORT, SIGNED-BYTE, and OCTET-STRING. +----------------------+--------------------------------------------+ | Syntax of Attribute | Encoding | | Value | | +----------------------+--------------------------------------------+ | textWithoutLanguage, | LOCALIZED-STRING | | nameWithoutLanguage | | +----------------------+--------------------------------------------+ | textWithLanguage | OCTET-STRING consisting of four fields: a | | | SIGNED-SHORT, which is the number of | | | octets in the following field; a value of | | | type natural-language; a SIGNED-SHORT, | | | which is the number of octets in the | | | following field; and a value of type | | | textWithoutLanguage. The length of a | | | textWithLanguage value MUST be 4 + the | | | value of field a + the value of field c. | +----------------------+--------------------------------------------+ | nameWithLanguage | OCTET-STRING consisting of four fields: a | | | SIGNED-SHORT, which is the number of | | | octets in the following field; a value of | | | type natural-language; a SIGNED-SHORT, | | | which is the number of octets in the | | | following field; and a value of type | | | nameWithoutLanguage. The length of a | | | nameWithLanguage value MUST be 4 + the | | | value of field a + the value of field c. | +----------------------+--------------------------------------------+ | charset, | US-ASCII-STRING | | naturalLanguage, | | | mimeMediaType, | | | keyword, uri, and | | | uriScheme | | +----------------------+--------------------------------------------+ | boolean | SIGNED-BYTE where 0x00 is 'false' and 0x01 | | | is 'true' | +----------------------+--------------------------------------------+ | integer and enum | a SIGNED-INTEGER |
+----------------------+--------------------------------------------+ | dateTime | OCTET-STRING consisting of eleven octets | | | whose contents are defined by | | | "DateAndTime" in RFC 2579 [RFC2579] | +----------------------+--------------------------------------------+ | resolution | OCTET-STRING consisting of nine octets of | | | two SIGNED-INTEGERs followed by a SIGNED- | | | BYTE. The first SIGNED-INTEGER contains | | | the value of cross-feed direction | | | resolution. The second SIGNED-INTEGER | | | contains the value of feed direction | | | resolution. The SIGNED-BYTE contains the | | | units value. | +----------------------+--------------------------------------------+ | rangeOfInteger | Eight octets consisting of two SIGNED- | | | INTEGERs. The first SIGNED-INTEGER | | | contains the lower bound and the second | | | SIGNED-INTEGER contains the upper bound. | +----------------------+--------------------------------------------+ | 1setOf X | Encoding according to the rules for an | | | attribute with more than one value. Each | | | value X is encoded according to the rules | | | for encoding its type. | +----------------------+--------------------------------------------+ | octetString | OCTET-STRING | +----------------------+--------------------------------------------+ | collection | Encoding as defined in Section 3.1.6. | +----------------------+--------------------------------------------+ Table 7: Attribute Value Encoding The attribute syntax type of the value determines its encoding and the value of its "value-tag".3.10. Data
The "data" field MUST include any data required by the operation.
4. Encoding of Transport Layer
HTTP/1.1 [RFC7230] is the REQUIRED transport layer for this protocol. HTTP/2 [RFC7540] is an OPTIONAL transport layer for this protocol. The operation layer has been designed with the assumption that the transport layer contains the following information: o the target URI for the operation; and o the total length of the data in the operation layer, either as a single length or as a sequence of chunks each with a length. Printer implementations MUST support HTTP over the IANA-assigned well-known port 631 (the IPP default port), although a Printer implementation can support HTTP over some other port as well. Each HTTP operation MUST use the POST method where the request-target is the object target of the operation and where the "Content-Type" of the message body in each request and response MUST be "application/ ipp". The message body MUST contain the operation layer and MUST have the syntax described in Section 3.2, "Syntax of Encoding". A Client implementation MUST adhere to the rules for a Client described for HTTP [RFC7230]. A Printer (server) implementation MUST adhere to the rules for an origin server described for HTTP [RFC7230]. An IPP server sends a response for each request that it receives. If an IPP server detects an error, it MAY send a response before it has read the entire request. If the HTTP layer of the IPP server completes processing the HTTP headers successfully, it MAY send an intermediate response, such as "100 Continue", with no IPP data before sending the IPP response. A Client MUST expect such a variety of responses from an IPP server. For further information on HTTP, consult the HTTP documents [RFC7230]. An HTTP/1.1 server MUST support chunking for IPP requests, and an IPP Client MUST support chunking for IPP responses according to HTTP/1.1 [RFC7230].4.1. Printer URI, Job URI, and Job ID
All Printer and Job objects are identified by a Uniform Resource Identifier (URI) [RFC3986] so that they can be persistently and unambiguously referenced. Jobs can also be identified by a combination of Printer URI and Job ID.
Some operation elements are encoded twice, once as the request-target
on the HTTP request-line and a second time as a REQUIRED operation
attribute in the application/ipp entity. These attributes are the
target for the operation and are called "printer-uri" and "job-uri".
Note: The target URI is included twice in an operation referencing
the same IPP object, but the two URIs can be different. For example,
the HTTP request-target can be relative while the IPP request URI is
absolute.
HTTP allows Clients to generate and send a relative URI rather than
an absolute URI. A relative URI identifies a resource with the scope
of the HTTP server but does not include scheme, host, or port. The
following statements characterize how URIs are used in the mapping of
IPP onto HTTP:
1. Although potentially redundant, a Client MUST supply the target
of the operation both as an operation attribute and as a URI at
the HTTP layer. The rationale for this decision is to maintain a
consistent set of rules for mapping "application/ipp" to possibly
many communication layers, even where URIs are not used as the
addressing mechanism in the transport layer.
2. Even though these two URIs might not be literally identical (one
being relative and the other being absolute), they MUST both
reference the same IPP object.
3. The URI in the HTTP layer is either relative or absolute and is
used by the HTTP server to route the HTTP request to the correct
resource relative to that HTTP server.
4. Once the HTTP server resource begins to process the HTTP request,
it can get the reference to the appropriate IPP Printer object
from either the HTTP URI (using to the context of the HTTP server
for relative URIs) or from the URI within the operation request;
the choice is up to the implementation.
5. HTTP URIs can be relative or absolute, but the target URI in the
IPP operation attribute MUST be an absolute URI.
5. IPP URI Schemes
The IPP URI schemes are 'ipp' [RFC3510] and 'ipps' [RFC7472]. Clients and Printers MUST support the ipp-URI value in the following IPP attributes: o Job attributes: * job-uri * job-printer-uri o Printer attributes: * printer-uri-supported o Operation attributes: * job-uri * printer-uri Each of the above attributes identifies a Printer or Job. The ipp-URI and ipps-URI are intended as the value of the attributes in this list. All of these attributes have a syntax type of 'uri', but there are attributes with a syntax type of 'uri' that do not use the 'ipp' scheme, e.g., "job-more-info". If a Printer registers its URI with a directory service, the Printer MUST register an ipp-URI or ipps-URI. When a Client sends a request, it MUST convert a target ipp-URI to a target http-URL (or ipps-URI to a target https-URI) for the HTTP layer according to the following steps: 1. change the 'ipp' scheme to 'http' or 'ipps' scheme to 'https'; and 2. add an explicit port 631 if the ipp-URL or ipps-URL does not contain an explicit port. Note that port 631 is the IANA- assigned well-known port for the 'ipp' and 'ipps' schemes. The Client MUST use the target http-URL or https-URL in both the HTTP request-line and HTTP headers, as specified by HTTP [RFC7230]. However, the Client MUST use the target ipp-URI or ipps-URI for the value of the "printer-uri" or "job-uri" operation attribute within the application/ipp body of the request. The server MUST use the
ipp-URI or ipps-URI for the value of the "printer-uri", "job-uri", or "printer-uri-supported" attributes within the application/ipp body of the response. For example, when an IPP Client sends a request directly, i.e., no proxy, to an ipp-URI "ipp://printer.example.com/ipp/print/myqueue", it opens a TCP connection to port 631 (the IPP implicit port) on the host "printer.example.com" and sends the following data: POST /ipp/print/myqueue HTTP/1.1 Host: printer.example.com:631 Content-type: application/ipp Transfer-Encoding: chunked ... "printer-uri" 'ipp://printer.example.com/ipp/print/myqueue' (encoded in application/ipp message body) ... Figure 11: Direct IPP Request As another example, when an IPP Client sends the same request as above via a proxy "myproxy.example.com", it opens a TCP connection to the proxy port 8080 on the proxy host "myproxy.example.com" and sends the following data: POST http://printer.example.com:631/ipp/print/myqueue HTTP/1.1 Host: printer.example.com:631 Content-type: application/ipp Transfer-Encoding: chunked ... "printer-uri" 'ipp://printer.example.com/ipp/print/myqueue' (encoded in application/ipp message body) ... Figure 12: Proxied IPP Request The proxy then connects to the IPP origin server with headers that are the same as the "no-proxy" example above.6. IANA Considerations
The IANA-PRINTER-MIB [RFC3805] has been updated to reference this document; the current version is available from <http://www.iana.org>. See the IANA Considerations in the document "Internet Printing Protocol/1.1: Model and Semantics" [RFC8011] for information on IANA considerations for IPP extensions. IANA has updated the existing
'application/ipp' media type registration (whose contents are defined in Section 3 "Encoding of the Operation Layer") with the following information. Type name: application Subtype name: ipp Required parameters: N/A Optional parameters: N/A Encoding considerations: IPP requests/responses MAY contain long lines and ALWAYS contain binary data (for example, attribute value lengths). Security considerations: IPP requests/responses do not introduce any security risks not already inherent in the underlying transport protocols. Protocol mixed-version interworking rules in [RFC8011] as well as protocol-encoding rules in this document are complete and unambiguous. See also the security considerations in this document and [RFC8011]. Interoperability considerations: IPP requests (generated by Clients) and responses (generated by servers) MUST comply with all conformance requirements imposed by the normative specifications [RFC8011] and this document. Protocol-encoding rules specified in RFC 8010 are comprehensive so that interoperability between conforming implementations is guaranteed (although support for specific optional features is not ensured). Both the "charset" and "natural-language" of all IPP attribute values that are a LOCALIZED-STRING are explicit within IPP requests/responses (without recourse to any external information in HTTP, SMTP, or other message transport headers). Published specifications: RFCs 8010 and 8011 Applications that use this media type: Internet Printing Protocol (IPP) print clients and print servers that communicate using HTTP/ HTTPS or other transport protocols. Messages of type "application/ ipp" are self-contained and transport independent, including "charset" and "natural-language" context for any LOCALIZED-STRING value. Fragment identifier considerations: N/A
Additional information:
Deprecated alias names for this type: N/A
Magic number(s): N/A
File extension(s): N/A
Macintosh file type code(s): N/A
Person & email address to contact for further information:
ISTO PWG IPP Workgroup <ipp@pwg.org>
Intended usage: COMMON
Restrictions on usage: N/A
Author: ISTO PWG IPP Workgroup <ipp@pwg.org>
Change controller: ISTO PWG IPP Workgroup <ipp@pwg.org>
Provisional registration? (standards tree only): No
7. Internationalization Considerations
See the section on "Internationalization Considerations" in the
document "Internet Printing Protocol/1.1: Model and Semantics"
[RFC8011] for information on internationalization. This document
adds no additional issues.
8. Security Considerations
The IPP Model and Semantics document [RFC8011] discusses high-level
security requirements (Client Authentication, Server Authentication,
and Operation Privacy). Client Authentication is the mechanism by
which the Client proves its identity to the server in a secure
manner. Server Authentication is the mechanism by which the server
proves its identity to the Client in a secure manner. Operation
Privacy is defined as a mechanism for protecting operations from
eavesdropping.
Message Integrity is addressed in the document "Internet Printing
Protocol (IPP) over HTTPS Transport Binding and the 'ipps' URI
Scheme" [RFC7472].
8.1. Security Conformance Requirements
This section defines the security requirements for IPP Clients and
IPP objects.
8.1.1. Digest Authentication
IPP Clients and Printers SHOULD support Digest Authentication [RFC7616]. Use of the Message Integrity feature (qop="auth-int") is OPTIONAL. Note: Previous versions of this specification required support for the MD5 algorithms; however, [RFC7616] makes SHA2-256 mandatory to implement and deprecates MD5, only allowing its use for backwards compatibility reasons. IPP implementations that support Digest Authentication MUST support SHA2-256 and SHOULD support MD5 for backwards compatibility. Note: The reason that IPP Clients and Printers SHOULD (rather than MUST) support Digest Authentication is that there is a certain class of Output Devices where it does not make sense. Specifically, a low- end device with limited ROM space and low paper throughput may not need Client Authentication. This class of device typically requires firmware designers to make trade-offs between protocols and functionality to arrive at the lowest-cost solution possible. Factored into the designer's decisions is not just the size of the code, but also the testing, maintenance, usefulness, and time-to- market impact for each feature delivered to the customer. Forcing such low-end devices to provide security in order to claim IPP/1.1 conformance would not make business sense. Print devices that have high-volume throughput and have available ROM space will typically provide support for Client Authentication that safeguards the device from unauthorized access because these devices are prone to a high loss of consumables and paper if unauthorized access occurs.8.1.2. Transport Layer Security (TLS)
IPP Clients and Printers SHOULD support Transport Layer Security (TLS) [RFC5246] [RFC7525] for Server Authentication and Operation Privacy. IPP Printers MAY also support TLS for Client Authentication. IPP Clients and Printers MAY support Basic Authentication [RFC7617] for User Authentication if the channel is secure, e.g., IPP over HTTPS [RFC7472]. IPP Clients and Printers SHOULD NOT support Basic Authentication over insecure channels. The IPP Model and Semantics document [RFC8011] defines two Printer attributes ("uri-authentication-supported" and "uri-security- supported") that the Client can use to discover the security policy of a Printer. That document also outlines IPP-specific security considerations and is the primary reference for security implications with regard to the IPP itself.
Note: Because previous versions of this specification did not require TLS support, this version cannot require it for IPP/1.1. However, since printing often involves a great deal of sensitive or private information (medical reports, performance reviews, banking information, etc.) and network monitoring is pervasive ([RFC7258]), implementors are strongly encouraged to include TLS support. Note: Because IPP Printers typically use self-signed X.509 certificates, IPP Clients SHOULD support Trust On First Use (defined in [RFC7435]) in addition to traditional X.509 certificate validation.8.2. Using IPP with TLS
IPP uses the "Upgrading to TLS Within HTTP/1.1" mechanism [RFC2817] for 'ipp' URIs. The Client requests a secure TLS connection by using the HTTP "Upgrade" header while the server agrees in the HTTP response. The switch to TLS occurs either because the server grants the Client's request to upgrade to TLS or a server asks to switch to TLS in its response. Secure communication begins with a server's response to switch to TLS. IPP uses the "HTTPS: HTTP over TLS" mechanism [RFC2818] for 'ipps' URIs. The Client and server negotiate a secure TLS connection immediately and unconditionally.9. Interoperability with Other IPP Versions
It is beyond the scope of this specification to mandate conformance with versions of IPP other than 1.1. IPP was deliberately designed, however, to make supporting other versions easy. IPP objects (Printers, Jobs, etc.) SHOULD: o understand any valid request whose major "version-number" is greater than 0; and o respond appropriately with a response containing the same "version-number" parameter value used by the Client in the request (if the Client-supplied "version-number" is supported) or the highest "version-number" supported by the Printer (if the Client- supplied "version-number" is not supported). IPP Clients SHOULD: o understand any valid response whose major "version-number" is greater than 0.
9.1. The "version-number" Parameter
The following are rules regarding the "version-number" parameter (see Section 3.3): 1. Clients MUST send requests containing a "version-number" parameter with the highest supported value, e.g., '1.1', '2.0', etc., and SHOULD try supplying alternate version numbers if they receive a 'server-error-version-not-supported' error return in a response. For example, if a Client sends an IPP/2.0 request that is rejected with the 'server-error-version-not-supported' error and an IPP/1.1 "version-number", it SHOULD retry by sending an IPP/1.1 request. 2. IPP objects (Printers, Jobs, etc.) MUST accept requests containing a "version-number" parameter with a '1.1' value (or reject the request for reasons other than 'server-error-version- not-supported'). 3. IPP objects SHOULD either accept requests whose major version is greater than 0 or reject such requests with the 'server-error- version-not-supported' status-code. See Section 4.1.8 of [RFC8011]. 4. In any case, security MUST NOT be compromised when a Client supplies a lower "version-number" parameter in a request. For example, if an IPP/2.0 conforming Printer accepts version '1.1' requests and is configured to enforce Digest Authentication, it MUST do the same for a version '1.1' request.9.2. Security and URI Schemes
The following are rules regarding security, the "version-number" parameter, and the URI scheme supplied in target attributes and responses: 1. When a Client supplies a request, the "printer-uri" or "job-uri" target operation attribute MUST have the same scheme as that indicated in one of the values of the "printer-uri-supported" Printer attribute. 2. When the Printer returns the "job-printer-uri" or "job-uri" Job Description attributes, it SHOULD return the same scheme ('ipp', 'ipps', etc.) that the Client supplied in the "printer-uri" or "job-uri" target operation attributes in the Get-Job-Attributes or Get-Jobs request, rather than the scheme used when the Job was created. However, when a Client requests Job attributes using the Get-Job-Attributes or Get-Jobs operations, the Jobs and Job
attributes that the Printer returns depends on: (1) the security
in effect when the Job was created, (2) the security in effect in
the query request, and (3) the security policy in force.
3. The Printer MUST enforce its security and privacy policies based
on the owner of the IPP object and the URI scheme and/or
credentials supplied by the Client in the current request.
10. Changes since RFC 2910
The following changes have been made since the publication of
RFC 2910:
o Added references to current IPP extension specifications.
o Added optional support for HTTP/2.
o Added collection attribute syntax from RFC 3382.
o Fixed typographical errors.
o Now reference TLS/1.2 and no longer mandate the TLS/1.0 MTI
ciphersuites.
o Updated all references.
o Updated document organization to follow current style.
o Updated example ipp: URIs to follow guidelines in RFC 7472.
o Updated version compatibility for all versions of IPP.
o Updated HTTP Digest Authentication to optional for Clients.
o Removed references to (Experimental) IPP/1.0 and usage of
http:/https: URLs.
(next page on part 3)
