Re: iSCSI: Use of SRP (draft -04)

Ofer:

If SRP is mutual, then I think the draft should state that with text
similar to the Kerberos method, and also state how to handle mixed SRP
and Kerberos authentication (or disallow it).

Also, I am not sure I agree that SRP is entirely mutual. See
draft-ietf-pppext-eap-srp-00.txt for a proposal for using SRP with PPP.

Regards,
Steve Senum

biran@il.ibm.com wrote:
>
> Steve,
>
> You are correct, we'll change the SRP message sequence similar to telnet (U
> --- N,g,s -- A -- B...).
>
> For simultaneous authentication processes (InitAuth, TargetAuth) it seems a
> problem of over-flexibility. The simpler and reasonable way would be to
> negotiate one authentication method AuthMethod and leave the one way / mutual
> authentication decision to the specific method selected. In KERB5 the client
> decides it by setting the krb_ap_req mutual flag, in SRP it's actually mutual.
>
> Regards,
> Ofer
>
> Ofer Biran
> Systems and Software
> IBM Research Lab in Haifa
> biran@il.ibm.com 972-4-8296253
>
> Steve Senum <ssenum@cisco.com> on 02/28/2001 01:41:01 AM
>
> Please respond to Steve Senum <ssenum@cisco.com>
>
> To: ietf-ips <ips@ece.cmu.edu>
> cc:
> Subject: iSCSI: Use of SRP (draft -04)
>
> Julian:
>
> With respect to use of the SRP protocol for authentication,
> I think the current draft is incomplete. The SRP spec
> requires that values for the Prime Modulus value 'N' and the
> Generator value 'g' be sent by the authenticating entity
> as well as 's' and 'B' (or known through some other method).
> Look at RFC 2944 to see how telnet handles this.
>
> Also, if both Initiator and Target choose to authenticate with
> SRP, or if InitAuth=KERB5 and TargetAuth=srp, the same key names
> will be needed by both sides at the same time, resulting in the
> same key name appearing twice in the same text message. This
> will make it difficult for the receiver to know which key names
> go with which authentication process, since there can be two
> going on at one time.
>
> Regards,
> Steve Senum
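The following script is an added illustration, not part of the thread above nor of the iSCSI draft it discusses. It drives both parties through the telnet-style SRP message order the thread settles on (U, then N,g,s,B, then A with the client proof, then the server proof) and shows two things the messages alone do not: the client has to validate the N and g it receives against a list of groups it already trusts, precisely because the authenticating entity is the one sending them, and the server's final proof M2 is the step that authenticates the server to the client, so an implementation that omits or ignores it is one-way. The group is the 1024-bit group from RFC 5054 (published well after this thread), the arithmetic is SRP-6a, and the SHA-256 hashing, padding and proof layout are illustrative assumptions rather than the exact encoding of RFC 2945. The function names (`enroll`, `run_exchange`, `client_check_group`) and the sample user/password are constructed for the example.

```python
"""SRP authentication exchange in the telnet (RFC 2944) message order:

    client -> server : U                (username)
    server -> client : N, g, s, B       (group parameters, salt, server value)
    client -> server : A, M1            (client value, client proof)
    server -> client : M2               (server proof; checking it is what
                                         authenticates the server to the client)

Arithmetic is SRP-6a (as later standardised for TLS in RFC 5054). The hash
(SHA-256), padding and proof layout are illustrative, not the exact encoding
of RFC 2945 or of any single specification.
"""
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A, g = 2 (transcribed from the RFC;
# the bit-length check below guards against a dropped or doubled hex digit).
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
G = 2
assert N.bit_length() == 1024
N_LEN = (N.bit_length() + 7) // 8      # 128 bytes
KNOWN_GROUPS = {(N, G)}                # the only groups this client will accept


class AuthError(Exception):
    """Raised when either side must abort the exchange."""


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding so hashed group elements are unambiguous."""
    return n.to_bytes(N_LEN, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_check_group(n: int, g: int) -> None:
    """N and g arrive from the authenticator, so the client must refuse any
    group it does not already trust; a rogue server could otherwise offer a
    weak modulus and recover the password-derived exponent."""
    if (n, g) not in KNOWN_GROUPS:
        raise AuthError("unknown SRP group offered by server")


def private_x(salt: bytes, username: str, password: str) -> int:
    return int.from_bytes(H(salt, H(f"{username}:{password}".encode())), "big")


def enroll(username: str, password: str, salt=None):
    """Registration: the server stores (salt, verifier), never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, pow(G, private_x(salt, username, password), N)


K_MULT = int.from_bytes(H(pad(N), pad(G)), "big")   # SRP-6a multiplier k = H(N, PAD(g))


def proof_m1(username: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    return H(xor(H(pad(N)), H(pad(G))), H(username.encode()), salt, pad(A), pad(B), K)


def run_exchange(username: str, password: str, salt: bytes, verifier: int) -> dict:
    """Drive both parties through the four messages and report what each verified.
    (salt, verifier) is the server's stored record for username; password is
    what the client typed."""
    # 1. client -> server: U.  Server looks up (s, v) and picks its secret b.
    b = secrets.randbelow(N - 2) + 1
    B = (K_MULT * verifier + pow(G, b, N)) % N

    # 2. server -> client: N, g, s, B.  Client validates everything it received.
    client_check_group(N, G)
    if B % N == 0:
        raise AuthError("server value B is zero mod N")
    a = secrets.randbelow(N - 2) + 1
    A = pow(G, a, N)
    u = int.from_bytes(H(pad(A), pad(B)), "big")
    if u == 0:
        raise AuthError("scrambling parameter u is zero")
    x = private_x(salt, username, password)
    S_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    K_client = H(pad(S_client))
    M1 = proof_m1(username, salt, A, B, K_client)

    # 3. client -> server: A, M1.  Server derives its own K and checks M1.
    if A % N == 0:
        raise AuthError("client value A is zero mod N")
    S_server = pow((A * pow(verifier, u, N)) % N, b, N)
    K_server = H(pad(S_server))
    client_ok = secrets.compare_digest(M1, proof_m1(username, salt, A, B, K_server))
    if not client_ok:
        # No M2 is sent: a failed client proof must not leak anything keyed by K.
        return {"client_authenticated": False, "server_authenticated": False,
                "keys_match": False}

    # 4. server -> client: M2.  Only after checking it may the client conclude
    #    the server actually held the verifier for U.
    M2 = H(pad(A), M1, K_server)
    server_ok = secrets.compare_digest(M2, H(pad(A), M1, K_client))
    return {"client_authenticated": True, "server_authenticated": server_ok,
            "keys_match": K_client == K_server}
```

With a correct password both proofs verify and both sides hold the same session key K; with a wrong password the server rejects M1 and never emits M2, so the client learns nothing about K. Whether a given profile of SRP counts as "mutual" comes down to whether the client is required to receive and verify M2; the exchange above only authenticates the server if that last step is present.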