RE: iSCSI Security

Josh,

We will consider it. Let's discuss this in Minneapolis.

Julo

Joshua Tseng <jtseng@NishanSystems.com> on 06/03/2001 08:56:15

Please respond to Joshua Tseng <jtseng@NishanSystems.com>

To: ips@ece.cmu.edu
cc:
Subject: RE: iSCSI Security

Julian,

See below:

>
> Josh,
>
> We don't want to deal with any of the authentication schemes on which we
> have to keep inventing things and interfaces.

The public key algorithms are already well documented. I don't think we're inventing anything new. See RFC 2437 for RSA and FIPS-186-2 for DSA. All we need are some text keys to carry the verification signatures.

>
> Kerberos and SRP have everything needed, including being implemented on
> widely available platforms, and beyond them IPSec handles everything.

Many consider Kerberos to be less than secure. It is yesterday's technology, and it does not scale well, since it requires manual distribution and coordination of shared secrets between the server and its users. Consequently, the Kerberos server is a headache to set up and maintain, especially for a large number of clients. Furthermore, it is also a single point of vulnerability, in contrast to a PKI infrastructure which can rely upon hierarchies of certificate authorities.

IPSec is optimized to secure IP endpoints. It will not verify identities (i.e., WWUI's) unless you implement ISAKMP's optional features, which may be problematic if you're using an off-the-shelf ISAKMP implementation.

>
> Obviously vendors can add anything (including public key).

If you do not add the text keys to negotiate public key authentication, then there will be no public key method. I don't think I'm asking for very much--just that you reinstate the previous public key method from the previous draft. This will make key distribution MUCH easier, safer, and scalable.

Regards,
Josh

>
> Regards,
> Julo
>
> Joshua Tseng <jtseng@NishanSystems.com> on 05/03/2001 20:53:05
>
> Please respond to Joshua Tseng <jtseng@NishanSystems.com>
>
> To: Julian Satran/Haifa/IBM@IBMIL
> cc: ips@ece.cmu.edu
> Subject: iSCSI Security
>
> Julian,
>
> Why was the public key authentication method removed from version -05?
> Are you sure you want iSCSI to forsake the benefits of public key
> cryptography? I strongly suggest it be reinstated as one of the
> authentication methods listed in page 95.
>
> Josh