RE: Security in iSCSI

[Black_David@emc.com]

Julian,

> To be absolutely correct the issue of removing the option of cryptographyc
> digest was brough up
> by you as a possibility,  under the now fashionable umbrela of
> simplification, and I agree that we might want to
> remove some of them and limit ourselves to the set close to what we intend
> to make mandatory to implement (e.g., if we make SRP mandatory to
implement
> then a SRP "keyed" digest could be the right thing to specify - not
> mandate).  As Kerberos and CHAP are popular in enterprises due to their
> manageability removing them and leving the implementation for them to be
> completely vendor specific is not a good idea.

You've confused two separate issues.  The digests referred to in
the email exchange below are the KRB5 and SPKM digests in the
table on p.135 of -07 which I proposed for removal on the list
well before the London meeting and which you agreed to do; please
make sure that they do not appear in -08.  There is no SRP keyed
inband digest specified anywhere in -07 -- at the moment, any such
functionality would be obtained via keying of ESP.

The issue of whether all 5 of the authentication methods (Kerberos, SRP,
SPKM-1, SPKM-2, CHAP) in the table on p.136 are needed is a separate and
open issue that is on the agenda for Orange County.

--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------