RE: Security in iSCSI

David,

I am certainly not confusing issues. Removing cryptographic digests was never a consensus call thing. And true I agreed that we might remove the current specific ones but even doing this will require everybody to agree after being clear what the consequences are.

As for using SRP keys in ESP they will serve a completely different purpose. A cryptographically safe digest on data is needed to get a cryptographically safe transfer of data through iSCSI proxies - CRCs are not cryptographically safe.

Julo

Black_David@emc.com on 22-08-2001 16:26:39

Please respond to Black_David@emc.com

To: Julian Satran/Haifa/IBM@IBMIL, ips@ece.cmu.edu
cc:
Subject: RE: Security in iSCSI

Julian,

> To be absolutely correct the issue of removing the option of cryptographic
> digest was brought up
> by you as a possibility, under the now fashionable umbrella of
> simplification, and I agree that we might want to
> remove some of them and limit ourselves to the set close to what we intend
> to make mandatory to implement (e.g., if we make SRP mandatory to implement
> then an SRP "keyed" digest could be the right thing to specify - not
> mandate). As Kerberos and CHAP are popular in enterprises due to their
> manageability removing them and leaving the implementation for them to be
> completely vendor specific is not a good idea.

You've confused two separate issues. The digests referred to in the email exchange below are the KRB5 and SPKM digests in the table on p.135 of -07 which I proposed for removal on the list well before the London meeting and which you agreed to do; please make sure that they do not appear in -08. There is no SRP keyed inband digest specified anywhere in -07 -- at the moment, any such functionality would be obtained via keying of ESP.

The issue of whether all 5 of the authentication methods (Kerberos, SRP, SPKM-1, SPKM-2, CHAP) in the table on p.136 are needed is a separate and open issue that is on the agenda for Orange County.

--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 435-1000 x75140 FAX: +1 (508) 497-8500
black_david@emc.com Mobile: +1 (978) 394-7754
---------------------------------------------------
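
Added example, not part of the original thread or of any iSCSI draft: a small model of the point that a CRC does not protect data crossing an intermediary, while a digest keyed with an endpoint-only secret does. Assumptions: zlib's CRC-32 stands in for the iSCSI CRC, HMAC-SHA256 stands in for a keyed digest, and the key, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample values; the key stands in for a session key that only
# the two endpoints hold (for example one derived during authentication).
SESSION_KEY = b"constructed-endpoint-session-key"
PAYLOAD = b"WRITE lba=2048 data=AAAAAAAAAAAAAAAA"

def crc_digest(data: bytes) -> int:
    """Unkeyed checksum: anyone who can see the data can compute it."""
    return zlib.crc32(data) & 0xFFFFFFFF

def keyed_digest(key: bytes, data: bytes) -> bytes:
    """Keyed digest: computing it requires the endpoint key."""
    return hmac.new(key, data, hashlib.sha256).digest()

def send(data: bytes, key: bytes) -> dict:
    """Initiator side: attach both digests to the PDU."""
    return {"data": data, "crc": crc_digest(data), "mac": keyed_digest(key, data)}

def intermediary_rewrite(pdu: dict, new_data: bytes) -> dict:
    """Hop without the key: it can refresh the CRC but not the keyed digest."""
    return {"data": new_data, "crc": crc_digest(new_data), "mac": pdu["mac"]}

def receive(pdu: dict, key: bytes) -> dict:
    """Target side: report which of the two checks accepts the PDU."""
    crc_ok = crc_digest(pdu["data"]) == pdu["crc"]
    mac_ok = hmac.compare_digest(keyed_digest(key, pdu["data"]), pdu["mac"])
    return {"crc_ok": crc_ok, "mac_ok": mac_ok}

def crc_is_affine(a: bytes, b: bytes) -> bool:
    """CRC(a ^ b) == CRC(a) ^ CRC(b) ^ CRC(zeros) for equal-length inputs."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    xored = bytes(x ^ y for x, y in zip(a, b))
    zeros = bytes(len(a))
    return crc_digest(xored) == crc_digest(a) ^ crc_digest(b) ^ crc_digest(zeros)

if __name__ == "__main__":
    original = send(PAYLOAD, SESSION_KEY)
    altered = intermediary_rewrite(original, PAYLOAD.replace(b"2048", b"4096"))
    print("unmodified:", receive(original, SESSION_KEY))
    print("rewritten :", receive(altered, SESSION_KEY))
    print("crc affine:", crc_is_affine(PAYLOAD, bytes(reversed(PAYLOAD))))
```

The affine relation is the structural reason a CRC only detects accidental corruption: its value for changed data is predictable from public information, with no secret involved.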
Last updated: Tue Sep 04 01:03:57 2001