    RE: Security in iSCSI



    David,
    
    I am certainly not confusing issues.  Removing cryptographic digests was
    never a consensus call thing.
    And true I agreed that we might remove the current specific ones but even
    doing this will require everybody to agree after being clear what the
    consequences are. As for using SRP keys in ESP, they will serve a
    completely different purpose. A cryptographically safe digest on data is
    needed to get a cryptographically safe transfer of data through iSCSI
    proxies - CRCs are not cryptographically safe.
    
    Julo
    
    Black_David@emc.com on 22-08-2001 16:26:39
    
    Please respond to Black_David@emc.com
    
    To:   Julian Satran/Haifa/IBM@IBMIL, ips@ece.cmu.edu
    cc:
    Subject:  RE: Security in iSCSI
    
    
    
    Julian,
    
    > To be absolutely correct the issue of removing the option of
    > cryptographic digest was brought up
    > by you as a possibility, under the now fashionable umbrella of
    > simplification, and I agree that we might want to
    > remove some of them and limit ourselves to the set close to what we
    > intend to make mandatory to implement (e.g., if we make SRP mandatory to
    > implement then a SRP "keyed" digest could be the right thing to specify -
    > not mandate).  As Kerberos and CHAP are popular in enterprises due to their
    > manageability removing them and leaving the implementation for them to be
    > completely vendor specific is not a good idea.
    
    You've confused two separate issues.  The digests referred to in
    the email exchange below are the KRB5 and SPKM digests in the
    table on p.135 of -07 which I proposed for removal on the list
    well before the London meeting and which you agreed to do; please
    make sure that they do not appear in -08.  There is no SRP keyed
    inband digest specified anywhere in -07 -- at the moment, any such
    functionality would be obtained via keying of ESP.
    
    The issue of whether all 5 of the authentication methods (Kerberos, SRP,
    SPKM-1, SPKM-2, CHAP) in the table on p.136 are needed is a separate and
    open issue that is on the agenda for Orange County.
    
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    black_david@emc.com       Mobile: +1 (978) 394-7754
    ---------------------------------------------------
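
The proxy argument in the reply above, as an added example (not part of the original messages or of any iSCSI draft): an intermediary that alters data can regenerate an unkeyed CRC so the receiver's check still passes, while a digest keyed with a secret held only by the endpoints fails verification. HMAC-SHA256, the key, the sample payload and all function names are assumptions made for illustration; CRC-32C is the CRC later standardized for iSCSI digests in RFC 3720.

```python
import hashlib
import hmac

def crc32c(data: bytes) -> int:
    """Bitwise CRC-32C (Castagnoli, reflected polynomial 0x82F63B78)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def keyed_digest(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in keyed digest (assumption; the thread names none)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def proxy_rewrite(data: bytes, digest_fn):
    """Hypothetical intermediary: changes the payload, then regenerates the
    digest with whatever it can compute itself (it holds no end-to-end key)."""
    altered = data.replace(b"LBA=100", b"LBA=999")
    return altered, digest_fn(altered)

def crc_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs CRC(a^b^c) == CRC(a)^CRC(b)^CRC(c): the digest of
    a changed message is predictable from the change alone, with no secret."""
    mixed = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return crc32c(mixed) == crc32c(a) ^ crc32c(b) ^ crc32c(c)

# Constructed sample values, not taken from the thread.
END_TO_END_KEY = b"constructed-initiator-target-secret"
PDU_DATA = b"WRITE LBA=100 payload=ledger-block-A"

def run_demo() -> dict:
    # Unkeyed CRC: the receiver recomputes the same public function as the proxy.
    crc_data, crc_digest = proxy_rewrite(PDU_DATA, crc32c)
    # Keyed digest: the proxy can only tag with a key of its own choosing.
    mac_data, mac_tag = proxy_rewrite(
        PDU_DATA, lambda d: keyed_digest(b"proxy-has-no-key", d))
    good_tag = keyed_digest(END_TO_END_KEY, PDU_DATA)
    check = lambda d, t: hmac.compare_digest(keyed_digest(END_TO_END_KEY, d), t)
    return {
        "crc_accepts_altered": crc32c(crc_data) == crc_digest,
        "keyed_accepts_altered": check(mac_data, mac_tag),
        "keyed_accepts_original": check(PDU_DATA, good_tag),
    }

if __name__ == "__main__":
    print(run_demo())
```
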
    
    
    
    
    


Last updated: Tue Sep 04 01:03:57 2001