|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: iSCSI: SRP statusDavid, Can you clarify the statement "...and that have been commercially deployed without licensing another organization's patents." Aren't you talking here about the patented SPEKE methods ? Thanks, Ofer Ofer Biran Storage and Systems Technology IBM Research Lab in Haifa biran@il.ibm.com 972-4-8296253 David Jablon <dpj@theworld.com>@ece.cmu.edu on 26/03/2002 23:37:45 Please respond to David Jablon <dpj@theworld.com> Sent by: owner-ips@ece.cmu.edu To: Black_David@emc.com cc: ips@ece.cmu.edu Subject: Re: iSCSI: SRP status David, Here are a few points to add to this summary of recent events regarding SRP. The first is simply that the just-posted policy letter from Phoenix legal was presented and discussed in Minneapolis. While I won't attempt to summarize that discussion here, I have relayed the concerns expressed back to Phoenix. A second point is a delicate one, related to larger IETF policy in general. Concern was expressed at the meeting that the WG appears to be changing the content (if not the requirements too) of a proposed standard, based on unconfirmed rumor. The fact that a patent holder has refused to confirm or deny such rumors, or provide a license policy statement, is surely a concern. But this concern may mask a pernicious problem. Such WG behavior allows anyone to start unresolvable rumors of potential patent coverage in order to steer a group in arbitrary directions. Unfortunately, IETF policy and tradition make open discussion of the legitimacy of such rumors very difficult. Concern was expressed at the meeting about security dangers inherent in designing a new method, such as some kind of mutually-authenticating variant of CHAP. Even beyond the security concerns, it may be impossible for the group to determine that a newly proposed method is patent- free. The standard practices of using evidence of surviving years of cryptographic review to establish security, or commercial use to establish unencumbrance, both may not work for methods still-to-be described. The draft-jablon-speke-00.txt presented to the WG on this list and at the meeting specifically describes methods that provide the benefits of SRP, but are less structurally related to EKE. It describes methods that have survived 5 years of public scrutiny, that achieve higher goals than the just-proposed alternatives, and that have been commercially deployed without licensing another organization's patents. In presenting this information, I am clearly staying within the guidelines of longstanding written IETF policy, but clearly coming up against IETF tradition in talking as openly as possible about such sensitive issues. I hope that the group will carefully consider these methods, in addition to any soon-to-be proposed variants of CHAP or Diffie-Hellman, as they review their security and functionality objectives. Furthermore, in light of the repeated attempts to get another company to clarify or simplify it's license position, I would hope that any group or individual with concern about the Phoenix position will make their concerns known to the company, or to me personally, and I'll do my best to get an acceptable response. -- David Jablon
Home Last updated: Tue Mar 26 15:18:16 2002 9308 messages in chronological order |