Re: iSCSI: SRP vs DH-CHAP

On Tue, 2 Apr 2002, Mallikarjun C. wrote:

> - Given that Lucent's new clarification came after Minneapolis, let's
> consider the possibility that several/most WG participants are now
> favorably inclined to go with SRP as the "MUST implement". Can
> folks with continuing concerns on SRP please speak up? [ This is *not*
> legal advice; but HP's lawyers do not see any issues for Hewlett-Packard
> in the area of SRP. ]

My concern with SRP is simple: we will need to license patents. Yes, with Lucent's recent statement, the terms are better than they were. But we still need licenses (or at least lawyers). With CHAP or DH+CHAP, we won't.

HP may be fine, Intel may be fine, IBM may be fine, EMC may be fine (I don't know on all of these; I am not a lawyer). In general, large companies have patent exchange agreements which can help in things like this. Smaller companies don't. We're an Open-Source implementer, and patents will cause real problems for our customers.

What exactly is SRP offering that is so desired? I understand the desire to have stronger protection of access, but if you care about security that much, why wouldn't you be using IPsec ESP?

If you don't do something to protect the connection once it's up, someone can steal it. Regardless of what (CHAP, SRP) was done to protect the password. So if you care about security, you most likely are using IPsec ESP. In that case, whatever authentication method you use takes place over an encrypted channel; ESP gets set up before iSCSI. So what's wrong with CHAP in a case like that?

If you aren't doing IPsec ESP, then discussions about password security (SRP vs. CHAP) are like talking about how good a deadbolt we have on the door when we leave windows unlocked.

Take care,

Bill
Last updated: Thu Apr 04 12:18:19 2002