Re: iSCSI: PAK: an alternative to SRP and DH-CHAP

[Philip MacKenzie <philmac@research.bell-labs.com>]

> So is the goal of the working group now to propose a "new and 
> improved" authentication method every 2 months so we can never
> make forward progress...
> 


I hope not.  I simply believe that password authentication
with no security against active attacks is not a good idea,
and thought that I could bring a protocol that has advantages
over the current alternatives.  I hope that is progress.


> I have no problems with having the ability to use optional 
> authentication methods, but we need to be VERY careful of specifying
> MUST/SHOULD algorithms, and the number should be really small, 
> VERY well understood, and as widespread as possible.
> 


Agreed.


>>From my understaning of PAK, I don't see a way of plugging this into
> a legacy RADIUS environment (I don't have the password avail at the 
> iSCSI endpoint, only the ability to say please authenticate this for me)
> 


I also do not see a way to plug PAK into RADIUS.  I don't
believe any password authentication protocol with security
against active attacks could work with RADIUS.

-Phil