Re: iSCSI: PAK: an alternative to SRP and DH-CHAP

>I'd almost buy this argument, except that means that my customers will
>have to upgrade their environments to an updated Radius server.
>Putting deployment requirements like this on customers is not an easy
>thing...

This used to be a reasonable argument when most RADIUS servers didn't support extensible authentication, but that isn't true anymore. Today customers who don't want to upgrade legacy servers often go out and buy a new set of servers supporting extensible authentication and deploy it for the new application only. That way they don't have to worry about the upgrades breaking legacy applications, yet they can still support new applications.

Also, if we were to restrict IETF authentication methods to those supported in RFC 2865, that would mean that the only acceptable algorithm would be CHAP. Given that CHAP doesn't support mutual authentication and has a dictionary attack vulnerability, that seems like too tight a straightjacket to put ourselves in.
Last updated: Fri May 03 14:18:27 2002