Re: iSCSI Inband authentication (SRP/CHAP) - proposed resolution

David,

Just two comments (being on a trip, it went to the list too fast for me):

1. "If the CHAP shared secret is weaker than 96 bits of cryptographic randomness..."

All this par. actually tells you what to do when you disobey the SHOULD in the par. above... ("the CHAP shared secret SHOULD represent a cryptographically random quantity...") maybe it's OK (because there are MUSTs here) but it's a bit unusual. This makes it look like we accept this alternative way, so maybe that SHOULD can go away (i.e., either 96/random or these IPsec conditions).

2. "In order to provide mutual authentication and protect against rogue Targets, CHAP authentication SHOULD be done in both directions..."

Mutual authentication is optional to use for all authentication methods, and I don't see any reason to enforce it only in CHAP. This is a change, it is not related to the CHAP problems discussed, and I would not put it in suddenly now.

Regards,
Ofer

Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253
Last updated: Wed May 22 11:18:36 2002