
    Re: iSCSI Inband authentication (SRP/CHAP) - proposed resolution



    David,
    
    Just two comments (being on a trip, it went to the list too fast for
    me):
    
    1.
    "If the CHAP shared secret is weaker than 96 bits of cryptographic
    randomness..."
    All this par. actually tells you what to do when you disobey the
    SHOULD in the par. above... ("the CHAP shared secret SHOULD
    represent a cryptographically random quantity...") maybe it's OK
    (because there are MUSTs here) but it's a bit unusual. This makes
    it look like we accept this alternative way, so maybe that SHOULD
    can go away (i.e., either 96/random or these IPsec conditions).
    
    2.
    "In order to provide mutual authentication and protect against rogue
    Targets, CHAP authentication SHOULD be done in both directions..."
    Mutual authentication is optional to use for all authentication
    methods, and I don't see any reason to enforce it only in CHAP. This
    is a change, it is not related to the CHAP problems discussed, and
    I would not put it in suddenly now.
    
    
      Regards,
         Ofer
    
    
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    
    


Last updated: Wed May 22 11:18:36 2002