SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI: Login authentication SRP/CHAP



    
    
    1. It's good news that the Stanford license fee is zero (I verified  this -
    see attached note).
    
    2.
    > Can you warrant that I will not have to use SRP-Z to implement any iSCSI
    > operations ?
    
    The SRP usage defined in iSCSI is EXACTLY according to RFC-2945.
    This usage is explicitly covered by the Stanford free license.
    SRP-Z involves additional private/public keys for the server, and you
    will not have to use that if you only want to follow the iSCSI standard.
    
    3. If anyone has information about any other IP claiming on the
    RFC-2945 usage (SRP-SHA1) please post the full information here.
    
    4. There is no question about the superior cryptographic features of
    SRP over CHAP. In situations where underlying IPsec will not be
    implemented/used (and these are forecasted), basing the iSCSI security
    on plain CHAP is a poor solution which IMHO the iSCSI standard should not
    encourage (by mandating CHAP instead of SRP).
    
      Regards,
        Ofer
    
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    
    
    Kirsten Leute <kirsten.leute@stanford.edu> on 23/10/2001 00:18:00
    
    Please respond to Kirsten Leute <kirsten.leute@stanford.edu>
    
    To:   Ofer Biran/Haifa/IBM@IBMIL
    cc:
    Subject:  Re: SRP Licensing terms
    
    
    
    Dear Ofer:
    
    Yes, this is correct.  For the type of usage described in the agreement,
    there are no licensing fees.
    
    As far as I know, there are no licensing issues from Stanford.
    
    Best,
    Kirsten
    
    At 06:58 PM 10/22/2001 +0300, you wrote:
    Kirsten,
    
    I'm working on the security aspects of the new iSCSI standard in the IPS
    working group of the IETF.
    Our intention is to define SRP (usage according to RFC2945) as the
    'mandatory to implement' authentication algorithm.
    
    There were concerns in the working group about the licensing terms with
    Stanford. I looked in your "Ready-to-Sign Agreements" page and it seems
    to me that there are no fee involved in getting this license. I wanted to
    verify this with you.
    
    Also - are you aware of any other licensing issue with SRP
    
      Thanks in advance,
    
          Ofer
    
    Ofer Biran
    Storage and Systems Technology
    IBM Research Lab in Haifa
    biran@il.ibm.com  972-4-8296253
    
    **************************************
    Kirsten Leute
    Licensing Associate
    Office of Technology Licensing, Stanford University
    900 Welch Road, Suite 350, Palo Alto, CA 94304
    Direct: (650) 725-9407; Fax: (650) 725-7295
    website: http://otl.stanford.edu/
    
    
    
    
    
    "Bill Strahm" <bill@sanera.net>@ece.cmu.edu on 22/10/2001 18:58:06
    
    Please respond to "Bill Strahm" <bill@sanera.net>
    
    Sent by:  owner-ips@ece.cmu.edu
    
    
    To:   Joe Czap/Raleigh/IBM@IBMUS
    cc:   "IPS Reflector \(E-mail\)" <ips@ece.cmu.edu>, John Hufferd/San
          Jose/IBM@IBMUS, <owner-ips@ece.cmu.edu>
    Subject:  RE: iSCSI: Login authentication SRP/CHAP
    
    
    
    Directly from the Stanford license (http://otl.stanford.edu/pdf/97006.pdf)
    
    "Licensed Field of Use" means use of the Invention(s), Software and
    Licensed
    Patent(s)
    in Licensed Product(s) for implicit server authentication. By way of
    example, but not by
    limitation, RFC2945. The Licensed Field of Use specifically excludes use of
    the
    Invention(s), Software and Licensed Patent(s) machines and servers that
    deal
    with
    explicit bidirectional authentication (for example, SRP-Z for explicit
    server
    authentification). SOFTWARE may only be transferred under a Use Sublicense.
    
    Note that this applies only if Stanford is the only organization to own IP
    on this technology and there are no other patents in this field.  Joe, can
    you warrant that IBM will make NO patent claims against this algorithm ?
    Can
    you warrant that I will not have to use SRP-Z to implement any iSCSI
    operations ?
    
    Again the problem isn't with the algorithm necissarily, but with the fact
    that it is the only MUST implement algorithm, I would rather see an
    algorithm with NO encumbrance against it...
    
    Bill
    +========+=========+=========+=========+=========+=========+=========+
    Bill Strahm     Software Development is a race between Programmers
    Member of the   trying to build bigger and better idiot proof software
    Technical Staff and the Universe trying to produce bigger and better
    bill@sanera.net idiots.
    (503) 601-0263  So far the Universe is winning --- Rich Cook
    
    -----Original Message-----
    From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
    Joe Czap
    Sent: Monday, October 22, 2001 5:03 AM
    To: Bill Strahm
    Cc: IPS Reflector (E-mail); John Hufferd; owner-ips@ece.cmu.edu
    Subject: RE: iSCSI: Login authentication SRP/CHAP
    
    
    The lack of information relating to SRP IP concerns make the issue seem a
    little
    like misdirection.  Can anyone offer a clear explanation the SRP IP
    situation ?
    
    
    Joe Czap
    IBM Storage Networking
    zapper@us.ibm.com
    
    
    
    
    


Home

Last updated: Tue Oct 23 12:17:28 2001
7337 messages in chronological order