SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: iSCSI Security



    Julian,
    
    See below:
    
    > 
    > Josh,
    > 
    > We don't want to deal with any of the authentication schemes 
    > on which we
    > have to keep inventing things and interfaces.
    
    The public key algorithms are already well documented.  I don't
    think we're inventing anything new.  See RFC 2437 for RSA and
    FIPS-186-2 for DSA.  All we need are some text keys to carry the
    verification signatures.
    
    > 
    > Kerberos and SRP have everything needed, including being 
    > implemented on
    > widely available platforms, and beyond them IPSec handles everything.
    
    Many consider Kerberos to be less than secure.  It is yesterday's
    technology, and it does not scale well, since it requires manual
    distribution and coordination of shared secrets between the
    server and its users.  Consequently, the kerberos server is a headache
    to set up and maintain, especially for a large number of clients.
    Furthermore, it is also a single point of vulnerability, in contrast
    to a PKI infrastructure which can rely upon hierarchies of certificate
    authorities.
    
    IPSec is optimized to secure IP endpoints.  It will not verify
    identities (i.e., WWUI's) unless you implement ISAKMP's optional
    features, which may be problematic if you're using an off-the-shelf
    ISAKMP implementation.
    
    > 
    > Obviously vendors can add anything (including public key).
    
    If you do not add the text keys to negotiate public key authentication,
    then there will be no public key method.
    
    I don't think I'm asking for very much--just that you reinstate the
    previous public key method from the previous draft.  This will make
    key distribution MUCH easier, safer, and scalable.
    
    Regards,
    Josh
    
    > 
    > Regards,
    > Julo
    > 
    > Joshua Tseng <jtseng@NishanSystems.com> on 05/03/2001 20:53:05
    > 
    > Please respond to Joshua Tseng <jtseng@NishanSystems.com>
    > 
    > To:   Julian Satran/Haifa/IBM@IBMIL
    > cc:   ips@ece.cmu.edu
    > Subject:  iSCSI Security
    > 
    > 
    > 
    > 
    > Julian,
    > 
    > Why was the public key authentication method removed from version -05?
    > Are you sure you want iSCSI to forsake the benefits of public key
    > cryptography?  I strongly suggest it be reinstated as one of the
    > authentication
    > methods listed in page 95.
    > 
    > Josh
    > 
    > 
    > 
    > 
    > 
    


Home

Last updated: Tue Sep 04 01:05:26 2001
6315 messages in chronological order