Re: iSCSI: SRP status
David,
Can you clarify the statement
"...and that have been commercially deployed without licensing another
organization's patents."
Aren't you talking here about the patented SPEKE methods?
Thanks,
Ofer
Ofer Biran
Storage and Systems Technology
IBM Research Lab in Haifa
biran@il.ibm.com 972-4-8296253
David Jablon <dpj@theworld.com>@ece.cmu.edu on 26/03/2002 23:37:45
Please respond to David Jablon <dpj@theworld.com>
Sent by: owner-ips@ece.cmu.edu
To: Black_David@emc.com
cc: ips@ece.cmu.edu
Subject: Re: iSCSI: SRP status
David,
Here are a few points to add to this summary of recent
events regarding SRP.
The first is simply that the just-posted policy letter from
Phoenix legal was presented and discussed in Minneapolis.
While I won't attempt to summarize that discussion here,
I have relayed the concerns expressed back to Phoenix.
A second point is a delicate one, related to larger IETF
policy in general. Concern was expressed at the meeting that
the WG appears to be changing the content (if not the
requirements too) of a proposed standard, based on
unconfirmed rumor.
The fact that a patent holder has refused to confirm or deny
such rumors, or provide a license policy statement, is
surely a concern. But this concern may mask a pernicious
problem. Such WG behavior allows anyone to start
unresolvable rumors of potential patent coverage in order to
steer a group in arbitrary directions. Unfortunately, IETF
policy and tradition make open discussion of the legitimacy
of such rumors very difficult.
Concern was expressed at the meeting about security
dangers inherent in designing a new method, such as some
kind of mutually-authenticating variant of CHAP. Even
beyond the security concerns, it may be impossible for the
group to determine that a newly proposed method is patent-
free. The standard practices of using evidence of
surviving years of cryptographic review to establish
security, or commercial use to establish unencumbrance,
both may not work for methods still-to-be described.
The draft-jablon-speke-00.txt presented to the WG on this
list and at the meeting specifically describes methods that
provide the benefits of SRP, but are less structurally
related to EKE. It describes methods that have survived
5 years of public scrutiny, that achieve higher goals than
the just-proposed alternatives, and that have been
commercially deployed without licensing another
organization's patents.
In presenting this information, I am clearly staying within
the guidelines of longstanding written IETF policy, but
clearly coming up against IETF tradition in talking as
openly as possible about such sensitive issues.
I hope that the group will carefully consider these methods,
in addition to any soon-to-be proposed variants of CHAP
or Diffie-Hellman, as they review their security and
functionality objectives.
Furthermore, in light of the repeated attempts to get
another company to clarify or simplify its license
position, I would hope that any group or individual with
concern about the Phoenix position will make their concerns
known to the company, or to me personally, and I'll do my
best to get an acceptable response.
-- David Jablon
Last updated: Tue Mar 26 15:18:16 2002