RE: iSCSI:SRP

[Paul Koning <ni1d@arrl.net>]

Excerpt of message (sent 2 April 2002) by KRUEGER,MARJORIE (HP-Roseville,ex1):
> I don't see your reasoning here David, please explain.  As Mallikarjun says,
> it's up to this WG to decide what the authentication reqmts are for iSCSI
> and choose a protocol.  Why would the IESG second guess that?  If that's the
> case, perhaps there's an unknown, unbounded list of authentication protocols
> that we haven't considered that the IESG will make us go back and consider?
> It's my understanding that DH-strenghthened CHAP is only "proposed", not
> currently standard (not even a draft)?  So I can't believe the IESG will
> make us go consider requiring a draft in our proposed standard, that's
> against their own stated rules?
> 
> I agree with John.

Same here.

I'm definitely not the world's greatest fan of SRP, but I much prefer
a requirement for an existing RFC (even if not yet widely implemented)
over a diversion towards a not yet defined, not yet analyzed, new
protocol with unknown security properties.  That way only leads to
further delay and further confusion.  (Note that "based on CHAP" is
equivalent to saying "DIFFERENT from CHAP" -- there is NO such thing
in security protocols as a "small change".)

Let me make that a stronger proposal: I propose to retain the "SRP
mandatory" language in Draft 12, and issue that document for a real
(not a fake) WG Last Call.

It's time.

     paul