RE: iSCSI: SRP vs DH-CHAP

To: wrstuden@wasabisystems.com, cbm@rose.hp.com
Subject: RE: iSCSI: SRP vs DH-CHAP
From: pat_thaler@agilent.com
Date: Wed, 3 Apr 2002 17:09:14 -0700
Cc: ips@ece.cmu.edu
Content-Type: text/plain;charset="iso-8859-1"
Sender: owner-ips@ece.cmu.edu

We have no idea whether DH+CHAP may be covered by patents or not. Often
patents cover some little mechanism rather than the whole algorithm that is
patented. We haven't even seen the DH+CHAP draft yet and given that it is
new it is also possible that there are patent applications that we can't see
yet. 

Be very wary of comparing the patent exposure of something that has been
defined for a while to something that is in the process of creation.

Pat

-----Original Message-----
From: Bill Studenmund [mailto:wrstuden@wasabisystems.com]
Sent: Wednesday, April 03, 2002 3:47 PM
To: Mallikarjun C.
Cc: ips@ece.cmu.edu
Subject: Re: iSCSI: SRP vs DH-CHAP

On Tue, 2 Apr 2002, Mallikarjun C. wrote:

> - Given that Lucent's new clarification came after Minneapolis, let's
>    consider the possibility that several/most WG participants are now
>    favorably inclined to go with SRP as the "MUST implement".  Can
>    folks with continuing concerns on SRP please speak up? [ This is *not*
>    a legal advice; but HP's lawyers do not see any issues for
Hewlett-Packard
>    in the area of SRP. ]

My concern with SRP is simple: we will need to license patents. Yes, with
ucent's recent statement, the terms are better than they were. But we
still need licenses (or at least lawyers). With CHAP or DH+CHAP, we won't.

HP may be fine, Intel may be fine, IBM may be fine, EMC may be fine (I
don't know on all of these; I am not a lawyer). In general, large
companies have patent exchange agreements which can help in things like
this. Smaller companies don't. We're an Open-Source implimenter, and
patents will cause real problems for our customers.

What exactly is SRP offering that is so desired? I understand the desire
to have stronger protection of access, but if you care about security that
much, why wouldn't you be using IPsec ESP? If you don't do something to
protect the connection once it's up, someone can steal it. Regardless of
what (CHAP, SRP) was done to protect the password.

So if you care about security, you most likely are using IPsec ESP. In
that case, whatever authentication method you use takes place over an
encrypted channel; ESP gets set up before iSCSI. So what's wrong with CHAP
in a case like that?

If you aren't doing IPsec ESP, then discussions about password security
(SRP vs. CHAP) are like talking about how good a deadbolt we have on the
door when we leave windows unlocked.

Take care,

Bill

Prev by Date: RE: iSCSI:SRP
Next by Date: RE: iSCSI:SRP
Prev by thread: RE: iSCSI: SRP vs DH-CHAP
Next by thread: iSCSI: SRP vs DH-CHAP
Index(es):
- Date
- Thread

Home

Last updated: Thu Apr 04 08:18:32 2002
9481 messages in chronological order