RE: iSCSI:SRP

[Paul Koning <ni1d@arrl.net>]

Excerpt of message (sent 3 April 2002) by Bill Studenmund:
> On Wed, 3 Apr 2002, Paul Koning wrote:
> > 1. CHAP is vulnerable to certain attacks that SRP does not suffer
> >    from, and is one-way.
> 
> Are these concerns strong enough to warrant using patented technologies?
> 
> While I gather it wasn't always so, IPsec is now the primary form of
> security for iSCSI connections. Whatever login method is chosen, it will
> (should) be happening in an ESP-protected channel.

Someone else tried that argument.  It didn't go very far, because
IPsec is optional to use.  You can try to revive that argument if you
wish, but you may want to go back and look at the last iteration.
 
> > 2. DH-CHAP had not been specified yet, while SRP is a published RFC.
> >
> > Why isn't (2) sufficient?  Surely, when we're trying to go through the
> > RFC publication process, we can't be expected to consider a proposal
> > that is not yet at the "draft 00" stage as a prime contender, can we?
> > Otherwise no one could ever finish.
> 
> The concerns over SRP involve IPR, which is a seperate question from being
> an RFC.

We have not yet had an IPR call for DH+CHAP.  Just because CHAP
appears to be unencumbered does NOT mean that DH+CHAP will be.
 
> > Is there any consensus that iSCSI Last Call should wait for DH-CHAP
> > Last Call?
> 
> Yes.

OH REALLY?

I did not see a consensus call.  And I most assuredly did not see
consensus.

David, can we have a consensus call on this?

       paul