
    Re: iSCSI: SRP vs DH-CHAP



    At 03:47 PM 4/3/02 -0800, Bill Studenmund wrote:
    >My concern with SRP is simple: we will need to license patents. 
    
    Bill, it is not clear to me whether you will or won't "need to license patents",
    although you may have a legitimate reason to be concerned about the
    unknowns.
    
    Also, in light of what Pat Thaler recently wrote:
    >... If you consider a non-free license to be a barrier to smooth progress then we
    >already have that problem independent of SRP, ...
    
    Can you elaborate on how you addressed your needs and concerns
    in that regard?
    
    Bill also wrote:
    >... With CHAP or DH+CHAP, we won't.
    
    Simple black and white declarative statements sound nice.
    But have you actually investigated patent issues of the alternatives?
    Or are you simply assuming that the IESG or WG has done that for you?
    
    >... why wouldn't you be using IPsec ESP? If you don't do something to
    >protect the connection once it's up, someone can steal it. Regardless of
    >what (CHAP, SRP) was done to protect the password.
    
    While I in no way want to argue a case for using unencrypted channels
    in a hostile environment, I should note that session hijacking is
    more difficult than password stealing, especially regarding CHAP.
    I've also responded to some of your other points in the RE: iSCSI:SRP thread.
    
    >... If you aren't doing IPsec ESP, then discussions about password security
    >(SRP vs. CHAP) are like talking about how good a deadbolt we have on the
    >door when we leave windows unlocked.
    
    I think Ted and I have already both taken that "home improvement"
    debate about as far as it can go for now. We should probably stick
    to precise discussion from here on.
    
    -- David
    
    


Last updated: Thu Apr 04 15:18:21 2002