Re: iSCSI: SRP vs DH-CHAP

["Bernard Aboba" <bernard_aboba@hotmail.com>]

>- A procedural question in this regard is the seeming lack of
>    documented requirements for the authentication mechanism.  I
>    don't really see a list of requirements stated in the security draft,
>    even though there's general text that discusses some issues.  (BTW,
>    the iSCSI requirements draft (rightly) does not go to the depth >    
>we're seeking here). I am equally to blame for this, but I was    under the 
>impression that we had a list of *documented*
>    requirements to evaluate candidates - and we chose SRP.  I was    
>somewhat surprised to see that we now seem to be    defining/weakening 
>requirements afresh in some of the recent email >    threads I had seen.  I 
>admit that I am not
>    a security expert, but I am personally not _yet_ clear on the
>    requirements....
>--
>Mallikarjun

Since we seem to be in "blame sharing mode" here, I'll take some for myself. 
The security draft doesn't talk about requirements for iSCSI authentication, 
on the (mistaken) assumption that this was provided within the iSCSI 
requirements document. However, there is no such guidance provided there. So 
if we are to make a choice, there needs to be some requirements language 
describing the relevant considerations. That's how the discussion got 
started. If someone can provide a pointer to an earlier discussion that 
settled this issue, that would save some time.

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com