Re: iSCSI: Delay on results of Consensus call -- DH-CHAP [Resend]

To: "Elizabeth G. Rodriguez" <Elizabeth.G.Rodriguez@123mail.net>
Subject: Re: iSCSI: Delay on results of Consensus call -- DH-CHAP [Resend]
From: "Julian Satran" <Julian_Satran@il.ibm.com>
Date: Tue, 30 Apr 2002 01:20:53 +0300
Cc: ips@ece.cmu.edu, owner-ips@ece.cmu.edu, Allison Mankin <mankin@east.isi.edu>
Content-Type: multipart/alternative; boundary="=_alternative 007A5362C2256BAA_="
Sender: owner-ips@ece.cmu.edu

Elizabeth,

At the last IPS Security team phone call DH-CHAP was praised for being very well written but too "young" for a security protocol for us to make any decision.

We are looking also for advise from other people within our communities.

I spent some time reading the last several days all the submissions to the IEEE workgroup P1363 and I feel even more helpless - there are submissions there that have a DH exchange and are far stronger that DH-CHAP at the same computational expense.

Also the original 1993 Bellovin and Merritt paper on AKE covers mechanisms closely related to DH-CHAP and as I have no access to the alleged patents on all AKE protocols

we have no clue if DH-CHAP will not be covered by those claims.

Considering that we are not a security workgroup many of us feel that we should either choose a week authentication like CHAP as must and wait for IEEE to standardize one or more forms of AKE or stay with what we have now and that is SRP mandatory. I find it also very curious that the ADs seem to advise us against mandating a protocol that is already an RFC (SRP). And again neither I nor IBM (as far as I know) have no vested interest in SRP - it seems to be the only AKE class protocol that has already undergone public scrutiny and it meets all our needs.

Julo

"Elizabeth G. Rodriguez" <Elizabeth.G.Rodriguez@123mail.net>
Sent by: owner-ips@ece.cmu.edu

04/28/2002 10:50 PM
Please respond to "Elizabeth G. Rodriguez"

To: <ips@ece.cmu.edu>
cc:
Subject: iSCSI: Delay on results of Consensus call -- DH-CHAP [Resend]

Never saw this post, so resending…

A quick update on why the results of the consensus call for DH-CHAP have not been announced:

The results of the input received were very roughly (e.g. not clear consensus) in favor of inclusion of DH-CHAP.

I have been asked by Allison Mankin to consult with the security advisors to the group, to check into more matters.

Specifically, to check on the requirements for the authentication mechanism, and to see if DH-CHAP satisfy these requirements.

We are still working on this, and will try to post something about this as soon as possible.

Thanks,

Elizabeth

Prev by Date: Re: iSCSI: PAK: an alternative to SRP and DH-CHAP
Next by Date: Re: Logout request
Prev by thread: iSCSI: Delay on results of Consensus call -- DH-CHAP [Resend]
Next by thread: RE: iSCSI: Delay on results of Consensus call -- DH-CHAP [Resend]
Index(es):
- Date
- Thread

Home

Last updated: Mon Apr 29 19:18:24 2002
9864 messages in chronological order