Paul and all,

I have some comments on 05-446r9

TECHNICAL:
1) Section 4.2.9.13, pg 6, last sentence of 2nd to last paragraph, "The device server shall establish the logical position at the BOP side the encrypted block." should be "The device server shall establish the logical position after the failed encrypted block."  This will make the behavior consistent with reading a corrupted block.

2) Section 4.2.19.5, pg 8.  All the statements about establishing a UA for all other I_T Nexus that are affected by....
If this is the behavior that we take, then this will severely inhibit being able to use a third party device - like a Decru EKM transparent to the application.  The UA's will cause the applications or host on which the applications reside, to handle these UA's that it knows nothing about.

I think the UA's should be restricted to those I_T Nexus over which a Security Protocol Out/In command has been received and not to any body else.  This will allow using an External EKM transparent to applications.

3) Section 4.2.19.6, pg 8, second list. Should a "Prohibit Encryption" be added?

4) Section 4.2.19.7, pg 9.  Please add "CKORSC" to list.

5) Section 4.2.19.7, pg 9.  Item c) of list - key scope.  I was confused here and it took me some time to realize that "key scope" is referring to a value in Table Y2 for the "scope" field of the set data encryption page.  Please add a definition and/or cross reference for this term.

6) The following changes are desired by IBM.  We do not want to prohibit any out-of-band methods from being used.
Section 8.5.2.7, pg 19, last paragraph.  Remove the text "by processing a Set Data Encryption page."
Section 8.5.2.7, pg 20, first three paragraphs, change the text
     "in the Set Data Encryption page that established the key in the device server."
to
     "when the key was established in the device server."


EDITORIAL:

1) Section 4.2.19.6, pg 8, sentence leading into second list, "The set of possible data encryption scope values for an I_T nexus is limited to:" please remove "limited to".  "limited to" might lead a reader to infer intent that is not intended.

2) Section 4.2.19.11, pg 11 end of 1st paragraph.  Should "non-authenticated" be changed to "unauthenticated"?

3) Section 8.5.2.7, pg 19.  Second to last sentence on the page: "..., they shall be order of increasing..."  missing  the word "in".

3) Section 8.5.3.1, pg 23, second sentence in first paragraph.  I think "requested" should be changed to "sent".

4) Last paragraph of pg 26: "If the device server does is not...."  delete "does".

5) Page 28, last paragraph before section 8.5.4.  Missing D: "INCOMPLETE KEY - ASSOCIATE DATA SET" s/b  "INCOMPLETE KEY - ASSOCIATED DATA SET"

6) Section 8.5.4.1, pg 28, first sentence: "Several of the parameter pages in used" delete the "in"

Thanks,

Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt@us.ibm.com
http://www-03.ibm.com/servers/storage/