To: t10@t10.org
Subject: SSC-3: Late Letter Ballot comment
From: Kevin D Butt <kdbutt@us.ibm.com>
Date: Thu, 20 Mar 2008 14:48:25 -0700
X-Message-Number: 8629

I received communication from an ISV today related to Encryption mode 
locking (4.2.21.11).  They were unable to determine if the locking applied 
when the data encryption parameters were set such that 
encryption/decryption is turned off.  In a close reading this clause 
refers to "...locked to that set of data encryption parameters and key 
instance counter value until a hard reset condition occurs or another 
[SPOUT command is received]"

In 4.2.21.6 Managing keys within the physical device, where it describes 
when to release a set of data encryption parameters, there is no mention 
of turning off encryption.  Therefore, the locking does apply to the saved 
set of encryption parameters even when encryption is turned off.  This is 
indeed the desired behavior.  However, it is not clear to the casual or 
novice standards reader that this is the case.

Proposed Solution (Editorial):
In 4.2.21.11, p2, add a new sentence after s1:

The LOCK bit in the Set Data Encryption page is set to one to lock the I_T 
nexus that issued the SECURITY PROTOCOL OUT command to the set of data 
encryption parameters established at the completion of the processing of 
the command.  A set of data encryption parameters are established and 
locked even if the ENCRYPTION MODE is set to DISABLE and the DECRYPTION 
MODE is set to DISABLE.

Thanks,
Kevin D. Butt
SCSI & Fibre Channel Architect, Tape Firmware
MS 6TYA, 9000 S. Rita Rd., Tucson, AZ 85744
Tel: 520-799-2869 / 520-799-5280
Fax: 520-799-2723 (T/L:321)
Email address: kdbutt@us.ibm.com
http://www-03.ibm.com/servers/storage/