Make Certificate Data Optional for SECURITY PROTOCOL IN Command (T10/06-372r0)

Roger Cummings roger_cummings at symantec.com
Tue Aug 15 20:45:52 PDT 2006


* From the T10 Reflector (t10 at t10.org), posted by:
* "Roger Cummings" <roger_cummings at symantec.com>
*
Paul,

For the tape drive encryption work in SSC-3 you are probably right that
a certificate is not an absolute requirement, although frankly even in
that case it would be nice for an application to unambiguously identify
a specific device BEFORE loading it with keying material - and a
certificate is one part of that.

However I believe that a certificate WILL be required to support some of
the Security Protocols in the future, and I believe it's required today
for the TCG protocols. Therefore would it be acceptable to you if the
support for code 0001h was dependent on the other protocols supported by
the device? We could define this today as mandatory for the protocols
defined by TCG, and optional for all others. Each definition of a new
security protocol value would therefore need to contain a definition of
the support status of code 0001h.

Note that I think there's a good reason that code 0001h is defined in
SPC-4 today. As repugnant as certificate support is to some folks, what
would be even more repugnant to everybody would be the need to provision
MULTIPLE different certificates in a storage device to support multiple
security protocols.

Regards,
Roger Cummings
SYMANTEC
roger_cummings at symantec.com

> -----Original Message-----
> From: owner-t10 at t10.org [mailto:owner-t10 at t10.org] On Behalf 
> Of Paul Suhler
> Sent: Monday, August 14, 2006 3:45 PM
> To: t10 at t10.org
> Subject: Make Certificate Data Optional for SECURITY PROTOCOL 
> IN Command (T10/06-372r0)
> 
> * From the T10 Reflector (t10 at t10.org), posted by:
> * "Paul Suhler" <Paul.Suhler at Quantum.Com>
> *
> Hi, everyone.
> 
> The above proposal is now available on the T10 server: 
> 
>    http://www.t10.org/ftp/t10/document.06/06-372r0.pdf
> 
> If anyone believes that a storage device simply can't work 
> without presenting an X.509 certificate, I'd like to hear 
> about it at your earliest convenience.
> 
> Thanks very much,
> 
> Paul Suhler
> Quantum
> 
> *
> * For T10 Reflector information, send a message with
> * 'info t10' (no quotes) in the message body to majordomo at t10.org
> 