Ralph Weber roweber at
Thu Mar 6 14:41:00 PST 2008

* From the T10 Reflector (t10 at, posted by:
* Ralph Weber <roweber at>
Sivan Tal wrote:
> <snip>
> Comment 4:
> The RECEIVE CREDENTIAL command must always include a logical unit (or SCSI
> device) and optionally a volume designator. When CbCS is used with volumes,
> the Capability field only contains identification of the volume, but the
> request must also include identification of the LU through which the volume
> is to be accessed. This allows the Security Manager to use the right shared
> key for the ICV. The new way you constructed the CDB allows for either LU
> or volume identifier. It should be either LU or LU+volume.
Since the LU information is not in the capability, how does
the enforcement manager determine the correct shared key
for use in its reconstruction of the capkey?
I spoke with Kevin about this, and the intention is to make this
credential format applicable to a volume regardless of the LU in
which it is mounted. Therefore, I am concerned that there are
some undesirable hidden connections here.
All the best,
* For T10 Reflector information, send a message with
* 'info t10' (no quotes) in the message body to majordomo at

More information about the T10 mailing list