Re: Key derivation and the principle of equivalence
From: Yoshihiro Ohba (yohbatari.toshiba.com)
Date: Wed, 18 May 2005 19:26:12 -0400 (EDT)
On Wed, May 18, 2005 at 04:59:09PM +0300, Jari Arkko wrote:
> Bernard Aboba wrote:
> 
> >>If I understand your comment correctly, even if the key Management
> >>framework document defines EAP session-ID (or some other attribute
> >>that serves as key versioning), if Diameter EAP needs to carry that
> >>attribute, I think the attribute needs to be added in the Diameter EAP
> >>document and recycling would be needed anyway.
> >>   
> >>
> >
> >Yes, I think that's true.
> > 
> >
> I believe the key phrase above (no pun intended) is "if ...
> needs to carry". Current usage of EAP does not really
> use key names at this level for anything. My suspicion
> is that we will only need the names when we go to the
> more interesting scenarios, like fast handoffs, or application
> usage of EAP keys. But these are likely to require new
> AAA support anyway.

In the case of Diameter EAP, since Diameter runs over reliable
transport, we can probably say that the authenticator can distinguish
old and new MSKs received from the EAP server without carrying key
versioning information.

AMSK will need key names to be carried because the consumer of AMSK
may not be an authenticator, but this will require new AAA support as 
Jari mentioned above.

For the above reasons, I personally have no issue with moving the
Diameter EAP document forward if my observation is correct.

Yoshihiro Ohba



> 
> (Lets not delay Diameter EAP unless we really need to.)
> 
> --Jari
> 
> 
> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap
