eap Mailing List: Re: Re: Rewrite of Section 2 of the EAP Key Management Framework

[Jari Arkko (jari.arkko]

Bernard Aboba wrote:

> > In the document we should not show the propagation of the EMSK and have
> > a statement like the following (I'm not sure where it goes yet):
> >    
>
> While I agree that we should not be adding material relating to the EMSK, we
> do have to be consistent with RFC 3748, which states that the EMSK is
> exported by EAP methods.  This means that the EAP peer/authenticator layer
> (and presumably the EAP layer) will receive the EMSK.  
>
> My current proposal is to state that the EMSK is passed down to the EAP
> peer/authenticator layer and EAP layer, but is never passed down to the
> lower layer, although keys calculated from the EMSK can be passed down to
> the lower layer if requested by the lower layer, as long as the EMSK itself
> is not exposed. 
>  
This works for me.

> > "Instead of using the EMSK directly keys should be derived for application
> > specific usage.  This usage and specification is beyond the scope of the
> > current document."
> >    
>
> I think that some language specifying that the lower layer never receives
> the EMSK, or quantities from which the EMSK can be derived should do the
> job.
>  
Yes. I also think that we should define the generic
formula for AMSKs. The only problem that I have is
whether we can agree on f in AMSK=f(EMSK).

--Jari