RE: the outcome of EMSK and AMSK discussion?

From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjiri
Date: Wed, 30 Nov 2005 14:42:26 -0800 (PST)

Hi Joe,

Yes, I was asking since as I recall the end of review period was end of November, but it was not clear what the outcome of the review was supposed to be?

I guess I agree with most of the answers you provided, except the response to Q on deleting or caching EMSK: "The sooner an implementation deletes the EMSK the better." This relates to when an AMSK for an application can be requested from the EAP server (if EAP server is to calculate AMSKs).

Thanks,
Madjid

[Joe] It seemed like we were converging based on what was on the list, but I'm not sure we closed on all these issues. I'll try to go through the document and make recommendations by the end of the week, but it is up to the authors and chairs as to the next steps.

> Qs:
> AAA server versus EAP server? Their roles? Are you adding the KDF as
> another entity?

[Joe] The EAP server is responsible for authentication and has very limited (hopefully none) application specific knowledge. The AAA server contains the application specific logic to perform authorization and other application specific tasks based on the output of the EAP server. I think the KDF is best kept as part of the EAP Server. It is an interface to a specific function supported by an EAP server.

> Does the AAA server (lower layer at backend EAP server) get the AMSK
> after requesting it from the EAP layer (which holds the EMSK)?

[Joe] The application that requests the AMSK gets the AMSK (unless there is some authorization or policy that prevents it). The AAA server can contain one or more applications that can request AMSKs so yes the AAA server can obtain an AMSK. There is no AMSK specific to a AAA server, an AMSK is specific to an application supported by a AAA server.

> Is EMSK cached at all or is it deleted right away?

[Joe] The sooner an implementation deletes the EMSK the better. Applications that need AMSKs should determine the need for the AMSK as soon as possible and request it. These are basic guidelines, I'm not sure if we have resolved the issue of caching the EMSK yet.

> Can we assume one AMSK per application authorized by AAA server?
>

[Joe] Each application can obtain one or more AMSKs. An AMSK should not be used for two different applications.
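
The trade-off discussed in this thread (delete the EMSK as early as possible, versus applications that ask for an AMSK later), as an added example that is not part of the original messages. The class `EapServerKdf`, its method names, the labels and the HMAC-SHA256 stand-in KDF are assumptions made for illustration, not anything specified on the list.

```python
import hashlib
import hmac

class EmskDeleted(Exception):
    """Raised when an AMSK is requested after the EMSK has been wiped."""

class EapServerKdf:
    """Hypothetical KDF interface of an EAP server holding one session's EMSK."""

    def __init__(self, emsk: bytes):
        self._emsk = bytearray(emsk)  # mutable so it can be overwritten later
        self._owner = {}              # key label -> application that first used it

    def request_amsk(self, application: str, key_label: str, length: int = 32) -> bytes:
        if self._emsk is None:
            raise EmskDeleted(f"{application}: EMSK already deleted")
        # An AMSK should not be used for two different applications, so a
        # label stays bound to the first application that requested it.
        owner = self._owner.setdefault(key_label, application)
        if owner != application:
            raise PermissionError(f"label {key_label!r} belongs to {owner}")
        # Stand-in KDF (assumption): HMAC-SHA256 in counter mode, keyed with
        # the EMSK, over the application name and key label.
        info = application.encode() + b"\x00" + key_label.encode()
        out, counter = b"", 1
        while len(out) < length:
            out += hmac.new(self._emsk, info + bytes([counter]), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def delete_emsk(self) -> None:
        # Best-effort wipe: Python may still hold internal copies of the key.
        if self._emsk is not None:
            for i in range(len(self._emsk)):
                self._emsk[i] = 0
            self._emsk = None

def demo():
    kdf = EapServerKdf(bytes(range(64)))       # constructed 64-byte EMSK
    a = kdf.request_amsk("app-A", "handover")  # requested right after EAP
    b = kdf.request_amsk("app-B", "billing")
    kdf.delete_emsk()                          # "the sooner ... the better"
    try:
        kdf.request_amsk("app-C", "late")      # application that asked too late
        late = "issued"
    except EmskDeleted:
        late = "refused"
    return a != b, late
```

Once `delete_emsk()` has run, a late request can only be served if something else (a cached EMSK or a new EAP exchange) supplies the key, which is the caching question the thread leaves open.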