Subject: Issue: Use of term lower layer
From: Salowey, Joe (jsalowey
Date: Thu, 1 Dec 2005 15:01:31 -0800 (PST)
Submitter name: Joe Salowey
Submitter email address: jsalowey [at] cisco.com
Date first submitted: 12/1/2005
Reference:
Document: Keying Framework
Comment type: E
Priority: '1' Should fix
Section: 2

Rationale/Explanation of issue:

The term lower layer is used inconsistently in the document. Lower layer should refer to the protocol between the EAP Peer and the EAP Authenticator. It is between these entities that the security association protocol is typically run. The MSK is transported to the lower layer. AAA is not an EAP lower layer except in the special case where the AAA client and server are acting as the EAP Peer and EAP Authenticator for some reason (an example of this was in EUSM). Entities other than the lower layer may obtain keys derived from the EMSK.

Requested change:

Section 2.1
-----------

Change

"Of these phases, Phase 0, 1b and Phase 2 are handled by a lower layer."

To

"Of these phases, Phase 0, 1b and Phase 2 are handled external to EAP. Phases 0 and 2 are handled by the lower layer protocol and phase 1b is typically handled by a AAA protocol."

Section 2.2
-----------

(remove references to IV)

---
Change

"The EMSK MUST NOT be provided to the lower layer, nor is it permitted to pass any quantity to the lower layer from which the EMSK could be computed without breaking some cryptographic assumption, such as inverting a one-way function."

To

"The EMSK MUST NOT be provided to an entity outside the EAP server or peer, nor is it permitted to pass any quantity to an entity outside the EAP server or peer from which the EMSK could be computed without breaking some cryptographic assumption, such as inverting a one-way function."

---
Change

"In order to preserve the security of keys derived within EAP methods, lower layers other than AAA MUST NOT export keys passed down by EAP methods."

To

"In order to preserve the security of keys derived within EAP methods, lower layers MUST NOT export keys passed down by EAP methods."

---
Change

"EAP keying material and parameters provided to a lower layer other than AAA MUST NOT be transported to another entity."

To

"EAP keying material and parameters provided to a lower layer MUST NOT be transported to another entity."

---
Change

"The exception to the "no sharing" rule is the AAA layer. On EAP server, keying material requested by and passed down to the AAA layer may be replicated to the AAA layer on the authenticator. On the authenticator, the AAA layer may provide the replicated keying material to the lower layer over which the EAP authentication conversation took place. This enables "mode independence" to be maintained."

To

"The AAA layer may transport keys that are exported from the EAP server. On EAP server, keying material requested by and passed down to the AAA layer may be replicated to the AAA layer on the authenticator. On the authenticator, the AAA layer may provide the replicated keying material to the lower layer over which the EAP authentication conversation took place. This enables "mode independence" to be maintained."

-----------
Section 2.3
-----------

Change

"The caching behavior of existing EAP lower layers is as follows:"

To

"The caching behavior of existing EAP lower layers and AAA layers is as follows:"
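The key-handling boundaries this message argues for (the MSK is the one quantity passed down to the lower layer, possibly carried there by the AAA layer; the EMSK never leaves the EAP server or peer, and other entities receive only keys derived from it; a lower layer has no way to re-export what it was given) can be modelled as an API shape. The following is an added Python example and is not part of Joe Salowey's message or of the keying framework draft; the HMAC-SHA256 counter-mode `kdf`, the 64-byte key lengths, the labels and the class names are assumptions made for illustration, not the framework's own derivation.

```python
import hashlib
import hmac
import secrets

# Assumed key lengths for this example (the framework draft defines the real ones).
MSK_LEN = 64
EMSK_LEN = 64


def kdf(root: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode KDF (an assumed construction for this example).
    Output reveals nothing about `root` short of breaking HMAC's one-wayness,
    which is the property the 'no quantity from which the EMSK could be
    computed' rule relies on."""
    out = b""
    counter = 1
    while len(out) < length:
        msg = bytes([counter]) + label + b"\x00" + context + length.to_bytes(2, "big")
        out += hmac.new(root, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class EapKeyingMaterial:
    """MSK and EMSK produced by one EAP method run, held inside the EAP server
    (or the EAP peer). Only the MSK is ever handed out; the EMSK is used by
    derivation only. Name mangling (__emsk) documents the boundary, it does
    not enforce it: real enforcement is process or hardware separation."""

    def __init__(self, msk: bytes, emsk: bytes):
        self.__msk = msk
        self.__emsk = emsk

    @classmethod
    def from_method_run(cls) -> "EapKeyingMaterial":
        # Constructed stand-in for an EAP method's key output.
        return cls(secrets.token_bytes(MSK_LEN), secrets.token_bytes(EMSK_LEN))

    def export_msk(self) -> bytes:
        """The MSK is the quantity passed down to the lower layer (on the
        server side, replicated to the authenticator via the AAA layer)."""
        return self.__msk

    def derive_from_emsk(self, label: bytes, context: bytes = b"", length: int = 64) -> bytes:
        """Hand a usage-specific key to an entity outside the lower layer;
        the EMSK itself stays inside the EAP server/peer."""
        return kdf(self.__emsk, label, context, length)


class LowerLayer:
    """The protocol between EAP peer and EAP authenticator over which the
    security association protocol runs. It consumes the MSK and offers no
    export path (the 'no sharing' rule)."""

    def __init__(self, name: str):
        self.name = name
        self.__msk = None

    def receive_msk(self, msk: bytes) -> None:
        if self.__msk is not None:
            raise RuntimeError(f"{self.name}: MSK already installed for this session")
        self.__msk = msk

    def establish_sa(self, peer_nonce: bytes, auth_nonce: bytes) -> bytes:
        """Transient session key for the security association; peer and
        authenticator compute the same value from the MSK plus fresh nonces."""
        if self.__msk is None:
            raise RuntimeError(f"{self.name}: no MSK, EAP authentication has not completed")
        return kdf(self.__msk, b"SA session key", peer_nonce + auth_nonce, 32)


class AaaLayer:
    """Carries keys exported from the EAP server to the authenticator's lower
    layer. It replicates the MSK and never sees the EMSK."""

    def transport(self, server_material: EapKeyingMaterial, authenticator_ll: LowerLayer) -> None:
        authenticator_ll.receive_msk(server_material.export_msk())


def run_exchange(msk: bytes, emsk: bytes, peer_nonce: bytes, auth_nonce: bytes) -> dict:
    """Walk the full flow: both ends hold the same EAP output, the MSK reaches
    each side's lower layer, and both lower layers agree on the SA key."""
    server = EapKeyingMaterial(msk, emsk)     # EAP server
    peer = EapKeyingMaterial(msk, emsk)       # EAP peer (method output agrees)
    authenticator_ll = LowerLayer("authenticator")
    peer_ll = LowerLayer("peer")
    AaaLayer().transport(server, authenticator_ll)   # phase 1b
    peer_ll.receive_msk(peer.export_msk())           # local hand-down on the peer
    return {
        "auth_sa_key": authenticator_ll.establish_sa(peer_nonce, auth_nonce),
        "peer_sa_key": peer_ll.establish_sa(peer_nonce, auth_nonce),
        "usage_key": server.derive_from_emsk(b"some other usage"),
    }


if __name__ == "__main__":
    r = run_exchange(bytes(range(64)), bytes(range(64, 128)), b"\x01" * 16, b"\x02" * 16)
    print("SA keys agree:", r["auth_sa_key"] == r["peer_sa_key"])
```

The shape is the point: `LowerLayer` has `receive_msk` and `establish_sa` but no accessor returning the MSK, and `EapKeyingMaterial` has `export_msk` and `derive_from_emsk` but no `export_emsk`, so the only thing that can cross to another entity is the MSK (via `AaaLayer.transport`) or an EMSK-derived key.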