eap Mailing List: Re: Issue: Key Scope

[Jari Arkko (jari.arkko]

Ok for me. --Jari

Salowey, Joe wrote:

> Submitter name: Joe Salowey	
> Submitter email address: jsalowey [at] cisco.com
> Date first submitted: 12/2/2005
> Reference: 
> Document: Keying Framework
> Comment type: T
> Priority: 1
> Section: 2.4
> Rationale/Explanation of issue:
>
> The key scope section is a little hard to understand. 
>
> ---
> There is a lot of discussion about authenticator architecture which
> probably should be pulled into a separate section on authenticator
> architecture.
> ---
> The key scope recommendations should specify which key it refers to.  I
> believe ti refers to the AAA-key.
> ---
> There could be some more generic text about key scoping that describes
> the requirements in the lower layer such as:
>
> - Identify what parameters in the lower layer define the key scope
> - In phase 0 communicate lower layer parameters that identify the key
> scope between Peer and Authenticator
> - If channel bindings are supported then include these parameters in the
> channel bindings in phase 1a
> - The peer can now use the key scope parameters to determine if it has
> correct keys for phase 2 lower layer protocol interactions
>
>
> Requested change:
>
> Move the description of authenticator architecture to its own section
>
> ----
>
> Include in the key scoping section introduction (2.4) something along
> the lines of the following text:
>
> "Since authenticator architectures and deployment scenarios vary the
> usable scope of the keys derived by the peer and server and sent to the
> authenticator vary.  By defining a key scope a lower layer can take
> advantage of key caches in the system to optimize lower layer
> interactions.  In order to address key scoping the following needs to be
> specified by the lower layer:
>
> - Identify what parameters in the lower layer define the key scope
> - In phase 0 communicate lower layer parameters that identify the key
> scope between Peer and Authenticator
> - If channel bindings are supported then include these parameters in the
> channel bindings in phase 1a
> - The peer can now use the key scope parameters to determine if it has
> correct keys for phase 2 lower layer protocol interactions"
>
> The following sections describe key scoping with respect to the AAA-Key
> that is sent to the authenticator for lower layer protection.  It is
> possible that a lower layer may define other keys and key uses which
> need to have scoping applied.  
>
> ---
>
> Make it clear that remaining parts of sections 2.4.1 and 2.4.2 refer to
> the AAA-Key.
> _________________________________________________________________
> To unsubscribe or modify your subscription options, please visit:
> http://lists.frascone.com/mailman/listinfo/eap
>
> Arhives: http://lists.frascone.com/pipermail/eap
>
>
>