| Re: Issue 322: Key Scope | <– Date –> <– Thread –> |
From: Bernard Aboba (bernard_aboba hotmail.com)
|
|
| Date: Sun, 22 Jan 2006 21:29:17 -0800 (PST) | |
Has this issue been addressed in -09, or are more changes needed?
Issue 322: Key Scope Submitter name: Joe Salowey Submitter email address: jsalowey [at] cisco.com Date Submitted: December 1, 2005 Reference: Document: Keying-08 Comment type: T Priority: 1 Section: 2.4 Rationale/Explanation of issue: The key scope section is a little hard to understand. --- There is a lot of discussion about authenticator architecture which probably should be pulled into a separate section on authenticator architecture. --- The key scope recommendations should specify which key it refers to. I believe it refers to the AAA-key. --- There could be some more generic text about key scoping that describes the requirements in the lower layer such as:
- Identify what parameters in the lower layer define the key scope - In phase 0 communicate lower layer parameters that identify the key scope between Peer and Authenticator - If channel bindings are supported then include these parameters in the channel bindings in phase 1a - The peer can now use the key scope parameters to determine if it has correct keys for phase 2 lower layer protocol interactions Requested change:
Move the description of authenticator architecture to its own section ----
Include in the key scoping section introduction (2.4) something along the lines of the following text:
"Since authenticator architectures and deployment scenarios vary the usable scope of the keys derived by the peer and server and sent to the authenticator vary. By defining a key scope a lower layer can take advantage of key caches in the system to optimize lower layer interactions. In order to address key scoping the following needs to be specified by the lower layer:
- Identify what parameters in the lower layer define the key scope - In phase 0 communicate lower layer parameters that identify the key scope between Peer and Authenticator - If channel bindings are supported then include these parameters in the channel bindings in phase 1a - The peer can now use the key scope parameters to determine if it has correct keys for phase 2 lower layer protocol interactions"
The following sections describe key scoping with respect to the AAA-Key that is sent to the authenticator for lower layer protection. It is possible that a lower layer may define other keys and key uses which need to have scoping applied. ---
Make it clear that remaining parts of sections 2.4.1 and 2.4.2 refer to the AAA-Key.
- (no other messages in thread)
Results generated by Tiger Technologies using MHonArc.