RE: Proposed Resolution to Issue 323: AAA Key Cache

From: Salowey, Joe (jsalowey
Date: Tue, 24 Jan 2006 23:42:38 -0800 (PST)

How about:

"In order to prevent keys from exposure beyond their intended usage a key should not typically be both transported and cached by an entity. An entity may cache a key for the purpose of deriving additional keys for other uses. In this case the cached key should only be used for key derivation purposes and the key derivation function should provide cryptographic separation between the derived keys and the cached key."

> -----Original Message-----
> From: Bernard Aboba [mailto:Bernard_Aboba [at] hotmail.com]
> Sent: Monday, January 16, 2006 6:46 PM
> To: Salowey, Joe; eap [at] frascone.com
> Subject: RE: [eap] Proposed Resolution to Issue 323: AAA Key Cache
>
> [Joe] Why do you want to use the same key in both places?
>
> [BA] I don't know why that would be necessary or desirable.
>
> [Joe] If I understand the current text correctly it is stating that an
> entity should not simultaneously cache and transport a key. In general
> this is good practice because it prevents reuse of a key, if you are
> going to give someone else a key for a specific purpose you should not
> hold onto it for another use. While I don't agree with a MUST NOT
> cache transported keys, I would question why you would want to do this.
> It seems that the current text allows one to cache a key and export keys
> derived from it. Perhaps the text should explicitly say so.
>
> [BA] That sounds reasonable. Do you have some text to suggest?
>
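
The rule proposed in this message (cache a key only as key-derivation input, transport only keys derived from it) can be sketched as follows. This is an added example, not part of the original e-mail or of any EAP specification; the class name, the purpose and recipient labels, and the choice of HKDF-Expand (RFC 5869) with HMAC-SHA256 as the key derivation function are assumptions, and the cached key is assumed to be uniformly random so the HKDF extract step is skipped.

```python
import hashlib
import hmac


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    if length > 255 * 32:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class DerivationOnlyCache:
    """Hypothetical cache: the stored key is KDF input only, never transported."""

    def __init__(self, cached_key: bytes):
        if len(cached_key) < 32:
            raise ValueError("cached key too short")
        self._key = cached_key

    def derive_for(self, purpose: str, recipient: str) -> bytes:
        # Length-prefix each field so ("ab", "c") and ("a", "bc") give different
        # KDF input; distinct inputs are what separate the derived keys.
        fields = (purpose.encode(), recipient.encode())
        info = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
        return hkdf_expand(self._key, info)

    def export_cached_key(self) -> bytes:
        # Transporting the cached key itself would break the "not both" rule.
        raise PermissionError("cached key is derivation-only; transport a derived key")


def demo() -> bool:
    root = bytes(range(32))  # constructed sample key, not a real secret
    cache = DerivationOnlyCache(root)
    key_a = cache.derive_for("transport", "authenticator-A")  # constructed labels
    key_b = cache.derive_for("transport", "authenticator-B")
    # Each recipient gets a different key, and neither equals the cached key.
    return key_a != key_b and root not in (key_a, key_b)


if __name__ == "__main__":
    print("separated:", demo())
```

Because HMAC is one-way in its key, a recipient holding one derived key learns neither the cached key nor the keys derived for other recipients, which is the separation property the proposed text asks of the key derivation function.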