Subject: RE: Strawman -10/EMSK deletion requirement?

From: Narayanan, Vidya (vidyan

Date: Thu, 9 Mar 2006 07:25:20 -0800 (PST)
> > >Putting all this together, is it fair to say this then?
> >
> >"The EMSK MUST NOT be used to generate any keys other than AMSKs needed
> >for the same EAP peer that owns the EMSK. The EMSK MUST NOT be
> >transported out of the EAP (AAA?) Layer and MUST be deleted when the
> >corresponding EAP session expires. Further, an EMSK MUST NOT be used to
> >generate more than one AMSK for a given application. If more keys are
> >needed for an application, those may be derived from the AMSK
> >subsequently by the entities sharing the AMSK. It is RECOMMENDED that
> >all necessary AMSKs corresponding to various applications be generated
> >immediately upon EMSK generation and that the EMSK be deleted right
> >away thereafter."
> >
>
> I think I can live with this text. As I said in a previous
> e-mail, I have been convinced that we need to support some
> form of dynamic generation of AMSKs.
>
> We also seem to be coming to a consensus on keeping the EMSK
> at the server side.
>
> But I still have a few nagging thoughts:
>
> 1. In order to avoid a situation that suddenly all AAA servers need to start
> keeping state, do we need to require an authorization profile
> flag, configuration knob, or attribute to signal the need for
> keeping state?
>

I wonder if this could be handled by policy alone. A flag or signal would be
better and more explicit - did you think this would be signaled by the peer?
The authenticator will not have sufficient knowledge about the applications
that the peer is interested in, and hence this should probably come from the
peer - now we are talking about introducing this into EAP messaging, right?

> 2. The text does not tell us how to determine when all necessary
> AMSKs have been generated.
>

Maybe the text should also say "The server may have policies to indicate the
number of AMSKs a peer is authorized for - once those are derived, the EMSK is
deleted" - ?

-Vidya
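The strawman text quoted above, together with Vidya's suggestion that a server
policy lists the applications a peer is authorized for, amounts to a small set
of rules a server-side key holder can enforce mechanically. The following is an
added illustration of those rules; it is not code from the thread, the EAP
working group or any implementation. The KDF shape (an HMAC-SHA-256 expand
step in the style of HKDF), the "AMSK:"/"child:" labels, the 64-byte EMSK and
the class and function names are all assumptions made for this example; the
thread does not specify a derivation function.

```python
"""Server-side EMSK holder enforcing the strawman -10 rules (added example).

Assumptions not taken from the thread: HKDF-style HMAC-SHA-256 KDF, ASCII
application labels, 64-byte EMSK, and the policy being a fixed set of
authorized application names per peer.
"""
import hashlib
import hmac


def kdf(key: bytes, label: str, length: int, context: bytes = b"") -> bytes:
    """Assumed KDF: T(i) = HMAC-SHA-256(key, T(i-1) | label | 0x00 | context | i),
    concatenated and truncated to `length` bytes (HKDF-Expand shape)."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + label.encode("ascii") + b"\x00" + context
                        + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:length]


class EmskHolder:
    """Holds one EAP peer's EMSK at the server and enforces:
    - nothing but AMSKs is derived from the EMSK, and only for authorized apps
      (the per-peer authorization policy Vidya suggests);
    - at most one AMSK per application;
    - the EMSK is overwritten once every authorized AMSK exists, or on expiry.
    """

    def __init__(self, emsk: bytes, authorized_apps) -> None:
        self._emsk = bytearray(emsk)                    # mutable so it can be zeroed
        self._authorized = frozenset(authorized_apps)   # the policy "knob"
        self._amsks = {}                                # application -> AMSK
        self.deleted = False

    def derive_amsk(self, application: str, length: int = 64) -> bytes:
        if self.deleted:
            raise RuntimeError("EMSK already deleted; derive further keys from the AMSK")
        if application not in self._authorized:
            raise PermissionError("peer not authorized for application %r" % application)
        if application in self._amsks:
            raise RuntimeError("EMSK MUST NOT yield more than one AMSK per application")
        amsk = kdf(bytes(self._emsk), "AMSK:" + application, length)
        self._amsks[application] = amsk
        if set(self._amsks) == self._authorized:
            # Every AMSK the policy allows now exists: nothing left to keep the EMSK for.
            self.delete()
        return amsk

    def delete(self) -> None:
        """Session expiry or policy exhaustion: overwrite the EMSK and stop serving.
        (Only this buffer is cleared; copies the caller made are its own problem.)"""
        self._emsk[:] = bytes(len(self._emsk))
        self.deleted = True


def derive_from_amsk(amsk: bytes, purpose: str, length: int = 32) -> bytes:
    """Keys needed beyond the single AMSK are derived from the AMSK by the
    entities that share it, so the EMSK is never needed again."""
    return kdf(amsk, "child:" + purpose, length)


def demo():
    """Constructed sample run: a peer authorized for two applications."""
    emsk = bytes(range(64))   # constructed placeholder, not a real key
    holder = EmskHolder(emsk, {"mobility", "reauth"})
    amsk_mob = holder.derive_amsk("mobility")
    deleted_after_first = holder.deleted        # False: policy not yet exhausted
    amsk_re = holder.derive_amsk("reauth")
    return {"holder": holder, "mobility": amsk_mob, "reauth": amsk_re,
            "deleted_after_first": deleted_after_first,
            "ik": derive_from_amsk(amsk_mob, "integrity")}


if __name__ == "__main__":
    r = demo()
    print("EMSK deleted after last authorized AMSK:", r["holder"].deleted)
    print("mobility AMSK:", r["mobility"].hex()[:32], "...")
```

The holder answers the two open points in the message: point 1 is the
`authorized_apps` policy passed in at construction (whoever supplies it, peer
signal or server profile, is outside this example), and point 2 is the
`set(self._amsks) == self._authorized` test that decides when the EMSK may go.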
Thread: RE: Strawman -10/EMSK deletion requirement? (continued)

- RE: Strawman -10/EMSK deletion requirement?  Narayanan, Vidya, March 8 2006
  - Re: Strawman -10/EMSK deletion requirement?  Jari Arkko, March 9 2006
  - RE: Strawman -10/EMSK deletion requirement?  Avi Lior, March 9 2006
  - RE: Strawman -10/EMSK deletion requirement?  Avi Lior, March 9 2006
  - RE: Strawman -10/EMSK deletion requirement?  Narayanan, Vidya, March 9 2006
- RE: Strawman -10/EMSK deletion requirement?  Narayanan, Vidya, March 8 2006
  - RE: Strawman -10/EMSK deletion requirement?  Narayanan, Vidya, March 9 2006
  - RE: Strawman -10/EMSK deletion requirement?  Avi Lior, March 9 2006
- RE: Strawman -10/EMSK deletion requirement?  Glen Zorn (gwz), March 9 2006
  - Re: Strawman -10/EMSK deletion requirement?  Jari Arkko, March 9 2006