RE: Strawman -10/EMSK deletion requirement?
From: Salowey, Joe (jsaloweycisco.com)
Date: Thu, 9 Mar 2006 20:43:48 -0800 (PST)
 

> > The EMSK MUST NOT be transported out of the EAP (AAA?) Layer and
> > MUST be deleted when the corresponding EAP session expires.
> 
> Replace EAP (AAA?) with EAP Authentication Server; and "corresponding
> EAP session expires" with 'corresponding session has ended'.
> 
> Motivation for above: Not sure if EAP session is defined; and you delete
> the EMSK when the session is terminated either because it expired or
> because it was explicitly terminated.
> 

[Joe] I think we will probably need more definition around this.
 
> > Further, an EMSK MUST NOT be used to generate more than one 
> > AMSK for a given application. 
> 
> I am not sure that the above does not pose a threat.  Normally we would
> think that one Application would require one AMSK.  But since we are not
> defining what an application is -- and we shouldn't IMO enter that rat
> hole.  Then what if there was some application that requires two
> AMSKs?  Is there harm?
> 

[Joe] If they are generated at the same time I don't think there is a
problem.  If there is a delay in generation where the application
requires the EMSK to be cached it is less than optimal.  

