RE: Strawman -10/EMSK deletion requirement?

From: Avi Lior (avi
Date: Thu, 9 Mar 2006 21:08:34 -0800 (PST)

Joe,

See inline....

> -----Original Message-----
> From: Salowey, Joe [mailto:jsalowey [at] cisco.com]
> Sent: Thursday, March 09, 2006 11:51 PM
> To: Avi Lior; Narayanan, Vidya; Jari Arkko
> Cc: eap [at] frascone.com
> Subject: RE: [eap] Strawman -10/EMSK deletion requirement?
>
> > > The
> > > EMSK MUST NOT be transported out of the EAP (AAA?) Layer and MUST be
> > > deleted when the corresponding EAP session expires.
> >
> > Replace EAP (AAA?) with EAP Authentication Server; and "corresponding
> > EAP session expires" with 'corresponding session has ended'.
> >
> > Motivation for above: Not sure if EAP session is defined; and you
> > delete the EMSK when the session is terminated either because it
> > expired or because it was explicitly terminated.
> >
>
> [Joe] I think we will probably need more definition around this.

[Avi] Okay.

> > > Further, an EMSK MUST NOT be used to generate more than one
> > > AMSK for a given application.
> >
> > I am not sure that the above does not pose a threat.
> > Normally we would think that one Application would require one AMSK.
> > But since we are not defining what an application is -- and we
> > shouldn't IMO enter that rat hole. Then what if there was some
> > application that requires two AMSKs? Is there harm?
> >
>
> [Joe] If they are generated at the same time I don't think there is a
> problem. If there is a delay in generation where the application
> requires the EMSK to be cached it is less than optimal.
>

[Avi] In another email thread we explored this further and the way I understand it is that an Application can have one AMSK key because:

FOO-AMSK = KGF(EMSK,"FOO" | ... | ...)

"FOO" is the Key Label and it must be unique.

FOO-A-AMSK = KGF(EMSK,"FOO-A" | ... | ...)
FOO-B-AMSK = KGF(EMSK,"FOO-B" | ... | ...)

Are really two different AMSKs and this is legal because these are viewed as two separate applications.

And

FOO-A-AMSK = KGF(EMSK,"FOO" | "A" | ...)
FOO-B-AMSK = KGF(EMSK,"FOO" | "B" | ...)

Generates two distinct keys but SHOULD not be legal.

I am not sure if this is defined correctly.

Finally, I am not sure how this has to do with EMSK caching or not.
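
The one-AMSK-per-label reading and the EMSK deletion requirement discussed in this message, as an added example that is not part of the original e-mail or of any EAP draft. The KGF is stood in for by HMAC-SHA256 in counter mode (an assumption, since the thread does not define it), and `EmskSession`, `derive_amsk` and `end_session` are hypothetical names.

```python
import hashlib
import hmac

class EmskSession:
    """Holds one EMSK; enforces one AMSK per key label and deletion at session end."""
    def __init__(self, emsk: bytes):
        self._emsk = bytearray(emsk)  # mutable, so it can be overwritten later
        self._labels_used = set()
        self._ended = False

    def derive_amsk(self, label: str, optional_data: bytes = b"", length: int = 32) -> bytes:
        if self._ended:
            raise RuntimeError("session ended: EMSK has been deleted")
        if label in self._labels_used:
            # Refuses KGF(EMSK, "FOO" | "A") followed by KGF(EMSK, "FOO" | "B").
            raise ValueError(f"AMSK already derived for label {label!r}")
        self._labels_used.add(label)
        lab = label.encode("ascii")
        # Length-prefix the label so the label/data boundary is unambiguous.
        info = len(lab).to_bytes(2, "big") + lab + optional_data
        # KGF stand-in (assumption): HMAC-SHA256 in counter mode.
        out, counter = b"", 1
        while len(out) < length:
            out += hmac.new(self._emsk, info + bytes([counter]), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def end_session(self) -> None:
        # Expired or explicitly terminated: overwrite the EMSK (best effort in Python).
        for i in range(len(self._emsk)):
            self._emsk[i] = 0
        self._ended = True


def demo() -> dict:
    s = EmskSession(bytes(range(64)))  # constructed 64-byte EMSK, not a real key
    a, b = s.derive_amsk("FOO-A"), s.derive_amsk("FOO-B")  # two labels, two applications
    s.derive_amsk("FOO", b"A")
    result = {"distinct": a != b, "second_refused": False, "after_end_refused": False}
    try:
        s.derive_amsk("FOO", b"B")  # second AMSK under the same label "FOO"
    except ValueError:
        result["second_refused"] = True
    s.end_session()
    try:
        s.derive_amsk("BAR")
    except RuntimeError:
        result["after_end_refused"] = True
    return result
```
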