| RE: Strawman -10/EMSK deletion requirement? | <– Date –> <– Thread –> |
From: Salowey, Joe (jsalowey cisco.com)
|
|
| Date: Thu, 9 Mar 2006 21:35:43 -0800 (PST) | |
> > > > The > > > > EMSK MUST NOT be transported out of the EAP (AAA?) Layer > > and MUST be > > > > deleted when the corresponding EAP session expires. > > > > > > Replace EAP (AAA?) with EAP Authentication Server; and > > "corresponding > > > EAP session expires" with 'corresponding session has ended'. > > > > > > Motivation for above: Not sure if EAP session is defined; and you > > > delete the EMSK when the session is terminated either because it > > > expired or because it was explicitly terminated. > > > > > > > [Joe] I think we will probably need mopre definition around this. > > [Avi] Okay. > > > > > Further, an EMSK MUST NOT be used to generate more than one > > > > AMSK for a given application. > > > > > > I am not sure that the above does not pose a threat. > > > Normally we would > > > think that one Application would require one AMSK. But since > > > we are not > > > defining what an application is -- and we shouldn't IMO > > enter that rat > > > hole. Then what if there was some application that > requires an two > > > AMSKs.? Is there harm? > > > > > > > [Joe] If they are generated at the same time I don't think > there is a > > problem. If there is a delay in generation where the application > > requires the EMSK to be cached it is less than optimal. > > > [Avi] In another email thread we explored this further and the way I > understand it is that an Application can have one AMSK key because: > > FOO-AMSK = KGF(EMSK,"FOO" | ... | ...) > > "FOO" is a the Key Lable and it must be unique. > > FOO-A-AMSK = KGF(EMSK,"FOO-A" | ... | ...) > FOO-B-AMSK = KGF(EMSK,"FOO-B" | ... | ...) > > Are really two differnet AMSKs and this is legal because these are > viewed as two separate applications. > > And > FOO-A-AMSK = KGF(EMSK,"FOO" | "A" | ...) > FOO-B-AMSK = KGF(EMSK,"FOO" | "B" | ...) > > Generates two distinct keys but SHOULD not be legal. > > I am not sure if this is defined correctly. > [Joe] I'm not sure the last has to be illegal but it calls into question the "M" in AMSK. It would be better to derive these two keys off an AMSK for FOO. > Finally, I am not sure how this has to do with EMSK caching or not. [Joe] Any one application should not introduce a requirement to cache the EMSK. If you are going to derive keys at different times for an application this should be done off an AMSK not the EMSK.
- Re: Strawman -10/EMSK deletion requirement?, (continued)
- Re: Strawman -10/EMSK deletion requirement? Jari Arkko, March 12 2006
- Re: Strawman -10/EMSK deletion requirement? Rafa Marin Lopez, March 13 2006
- Re: Strawman -10/EMSK deletion requirement? Jari Arkko, March 14 2006
- Re: Strawman -10/EMSK deletion requirement? Rafa Marin Lopez, March 14 2006
- Re: Strawman -10/EMSK deletion requirement? Jari Arkko, March 12 2006
Results generated by Tiger Technologies using MHonArc.