Re: Issue 339: Use of Session-Timeout in Pre-authentication

From: Yoshihiro Ohba (yohba
Date: Tue, 28 Mar 2006 19:27:15 -0800 (PST)

I agree.

Yoshihiro Ohba

On Tue, Mar 28, 2006 at 03:40:52PM -0800, Bernard Aboba wrote:
> >I actually liked the old text since it was very clear: ALL exported
> >keys expire at Session-Timeout time, no exceptions. This seems
> >to make sense, still.
> >
> >I do agree that it might make sense to have additional lifetimes
> >specified for the preauth case, but I see those as additional
> >constraints rather than something that replaces Session-Timeout.
>
> I think the issue is how to specify *both* the Session-Timeout and the
> pre-auth timeout. If only Session-Timeout is included, the meaning is
> clear -- all keys expire when Session-Timeout runs out. However, if a
> pre-auth timeout attribute is included then the question is how to specify
> the maximum lifetime of the session, as opposed to the key lifetime. I'd
> like to leave some wiggle room for future documents.
>
> How about this?
>
> "Where EAP is used for pre-authentication, the session may not start until
> some future time, or may never occur. Nevertheless, the Session-Timeout value
> represents the maximum time after which transported EAP keying material,
> and all keys calculated from it, will have expired on the authenticator.
> If the session subsequently starts, re-authentication will be initiated
> once the Session-Time has expired. If the session never started, or started
> and ended, by default keys transported by AAA and all keys calculated from
> them will be expired by the authenticator prior to the future time
> indicated by Session-Timeout. Note that in future additional attributes
> may be specified to control the lifetime of cached keys; these attributes
> may modify the meaning of the Session-Timeout attribute in specific
> circumstances."