Subject: RE: Re: KDF Negotiation for AMSK derivation
From: Narayanan, Vidya (vidyan
Date: Wed, 5 Apr 2006 22:26:36 -0700 (PDT)
> -----Original Message-----
> From: Salowey, Joe [mailto:jsalowey [at] cisco.com]
> Sent: Wednesday, March 22, 2006 7:20 AM
> To: Jari Arkko
> Cc: Bernard Aboba; eap [at] frascone.com
> Subject: RE: [eap] Re: KDF Negotiation for AMSK derivation
>
> > -----Original Message-----
> > From: Jari Arkko [mailto:jari.arkko [at] piuha.net]
> > Sent: Wednesday, March 22, 2006 5:32 AM
> > To: Salowey, Joe
> > Cc: Bernard Aboba; eap [at] frascone.com
> > Subject: Re: [eap] Re: KDF Negotiation for AMSK derivation
> >
> > >>Just to clarify what you are proposing -- are you saying that (a) we
> > >>should deliver both MSK and EMSK to the lower layer and that (b) in
> > >>addition prohibit AAA from transporting the EMSK?
> > >
> > >[Joe] This to me sounds like a contradiction so I do not possibly see
> > >how it could work. Perhaps I am not understanding the term "lower
> > >layer".
> >
> > I think we have a terminology problem. I thought what Bernard was
> > suggesting is that you provide the MSK and EMSK through the API to
> > whatever is calling EAP. And then setting an additional requirement to
> > AAA that it cannot transport one of the quantities out of the box.
>
> [Joe] If it is only a terminology problem that is OK, I'm not
> completely sure that it is. We need to clean up the
> terminology around lower layer.
> My understanding of lower layer is it is the protocol between
> the EAP Peer and EAP Authenticator where ciphering may be
> applied based on keys derived from the EAP exchange. The
> endpoints of the lower layer do not always directly invoke EAP.

I just looked up RFC3748 and the EAP Keying Framework and realized that there isn't a definition for the term "lower layer". I would recommend adding a definition to the terminology section of the keying framework draft. Lower layer, to me, means the layer over which EAP runs. Between the peer and the authenticator, this would be the layer that runs the secure association protocol to derive TSKs, while between the authenticator and the AS, this would be the AAA protocol carrying EAP, for instance.

> We need a different name for the "EAP caller" which is the
> entity that is calling the EAP module, which may be located
> on the authenticator or on a separate device such as a AAA server.

A different name sounds okay - but we do want to make sure what we say is clear about the EMSK never being transported out of the entity deriving it. The text in the paragraph above is not clear to me in that context.

Vidya
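The key-handling boundary the thread is circling (the EAP method exports both MSK and EMSK to whatever calls it, AAA carries only the MSK to the authenticator, and anything derived from the EMSK is computed by the entity that derived the EMSK) can be made concrete as a small model. The following is an added illustration by the editor, not code from any list participant, RFC, or EAP implementation. It assumes a constructed stand-in for the method's key derivation, the conventional RADIUS split of the MSK into MS-MPPE-Recv-Key/MS-MPPE-Send-Key, and an HMAC-SHA-256 counter-mode expansion with a label/optional-data/length seed as the AMSK KDF; that KDF layout is an assumption for illustration, since the KDF was exactly what the thread was still negotiating.

```python
"""Model of the EAP key-export boundary: MSK and EMSK go to the EAP caller,
only the MSK goes onto the AAA transport, and AMSKs are derived locally.
Added illustration; all key values and the KDF shape are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

MSK_LEN = 64   # RFC 3748 section 7.10: MSK and EMSK are each at least 64 octets
EMSK_LEN = 64


class KeyExportViolation(Exception):
    """Raised when EMSK material would be placed on the AAA transport."""


@dataclass(frozen=True)
class EapKeyMaterial:
    """What the EAP method exports to its caller when the method succeeds."""
    msk: bytes
    emsk: bytes


def eap_method_complete(method_secret: bytes) -> EapKeyMaterial:
    """Constructed stand-in for a real method's MSK/EMSK derivation
    (a real method derives these from its own exchange, not like this)."""
    msk = hashlib.sha512(b"msk" + method_secret).digest()[:MSK_LEN]
    emsk = hashlib.sha512(b"emsk" + method_secret).digest()[:EMSK_LEN]
    return EapKeyMaterial(msk=msk, emsk=emsk)


def emsk_leaks(attrs, emsk: bytes, window: int = 16) -> bool:
    """True if any attribute value carries a contiguous run of EMSK octets.
    This is the 'AAA must not transport the EMSK' requirement as a check."""
    for _name, value in attrs:
        for i in range(len(value) - window + 1):
            if value[i:i + window] in emsk:
                return True
    return False


def aaa_attributes(keys: EapKeyMaterial):
    """Build the AAA attributes that reach the authenticator. Only the MSK is
    transported (split into the two RADIUS MS-MPPE keys, an assumed layout);
    the EMSK stays with the EAP caller and the guard enforces that."""
    attrs = [
        ("MS-MPPE-Recv-Key", keys.msk[:32]),
        ("MS-MPPE-Send-Key", keys.msk[32:64]),
    ]
    if emsk_leaks(attrs, keys.emsk):
        raise KeyExportViolation("EMSK material on AAA transport")
    return attrs


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-SHA-256 counter-mode expansion: T1 = HMAC(K, S|1),
    Tn = HMAC(K, T(n-1)|S|n). Constructed PRF+ shape for illustration."""
    if length > 255 * 32:
        raise ValueError("single-octet counter limits output length")
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:length]


def derive_amsk(emsk: bytes, label: bytes, optional_data: bytes, length: int) -> bytes:
    """Derive an application-specific key from the EMSK locally, on the entity
    that holds the EMSK. The label/optional-data/length seed layout is an
    assumption, not the KDF the thread was negotiating."""
    seed = label + b"\x00" + optional_data + length.to_bytes(2, "big")
    return prf_plus(emsk, seed, length)


if __name__ == "__main__":
    keys = eap_method_complete(b"constructed-method-secret")
    for name, value in aaa_attributes(keys):
        print(name, value.hex())
    print("AMSK", derive_amsk(keys.emsk, b"app@example.com", b"", 64).hex())
```

The only place the EMSK is readable is the object the EAP method returns to its caller; the AAA-facing function never sees it except to run the leak check, and the AMSK derivation takes the EMSK as an in-process argument rather than as something received over a transport.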