Re: Proposed Resolution of Issue 361: Child Key Expiry

From: Bernard Aboba (bernard_aboba
Date: Wed, 7 Jun 2006 12:50:10 -0700 (PDT)

In the above, are you talking about an EMSK compromise after expiry affecting any keys that may still be in use?
If the EMSK expires and the session is still in progress, presumably the result is an EAP re-authentication which results in new child keys.
If so, I'm wondering how viable that is - basically, the point that I'm not clear on is this - if the EMSK is used to derive any keys that are handed out to other entities, depending on the purpose of the key, the EAP server may really have no control over that lifetime.
It can provide a maximum lifetime (Session-Timeout) to the authenticator, requesting EAP re-authentication to occur when the maximum lifetime expires.
The distinction we're making here is between maximum lifetime (controlled by Session-Timeout) and deletion. If the EMSK is deleted on the peer or server, this doesn't cause child keys to be deleted. However, expiry of the maximum lifetime does result in new child keys.