Re: Proposed Resolution of Issue 361: Child Key Expiry

From: Narayanan, Vidya (vidyan
Date: Wed, 7 Jun 2006 13:35:30 -0700 (PDT)

> >In the above, are you talking about an EMSK compromise after expiry
> >affecting any keys that may still be in use?
>
> If the EMSK expires and the session is still in progress,
> presumably the result is an EAP re-authentication which
> results in new child keys.
>
> >If so, I'm wondering how viable that is - basically, the point
> >that I'm not clear on is this -
> >if the EMSK is used to derive any keys that are handed out to other
> >entities, depending on the purpose of the key, the EAP server may
> >really have no control over that lifetime.
>
> It can provide a maximum lifetime (Session-Timeout) to the
> authenticator, requesting EAP re-authentication to occur when
> the maximum lifetime expires.
>
> The distinction we're making here is between maximum lifetime
> (controlled by Session-Timeout) and deletion. If the EMSK is
> deleted on the peer or server, this doesn't cause child keys to
> be deleted. However, expiry of the maximum lifetime does result
> in new child keys.

Ok. The revised text for section 3.3 then looks good.

Vidya