>
> Vidya said:
>
> "> As noted in [RFC3748] Section 7.10:
> >
> > The EMSK is reserved for future use and MUST remain on the EAP
> > peer and EAP server where it is derived; it MUST NOT be
> > transported to, or shared with, additional parties, or used to
> > derive any other keys."
>
> Are we sticking to this rule that the EMSK MUST NOT be used
> to derive any other keys? Given that there is agreement in
> general about potential derivation of keys from the EMSK,
> what implications does this text have to future documents
> specifying derived keys from the EMSK?"
>
> [BA] Since this is a quotation from [RFC3748] rather than
> anything created in this document, we can delete the quote.
> Don't think it adds much anyway.
>
Ok.
> [Vidya]
>
> >On the EAP server, keying material and parameters requested by and
> >passed down to the AAA layer may be replicated to the AAA layer on the
> >authenticator.
>
> I understand what the above is trying to say - however, this
> does conflict with the fact that the EMSK MUST NOT be
> transported to the authenticator (even though it may be
> passed down to the AAA layer on the server). I wonder if some
> clarification is necessary to avoid confusion.
>
> [BA] How about this?
>
> "On the EAP server, keying material and parameters requested
> by and passed down to the AAA layer may be replicated to the
> AAA layer on the authenticator (with the exception of the EMSK)."
>
Sounds good to me.
Vidya