Strawman -10/EMSK deletion requirement?

Hi Jari,

We seem to agree until we get here  snip:

Avi wrote:

> >It is basically this, how do I know which ones to
generate during
> >network access authentication?  I could have lots
of them.  
> Also perhaps
> >during this session the user requested access to a
new 
> application.  I
> >need a key now.  Should I tear down the session
just so I 
> can get a new
> >EMSK?
> >  
> >

Jari wrote:
> The latter should never happen. If we do the
calculation of 
> AMSKs a priori,
> then it needs to be something enabled by the user's
profile. If he is
> authorized to day (say) access handoff, mobile IP, and
some 
> QoS exchange,
> then we'd generate three AMSKs for that user.


Perhaps you missed my poorly stated point 

What if the user is requesting access to a new application?
which could
also involve the modification of the user's profile. 
If EMSK is not there, then what do I do? Restart the
session? No.

At anyrate I belive that there could be other use cases... I
gave two
reason why:

Just-in-time;
Dynamic-Application provisioning.

> >>2. Do you have a plan how to manage the cache
at the AAA 
> >>server side, if there is no agreement a priori
that EMSKs and 
> >>specific AMSKs are going to be needed?
> >>    
> >>
> >
> >EMSK should be bound to a user session. When the
user 
> session goes away
> >so should the EMSK.  If the user session is
reauthenticated so should
> >the EMSK.
> >  
> >
> Ok. This sounds reasonable. There may be still
tradeoffs
> between keeping one EMSK for all sessions vs. keeping
bunch of
> AMSKs for those sessions that have been authorized to
do
> more than pure access. 

Hmmmmm... A session is an EAP session (which is one Access
Session) and
you should only have one EMSK for that session.  AMSKs are
dervied from
the EMSK belong to that session.


>  But its hard for me to quantify this
> tradeoff, given that we don't know how many
applications we could
> in practice be talking about, and in particular we
don't know what
> fraction of users would be authorized to use those
applications. 
> Just
> some, or would this be something that is by default
turned on for
> everyone?

IMO that would be deployement issue.  We see a very
immediate need for
EMSK and AMSK today which will be used by everyone in the
network -- and
this is the MIP case, but other then that EMSK/AMSK is very
very new.
Wait until 3GPP/2 and OMA learn about it.

 
Avi
____________________________________________________________
_____
To unsubscribe or modify your subscription options, please
visit:
http:/
/lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.
frascone.com/pipermail/eap

Avi Lior wrote:

>Perhaps you missed my poorly stated point 
>
>What if the user is requesting access to a new
application? which could
>also involve the modification of the user's profile. 
>If EMSK is not there, then what do I do? Restart the
session? No.
>
>At anyrate I belive that there could be other use
cases... I gave two
>reason why:
>
>Just-in-time;
>Dynamic-Application provisioning.
>  
>
Ok. I'm starting to be convinced that we need to support
some
form of dynamic behaviour with regards to AMSKs.

--Jari

____________________________________________________________
_____
To unsubscribe or modify your subscription options, please
visit:
http:/
/lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.
frascone.com/pipermail/eap