
Thread: Strawman -10/EMSK deletion requirement?




2006-03-10 05:11:11
Joe,

See inline.... 

> -----Original Message-----
> From: Salowey, Joe [mailto:jsaloweycisco.com]
> Sent: Thursday, March 09, 2006 11:51 PM
> To: Avi Lior; Narayanan, Vidya; Jari Arkko
> Cc: eapfrascone.com
> Subject: RE: [eap] Strawman -10/EMSK deletion requirement?
>
> > > The
> > > EMSK MUST NOT be transported out of the EAP (AAA?) Layer and MUST be
> > > deleted when the corresponding EAP session expires.
> >
> > Replace EAP (AAA?) with EAP Authentication Server; and "corresponding
> > EAP session expires" with 'corresponding session has ended'.
> >
> > Motivation for above: Not sure if EAP session is defined; and you
> > delete the EMSK when the session is terminated either because it
> > expired or because it was explicitly terminated.
> >
>
> [Joe] I think we will probably need more definition around this.

[Avi] Okay.

> > > Further, an EMSK MUST NOT be used to generate more than one
> > > AMSK for a given application.
> >
> > I am not sure that the above does not pose a threat.
> > Normally we would think that one Application would require one AMSK.
> > But since we are not defining what an application is -- and we
> > shouldn't IMO enter that rat hole.  Then what if there was some
> > application that requires two AMSKs?  Is there harm?
> >
>
> [Joe] If they are generated at the same time I don't think there is a
> problem.  If there is a delay in generation where the application
> requires the EMSK to be cached it is less than optimal.
>
[Avi] In another email thread we explored this further and the way I
understand it is that an Application can have one AMSK key because:

FOO-AMSK = KGF(EMSK,"FOO" | ... | ...)

"FOO" is the Key Label and it must be unique.

FOO-A-AMSK = KGF(EMSK,"FOO-A" |  ... | ...)
FOO-B-AMSK = KGF(EMSK,"FOO-B" |  ... | ...)

Are really two different AMSKs and this is legal because these are
viewed as two separate applications.

And
FOO-A-AMSK = KGF(EMSK,"FOO" | "A" | ...)
FOO-B-AMSK = KGF(EMSK,"FOO" | "B" | ...)

Generates two distinct keys but SHOULD not be legal. 

I am not sure if this is defined correctly.

Finally,  I am not sure how this has to do with EMSK caching or not.
 
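The key-label question raised in the message above, as an added example that is not part of the original post: it uses HMAC-SHA-256 as a stand-in for KGF (an assumption, since the thread does not define KGF), a constructed sample EMSK, and a hypothetical `AmskDeriver` class that issues one AMSK per label and drops the EMSK when the session ends. It goes slightly beyond the thread by showing that, if `|` is plain concatenation, label "FOO" with data "A" yields the same key as label "FOOA", which length-prefixing each field avoids.

```python
import hashlib
import hmac

# Constructed 64-octet sample EMSK; a real one comes out of the EAP method.
SAMPLE_EMSK = bytes(range(64))


def kgf(emsk: bytes, *fields: bytes) -> bytes:
    """Stand-in KGF (assumption): HMAC-SHA-256 over the fields, with '|'
    taken as plain concatenation, as the formulas in the thread are written."""
    return hmac.new(emsk, b"".join(fields), hashlib.sha256).digest()


def kgf_framed(emsk: bytes, label: bytes, *optional: bytes) -> bytes:
    """Same stand-in, but every field is length-prefixed so the boundary
    between the key label and the optional data cannot shift."""
    framed = b"".join(len(f).to_bytes(2, "big") + f for f in (label, *optional))
    return hmac.new(emsk, framed, hashlib.sha256).digest()


class AmskDeriver:
    """Hypothetical holder of one EMSK that issues at most one AMSK per label."""

    def __init__(self, emsk: bytes):
        self._emsk = emsk
        self._issued = set()

    def derive(self, label: bytes, *optional: bytes) -> bytes:
        if self._emsk is None:
            raise RuntimeError("EMSK deleted: session has ended")
        if label in self._issued:
            raise ValueError(f"AMSK already issued for label {label!r}")
        self._issued.add(label)
        return kgf_framed(self._emsk, label, *optional)

    def end_session(self) -> None:
        """Drop the EMSK reference when the session expires or is terminated."""
        self._emsk = None


def label_collision(emsk: bytes) -> bool:
    """True if label "FOO" with data "A" yields the same key as label "FOOA"."""
    return kgf(emsk, b"FOO", b"A") == kgf(emsk, b"FOOA")
```
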