RE: Last Call: 'Guidance for AAA Key Management' to BCP (draft-housley-aaa-key-mgmt)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> >Can you please provide a pointer?
> 
> Authenticator and peer identication issues are discussed in Section
> 2.2.1 of draft-ietf-eap-keying-15.txt

According to my reading, we rely on this piece of text:

   The following steps enable lower layer identities to be securely
   verified by all parties:

   ...

   [g]  Communicating the lower layer identities between the peer and
     authenticator within phase 0.  This allows the peer and
     authenticator to determine the key scope if a key cache is
     utilized.


Through the exchange of such identifiers one can bind the MSK to the
identity of the authenticator. But.... this has issues, imho. RFC 3748 does
not mandate such a feature on the EAP lower layers. Not sure if any supports
such a thing. Rather than relying on another part of the architecture (phase
0 -- discovery), it's more appropriate to expect EAP to deal with this
identifier exchange (since it is the one who generates the associated MSK),
but it is too late for that now. 

All I'm trying to say is, EAP (RFC 3748) does not appear to support this
particular rule from draft-housley-aaa-key-mgmt. Just an observation.


> So child keys often do persist longer than the parent key, and there is
> no issue with this.  However, the maximum lifetime of the child keys
> cannot be longer than the maximum lifetime of the parent.

This explains it very well. Thank you.

Alper



_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]