>>>>> "Bernard" == Bernard Aboba <bernarda@xxxxxxxxxxxxxxxxxxxxx> writes:

    Bernard> O, I definitely think they are session keys. [BA] They
    Bernard> are not TSKs according to the definition in the EAP Key
    Bernard> Management Framework.

That's true. But that definition is not normative for draft-housley-aaa-key-mgmt.

    Bernard> Wait, what's wrong with giving 100 authenticators 100
    Bernard> different keys provided that each authenticator is
    Bernard> authorized to claim the identity it plans to claim?
    Bernard> Isn't that exactly the sort of thing we do want to do?
    Bernard> [BA] The creation of cryptographically separate keys for
    Bernard> each authenticator is not sufficient; the EAP Key
    Bernard> Management Framework describes the problems that can
    Bernard> result without authentication and authorization.

Again, I think that correctness of accounting in this instance is an additional requirement the key management framework puts on top of draft-housley-aaa-key-mgmt.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf