Re: [HOKEY] WGLC: draft-ietf-hokey-key-mgm-06
Rafa,
Thank you for your comments.
Please find my replies in line.
I have addressed all your comments in the new 07 draft version that I
just posted. Please have a look at the new version to see whether you
agree with the changes.
Best regards,
Katrin
> -----Original Message-----
> From: hokey-bounces at ietf.org [mailto:hokey-bounces at ietf.org] On Behalf Of Rafa Marin Lopez
> Sent: Tuesday, June 16, 2009 4:21 AM
> To: hokey at ietf.org
> Subject: Re: [HOKEY] WGLC: draft-ietf-hokey-key-mgm-06
>
> Dear all,
>
> Here is my review of this I-D.
>
> In general, the I-D is in good shape but I don't understand very well
> why it has to be linked to RADIUS. For example, in the abstract we have:
>
> "The document defines a key distribution exchange (KDE)
> protocol using Remote Authentication Dial In User Service (RADIUS)
> that can distribute these different types of root keys and discusses
> its security requirements."
>
> As far as I can understand, KDE (the defined tokens) could be transported
> by either RADIUS or Diameter. So, I was wondering why we need to
> specify RADIUS here in this I-D? I think the I-D could specify the
> security requirements that an AAA protocol (that could be RADIUS or
> Diameter) should provide to transport KDE.
>
[KH] I agree. The new I-D considers general AAA protocols, i.e. RADIUS
and Diameter could both be used to provide transportation for the KDE
messages.
> For example section 8.1 could be more general:
>
> "8.1. Requirements on AAA Key Transport Protocol"
[KH] Done.
>
> And sections 5 and 7 could be removed.
[KH] Done.
>
> What do you think?
>
>
> Here you can find a couple of additional comments:
>
> In section 4.1
>
> "The key scope of each distributed key is determined by the sequence
> of (PID, KT, KL)-tuples in the key hierarchy".
>
> The delivered key RK should be associated to a particular PID and a
> particular KRS as far as I understand. To me, that would be the context
> (apart from KT, and KL). Am I missing something?
>
[KH] I agree, I added a KRS identifier to the key scope. "The key scope
of each distributed key is determined by the sequence of (PID, KT,
KL)-tuples in the key hierarchy and the identifier of the KRS."
> In section 6
>
> "In implicit bootstrapping the local EAP Re-authentication (ER) server
> requests the DSRK from the home AAA server during the initial EAP
> exchange. Here, the local ER server acts as the KRS and the home AAA
> server as the KDS. In this case, the local ER server requesting the
> DSRK MUST include a KDE attribute with the K-flag cleared in the
> RADIUS Access-Request message that carries the first EAP-Response message
> from the peer. A value of the RADIUS User-Name attribute is
> used as the PID. Upon receiving a valid KDE-Request, the home AAA
> server includes a KDE attribute with K-flag set in the RADIUS Access-
> Accept message that carries the EAP-Success message."
>
> Note that in this case (implicit bootstrapping), between the KDE-Request
> and the KDE-Response there will be several roundtrips to complete the
> EAP authentication. Thus let's say that the KDE key distribution will
> need to wait for more than one single roundtrip before finishing (in
> fact, RK is delivered in the same message as MSK no?).
[KH] Text has been changed to "If the EAP exchange is successful, the
home AAA server includes a KDE-Response message in the AAA message that
carries the EAP-Success message."
>
> Best Regards.
>
>
> Glen Zorn wrote:
> > This message announces the beginning of Working Group Last Call on
> > draft-ietf-hokey-key-mgm-06
> > (http://www.ietf.org/internet-drafts/draft-ietf-hokey-key-mgm-06.txt). The
> > last call period will end on Thursday, 18 June 2009 at 1500 GMT.
> > When submitting comments please reply to this message, leaving the subject
> > line intact. Thank you.
> >
> >
> > _______________________________________________
> > HOKEY mailing list
> > HOKEY at ietf.org
> > https://www.ietf.org/mailman/listinfo/hokey
> >
> >
>
>
> --
> ------------------------------------------------------
> Rafael Marin Lopez
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34968398501 e-mail: rafa at um.es
> ------------------------------------------------------
>
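The implicit bootstrapping exchange and the amended key scope discussed in the thread above, modelled as an added Python example that is not code from the draft or from either author: the local ER server (KRS) places a KDE-Request with the K-flag cleared in the first Access-Request, the home AAA server (KDS) holds it through the remaining EAP roundtrips, and the KDE-Response with the K-flag set rides in the Access-Accept that carries EAP-Success. The DSRK derivation (HMAC-SHA256 keyed with the EMSK), the message and class names, and the sample identities are assumptions made for this example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class KDEAttr:
    k_flag: bool      # cleared = KDE-Request, set = KDE-Response
    pid: str          # peer identity; the value of the User-Name attribute
    kt: str           # requested key type, e.g. "DSRK"
    kl: int           # key length in bytes
    krs_id: str       # identifier of the Key Requesting Server (added to the scope)
    key: bytes = b""  # present only when k_flag is set

@dataclass
class AAAMessage:
    kind: str         # Access-Request / Access-Challenge / Access-Accept (RADIUS names)
    eap: str          # EAP-Response / EAP-Request / EAP-Success
    user_name: str    # User-Name attribute, used as the PID
    kde: Optional[KDEAttr] = None

def key_scope(attr: KDEAttr):
    """Key scope as agreed in the thread: (PID, KT, KL) tuple plus the KRS identifier."""
    return ((attr.pid, attr.kt, attr.kl), attr.krs_id)

class HomeAAAServer:
    """KDS role: remembers the KDE-Request until the EAP exchange has succeeded."""
    def __init__(self, emsk_by_pid: dict, eap_rounds: int):
        self.emsk_by_pid, self.eap_rounds = emsk_by_pid, eap_rounds
        self.pending, self.rounds_done = {}, {}

    def derive_dsrk(self, emsk: bytes, krs_id: str, kl: int) -> bytes:
        # ASSUMPTION: HMAC-SHA256 over the KRS id keyed with the EMSK; the draft's KDF is not on this page.
        return hmac.new(emsk, b"DSRK|" + krs_id.encode(), hashlib.sha256).digest()[:kl]

    def handle(self, msg: AAAMessage) -> AAAMessage:
        pid = msg.user_name
        if msg.kde is not None and not msg.kde.k_flag:
            self.pending[pid] = msg.kde       # KDE-Request carried by the first Access-Request
        self.rounds_done[pid] = self.rounds_done.get(pid, 0) + 1
        if self.rounds_done[pid] < self.eap_rounds:
            return AAAMessage("Access-Challenge", "EAP-Request", pid)   # key not delivered yet
        req = self.pending.pop(pid)
        key = self.derive_dsrk(self.emsk_by_pid[pid], req.krs_id, req.kl)
        return AAAMessage("Access-Accept", "EAP-Success", pid,
                          KDEAttr(True, pid, req.kt, req.kl, req.krs_id, key))

def implicit_bootstrap(server: HomeAAAServer, pid: str, krs_id: str, kl: int = 32):
    """KRS side: returns every AAA reply; only the final Access-Accept carries the DSRK."""
    first = AAAMessage("Access-Request", "EAP-Response", pid, KDEAttr(False, pid, "DSRK", kl, krs_id))
    replies = [server.handle(first)]
    while replies[-1].kind == "Access-Challenge":
        replies.append(server.handle(AAAMessage("Access-Request", "EAP-Response", pid)))
    return replies
```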