EAP applicability (Was: Re: IETF Last Call on Walled Garden Standard for the Internet)

2008-03-13 20:51:47

For what it is worth, this ex-EAP co-chair also thinks that
the use of EAP keys for applications is a very bad idea.


For a number of reasons. Take this from someone who has actually tried
to do this in the distant past and has realized that it was a bad idea.

But first let me clarify that I'm not criticizing HOKEY for EAP keys in
any way; HOKEY is a fine application for EAP keys. The document that
started this thread can be fixed by better IANA and applicability
sections. I've also changed the subject to reflect the new topic.

Back to the reasons for why application keying based on EAP is a bad
idea. First, there is an applicability statement in RFC 3748 which
discourages the use of EAP for other applications than network access.
We've generally treated this liberally and included things like VPN
access (IKEv2) and mobility services in this as well.

Use of EAP keys in other contexts than the network access itself
presents a number of problems. The primary problem is that while EAP
runs on many, many interfaces and products, the number of networks where
is still relatively small, or at least it's nowhere near ubiquitous. This
presents a problem for applications that require EAP-based keys. This
hotel network supports web logins, not EAP, so does that mean I would be
unable to use the EAP-based applications? And from the point of view of
an application provider, why would I want to exclude the 99.9% of
current Internet users that are not behind an EAP-based network interface?

The conclusion from this is that application keying should be arranged
independently of network access. Note that in some cases you can use the
same credentials to access a particular application, even if you are not
reusing keys from the network access phase. For instance, IKEv2 and its
EAP capability has been used in some mobility designs. But this is an
independent run of EAP, nothing to do with the network access EAP run
(if there even was one).

Finally, many of the things that you want to do are impossible if you
tie your applications to network access keys. For instance, if you are
mobile you would ideally want to move from one access network to
another. What if one of these access networks does not support EAP for
network access, e.g., Wimax -> 3G? What would this do to your ability to
use an application?


