In clause 8.7.4 Handling of Key Delivery Assurance (informative) we have:
"• KDA provided from GM to KDC to acknowledge receiving (updated) SA parameter (TEK)
- PULL: the GM acknowledges the reception of the TEK and the connected policy with the third message in the GROUPKEY-PULL exchange according to RFC 6407, section 3.2."
Nevertheless, when the GM sends the (3) message, it can only acknowledge its liveliness and the reception of the SA TEK.
The updated TEK will be sent by the KDC only with message (4) in the KD payload.
How can the GM acknowledge the reception of the (updated) TEK with message (3) considering that the (updated) TEK will be delivered to it only with message (4)?
Proposal
Clarify the acknowledgement mechanism for the reception of the updated TEK by the GM to the KDC for a GROUPKEY-PULL exchange.
Discussion
Created
Status
Proposal to go forward as editorial improvement
18 Dec 25
Approval (Editorial)
Discussion in TF on December 18, 2025
The following sentence should be added to the 4th bullet point:
If the KDC sends keys and policies for a given SPI to a GM, it assumes delivery and shall be accounted in the KDA percentage if KDA is enabled. KDA shall only be given to the publisher via PUSH.
(the following bullet point for PULL is intended as an explanation that it doesn't make sense to send KDA in PULL)
18 Dec 25
Discussion (red)
In any case we need to review section 8.7.4 as some sentences are definitely not correct and need to be rephrased.
So, we need to further work on this.
15 Oct 25
Accepted
GDOI GROUP-PULL does not allow for an explicit KDA response from a GROUP-MEMBER to KDC. Therefore, the KDC needs to count a PULL for a TEK that the KDC has "sent" to the GM towards KDA. The GM is responsible for re-polling if it does not receive the keys requested.
For KDA to work, at least the Publisher needs to support PUSH.
09 Oct 25
Accepted
The observation is true that the fourth message contains the TEK and the policy payload. As message 4 is the last message in the exchange, there is no separate message for the KDA.
Note that the KDA is informative text and is not normatively required. Nevertheless, informative information should also be correct.