When TKIP or CCMP encryption is used, and the WTP does the encryption, it
obviously needs the key (TK) for TKIP or CCMP. However, currently the
AC also sends two other keys, the EAPOL Key Confirmation Key (KCK) and
Key Encryption Key (KEK), to the WTP, even though the WTP does not
seem to need these keys for anything. The principle of least
privilege would suggest that the AC shouldn't send these keys. Why
not send just the needed keys? Or does the WTP need the KCK/KEK
for something?
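
For reference, the key split the question refers to, as an added example (not part of the original text and not CAPWAP's own code): the IEEE 802.11i PTK derivation, divided into KCK, KEK and TK. The helper `keys_for_wtp`, the sample values, and the assumption that the AC acts as the 4-way handshake authenticator are illustrative; the returned dict is not the CAPWAP message format.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out, i = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([i])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce, cipher):
    """Derive the PTK and split it into its three parts."""
    nbytes = {"CCMP": 48, "TKIP": 64}[cipher]  # PRF-384 / PRF-512
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, nbytes)
    return {
        "KCK": ptk[:16],    # MIC over EAPOL-Key frames (handshake only)
        "KEK": ptk[16:32],  # wraps key data (e.g. GTK) in EAPOL-Key frames
        "TK": ptk[32:],     # the only part used to protect data frames
    }

def keys_for_wtp(ptk: dict) -> dict:
    """Hypothetical helper: key material a WTP that only encrypts
    data frames requires. KCK and KEK stay on the authenticator."""
    return {"TK": ptk["TK"]}

# Constructed sample inputs (not real key material).
PMK = bytes(range(32))
AA = bytes.fromhex("020000000001")    # authenticator MAC address
SPA = bytes.fromhex("020000000002")   # supplicant MAC address
ANONCE = b"\xa5" * 32
SNONCE = b"\x5a" * 32

if __name__ == "__main__":
    for cipher in ("CCMP", "TKIP"):
        ptk = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE, cipher)
        sent = keys_for_wtp(ptk)
        print(cipher, "PTK parts:", {k: len(v) for k, v in ptk.items()},
              "-> sent to WTP:", sorted(sent))
```

For TKIP the 32-byte TK includes the two Michael MIC keys, so a WTP doing TKIP encryption still needs nothing from the first 32 bytes of the PTK.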