This document describes an abstract mechanism for delivering root keys from an Extensible Authentication Protocol (EAP) server to another network server that requires the keys for offering security protected services@ such as re-authentication@ to an EAP peer. The distributed root key can be either a usage-specific root key (USRK)@ a domain-specific root key (DSRK)@ or a domain-specific usagespecific root key (DSUSRK) that has been derived from an Extended Master Session Key (EMSK) hierarchy previously established between the EAP server and an EAP peer. This document defines a template for a key distribution exchange (KDE) protocol that can distribute these different types of root keys using a AAA (Authentication@ Authorization@ and Accounting) protocol and discusses its security requirements. The described protocol template does not specify message formats@ data encoding@ or other implementation details. It thus needs to be instantiated with a specific protocol (e.g.@ RADIUS or Diameter) before it can be used.