Title: Response to Draft revised Recommendation ITU-T X.1034
Submission Date: 2010-04-02
URL of the IETF Web page: 
https://datatracker.ietf.org/public/liaison_detail.cgi?detail_id=862 

From: Joseph Salowey(IETF EMU WG) <[email protected]>
To: ITU-T SG 17([email protected],[email protected],[email protected])
Cc: [email protected]
[email protected]
[email protected]
[email protected]
Response Contact: [email protected]
[email protected]
[email protected]
Technical Contact: [email protected]
Purpose: In response 
Body: Members of the IETF EAP Method Update working group have reviewed the 
revised ITU-T X.1034 document.  The following is a summary of their comments:

1. Reviewers were not clear on the purpose of the document

Reviewers did not really understand the purpose of the document.  There are 
several documents that discuss EAP method requirements and classify EAP methods, 
such as RFC 4017 and NIST SP 800-120. 

Is the group aware of these documents? What is this document providing beyond 
what is provided in these documents?

2. Out-of-Date discussion of EAP 

The main part of the document does not include any reference to much of the 
recent EAP work such as:

RFC 5247 - Extensible Authentication Protocol (EAP) Key Management Framework 
RFC 5296 - EAP Extensions for EAP Re-authentication Protocol (ERP) 
RFC 5295 - Specification for the Derivation of Root Keys from an Extended Master 
Session Key (EMSK) 

Also, in numerous places the document uses terminology specific to IEEE 802.  
For example, the document discusses "types of PTK" and "group key handshake".  
Non-IEEE 802 technologies typically don't use the term "PTK", and IEEE 
802.1X-REV does not include a "group key handshake".  Moreover, the "general 
flow of key management" described in Section 8.4 is not general at all, since 
it does not describe the lower layer key management used in IKEv2 or IEEE 
802.16.

3. Out-of-Date discussion of EAP-Methods

The appendices discussing EAP methods have improved; however, they still contain 
many discrepancies with the state of the art.  Appendix I claims it presents 
an evaluation of the most well-known EAP methods.  EAP-SRP is abandoned work, 
so it is not clear how this would qualify as well-known.  EAP-MD5 cannot be 
used in environments that require key generation, so its evaluation is not all 
that useful.  Some additional methods are discussed in Appendix III, but these 
are not discussed in Appendix I.  It is not clear why there are two different 
appendices or why the focus of Appendix I is mostly on obsolete or abandoned 
protocols.  Appendix I does not appear to provide much value. 

Appendix III contains many inaccuracies.  

- RFC 2284 was obsoleted by RFC 3748.  
- EAP-SRP is abandoned work.
- There is a standards track PSK EAP method, EAP-GPSK (RFC 5433); it would be 
better to include this in the analysis.
- An improved EAP-AKA mechanism has been published in RFC 5448.
- EAP-FAST is also a tunnel method.
- The PEAP Internet-Draft has been abandoned; current documentation of the PEAP 
protocol is available from Microsoft.  

4. Out of date references 

- For EAP, RFC 3748 should be referenced instead of RFC 2284.
- RFC 2716 has been made obsolete by RFC 5216.
- The document should reference RFC 5247 - Extensible Authentication Protocol 
(EAP) Key Management Framework.
- The EAP-SRP reference is to an expired document.
- The PEAP reference is to an expired document.
- RADIUS references should include RFC 3579.
Attachment(s):
No document has been attached


_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu