Hi, I read the whole document again. I think it is in a good shape. Some quick high level comments. I will do a more detailed review(s) later
- I think this should formally update rfc5448bis - "This specification is an optional extension to the EAP-AKA'" While the extension is not mandatory, I think the draft should somewhere say that use of the extension is strongly recommended instead of just stating that it is optional. - "This specification is an optional extension to the EAP-AKA' authentication method which was defined in RFC 5448 (to be superseded by draft-ietf-emu-rfc5448bis)." With RFC5448bis almost done, I think this could be changed to - "This specification is an optional extension to the EAP-AKA' authentication method defined in draft-ietf-emu-rfc5448bis." - "from being able to decrypt all past communications." True, but this could be more specificly described as "from being able to decrypt any past communications." - " 3rd generation AKA " I don't think it is third gen AKA, rather 3G aka in the sense of AKA for 3G - "When AKA (and AKA')" AKA' is not explained anywhere.... - "Perfect Forward Secrecy" vs. "Perfect Forward Security" Draft uses both. PFS is stated to stand for the Security version. I suggest only using one of them. - Whould be good to say something small about active vs. passive attacks early. Just a few sentences that active attacks are much more resource demanding and can be detected. - "This method is referred to as ECDHE" Could say "This method is referred to as ECDHE or ECDH-EE" TLS calls it ECDHE while some other IETF protocols call it ECDH-EE - "i.e., using temporary keys" I suggest "using only temporary keys" to differentiate from ECDH-ES that use one static key pair and one ephemeral key pair. - "Curve25519 group specified in [RFC8031]." I think the group is specified in RFC 7748 - The draft should probably mention X25519 which is the name of the Diffie-Hellman function defined in RFC 7748. Curve25519 is the group. - "as specified in Section 2 of [RFC8031] and Section 6.1 of [RFC7748]." Why refering to two different RFCs? - The security considerations could say a little about detecting active attackers. - "I-D.mattsson-eap-tls13" -> "I-D.ietf-emu-eap-tls13" - "John Mattson" -> "John Mattsson" - "SIM" vs. "USIM" vs. "(U)SIM" The document uses all three. Could maybe cut down to one or two. Cheers, John _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu