On Thu, Oct 31, 2019 at 04:25:57PM +0000, Mohit Sethi M wrote:
> Hi Ben,
>
> Thanks for the customary careful review. Answers in-line:
>
> On 10/31/19 4:24 PM, Benjamin Kaduk via Datatracker wrote:
>
> Benjamin Kaduk has entered the following ballot position for
> charter-ietf-emu-05-02: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/charter-ietf-emu/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Can we consider just saying "forward secrecy" rather than "perfect forward
> secrecy"? The "perfect" nature comes with many caveats in general...
>
> Makes sense!
>
> What's the relationship between "identifiers for fast re-authentication" and
> "creation of long-term credentials for the peer based on initial limited-use
> credentials"?
>
> Good question:
>
> Session-Id is a particular type of identifier that must be exported by EAP
> methods according to RFC5247 (https://tools.ietf.org/html/rfc5247). As
> implicit from the name, it identifies a particular EAP authentication
> session. EAP methods should export this identifier during usual full
> authentication as well as abbreviated fast-reauthentication. Some EAP
> methods (EAP-SIM, EAP-AKA, EAP-PEAP and EAP-AKA') lacked this information.
> There is a draft fixing this (draft-ietf-emu-eap-session-id-00). It is
> only dealing with a narrow bug that was discovered during implementation.
>
> Creation of long-term credentials based on initial limited-use credentials
> is not about session identifiers. It is trying to address the case
> where the initial credentials are time or domain limited (such as device
> certificates from manufacturer) and need to be updated with operational
> long-term credentials (such as certificates from the local network
> operator). Both these credentials can be used for EAP authentication
> (albeit with different servers) and will result in different Session-Ids.

That makes sense; thanks for setting it out for me.

> There's a lot of stuff set to happen in Nov 2019; is that all staged and
> ready to go?
>
> Yes!

Excellent!

-Ben
