1. intro

The reference for PEAP is missing; too bad the drafts have expired...

3.8 resource constrained environments

This is a bit of a fuzzy paragraph. I feel that the SHOULD here invites developing 'weaker' methods in order to satisfy this goal. I would prefer to leave this out altogether. As an alternative you might want to describe a situation in which the use of a weaker method may be mitigated by reducing the services that are made available to these resource-challenged devices.

4.2.1.4 peer identity privacy

Just the username is too limited; all credentials need to be protected, and arguably all attributes of a user.

4.4 EAP Channel Binding Requirements

"Such attacks [...], in which key channel binding characteristics are transported [...]"

I think it is not the 'key channel binding characteristics' that are transported but rather the 'service characteristics'. I prefer the wording in clancy-emu-chbind:

" [...] a process in which the EAP client provides
   information about the characteristics of the service provided by the
   authenticator to the AAA server protected within the EAP method,
   allowing the server to verify the authenticator is providing valid
   information to the peer.  The server can also respond back with
   additional information that could be useful for the client to decide
   whether or not to continue its session with the authenticator."

4.5 Requirements associated with carrying usernames/passwords

OTP is not a password database.

4.5.1.2 authentication of server

I don't think it is as important to protect the username as the password.

4.5.1.3 server credential revocation checking

Perhaps with the exception of the Grid community, there is no use of OCSP (let alone SCVP) as far as I know, and popular implementations of SSL don't implement it. I understand the requirement, but I am afraid this is too restrictive and may be prohibitive for implementers. I would suggest changing the MUST to SHOULD and leaving out the paragraph about OCSP and SCVP.

4.6.3 cryptographic binding with TLS tunnel

Expand CTK, MSK, EMSK, TEK.

Expand "domino effects".
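The channel binding process quoted above from clancy-emu-chbind (the peer reports the service characteristics it observed, protected by the EAP method, and the AAA server compares them with what the authenticator itself claimed) can be illustrated with a small simulation. The code below is an added example written for this page; it is not from the requirements draft, from clancy-emu-chbind, or from the author of the review. It assumes a fixed EAP-derived key, a JSON encoding of the attributes, and a plain dict standing in for the authenticator's AAA-side attributes, all of which are constructed for the demo and not any specification's wire format.

```python
import hashlib
import hmac
import json

# Constructed placeholder: in a real deployment this key would be derived from
# the EAP method's keying material inside the protected tunnel. It is a fixed
# constant here only so the example runs offline.
EAP_DERIVED_KEY = b"example-eap-derived-key-for-demo-only"


def _mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def peer_channel_binding_message(key, observed):
    """Peer side: serialise the service characteristics the peer observed from
    the authenticator (e.g. the NAS identifier and SSID it was offered) and
    protect them with a MAC keyed by EAP-derived material, so the authenticator
    in the middle cannot alter them on the way to the server."""
    payload = json.dumps(observed, sort_keys=True).encode()
    return {"payload": payload, "mac": _mac(key, payload)}


def server_verify_channel_binding(key, message, aaa_view):
    """AAA server side. Returns (ok, mismatched_attributes).

    aaa_view is what the authenticator itself claimed about the service over
    the AAA protocol (simulated here as a plain dict). An authenticator that
    presents one set of characteristics to the peer and another to the server
    is caught by comparing the two after the MAC has been checked."""
    if not hmac.compare_digest(_mac(key, message["payload"]), message["mac"]):
        # Integrity failure: treat as a failed binding, don't inspect contents.
        return False, ["mac"]
    observed = json.loads(message["payload"])
    mismatched = sorted(k for k, v in observed.items() if aaa_view.get(k) != v)
    return (not mismatched), mismatched


def server_response(key, ok, mismatched):
    """The server's reply to the peer, also MAC-protected, carrying the verdict
    the peer can use to decide whether to continue the session."""
    payload = json.dumps({"ok": ok, "mismatched": mismatched}, sort_keys=True).encode()
    return {"payload": payload, "mac": _mac(key, payload)}


def peer_should_continue(key, response):
    """Peer side: accept the verdict only if the response MAC verifies."""
    if not hmac.compare_digest(_mac(key, response["payload"]), response["mac"]):
        return False
    return bool(json.loads(response["payload"])["ok"])


if __name__ == "__main__":
    # Constructed sample attributes as seen by the peer.
    observed = {"nas_identifier": "ap-example-01", "ssid": "corpnet"}
    msg = peer_channel_binding_message(EAP_DERIVED_KEY, observed)
    for label, aaa_view in (
        ("consistent authenticator", dict(observed)),
        ("inconsistent authenticator", {"nas_identifier": "ap-example-01", "ssid": "guestnet"}),
    ):
        ok, bad = server_verify_channel_binding(EAP_DERIVED_KEY, msg, aaa_view)
        cont = peer_should_continue(EAP_DERIVED_KEY, server_response(EAP_DERIVED_KEY, ok, bad))
        print(f"{label}: ok={ok} mismatched={bad} peer_continues={cont}")
```

The point of the comparison is that the peer's view reaches the server intact (the MAC keyed by EAP material, not by anything the authenticator holds), so the server can detect when the authenticator's own AAA attributes disagree with what it advertised to the peer, and the peer learns the outcome through an equally protected reply.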
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu