Now that draft-ietf-emu-eap-tls13 and draft-ietf-emu-rfc5448bis have been adopted, I think it is time to start discussing the remaining things that the working group has been chartered to do.

I think Perfect Forward Secrecy (PFS) and privacy are very important targets for the group. RFC 7258 (Pervasive Monitoring Is an Attack) requires protocols to mitigate pervasive monitoring, when possible. The assumptions from when EAP-AKA was designed have clearly not stood the test of time: IMSI catchers are regularly sniffing cellular identities, and attacks on the manufacturers of SIM cards have opened up for large-scale pervasive monitoring.

draft-ietf-emu-rfc5448bis shows that mitigating pervasive monitoring by adding PFS to EAP-AKA is possible and achievable. As it is well-written, I think it should be the basis for the working group’s work on mitigating pervasive monitoring of EAP-AKA.

3GPP has already specified a solution called SUCI that achieves privacy by encrypting subscriber identities, thereby mitigating the IMSI catcher form of pervasive monitoring. I think draft-ietf-emu-rfc5448bis should be updated so that it refers to the 3GPP SUCI solution for encrypting subscriber identities. The use of identity protection should at least be strongly recommended.

Cheers,
John