Hi, I reviewed the new -01 version. Looks very good. Some additional comments:

-- Section 1
- Sections 5 and 6 are missing from the document structure description. Is this intentional?
- OLD "updates to RFC 5448 AKA' and" NEW "updates to RFC 5448 EAP-AKA' and"

-- Section 3
- Some of the lines in Figure 1 are not correctly aligned

-- Section 3.1
- OLD "distinghuishable" NEW "distinguishable"

-- Section 5
- OLD "the right type of identifiers are used" NEW "the right type of identifiers is used"

-- Section 5.2
- OLD "signalling" NEW "signaling" (Other parts of the draft are US English, e.g. "authorized")

-- Security Consideration
I think the security considerations should be updated to be aligned with current security and privacy practices. The security considerations need to talk more about privacy and pervasive monitoring [RFC6973][RFC7258].
- The privacy issues when SUCI is not used should be described (i.e. passive and/or active IMSI catchers are sniffing cellular identities to identify and/or track users). The security considerations should probably also include a strong recommendation to use SUCI.
- The lack of perfect forward secrecy in EAP-AKA' and its effects on pervasive monitoring should be described, e.g. attacks on manufacturers of SIM cards opening up for large scale pervasive monitoring and active attacks.

-- Section 8.3
The table in Section 8.3 should be updated to refer to "this document" instead of the to-be-obsoleted RFC 5448.

-- Appendix E
- OLD "Milenage" NEW "MILENAGE"
- The test vectors in case 1 and case 2 should be as beautifully aligned as case 3 and case 4.

Cheers,
John