Hi,
I reviewed the new -01 version. Looks very good. Some additional comments:
-- Section 1
- Sections 5 and 6 are missing from the document structure description. Is this
intentional?
- OLD "updates to RFC 5448 AKA' and"
NEW "updates to RFC 5448 EAP-AKA' and"
-- Section 3
- Some of the lines in Figure 1 are not correctly aligned
-- Section 3.1
- OLD "distinghuishable"
NEW "distinguishable"
-- Section 5
- OLD "the right type of identifiers are used"
NEW "the right type of identifiers is used"
-- Section 5.2
- OLD "signalling"
NEW "signaling" (Other parts of the draft are US English, e.g. "authorized")
-- Security Consideration
I think the security considerations should be updated to be aligned with
current security and privacy practices. The security considerations need to
talk more about privacy and pervasive monitoring [RFC6973][RFC7258].
- The privacy issues when SUCI is not used should be described (i.e. passive
and/or active IMSI catchers are sniffing cellular identities to identify and/or
track users). The security considerations should probably also include a strong
recommendation to use SUCI.
- The lack of perfect forward secrecy in EAP-AKA' and its effects on pervasive
monitoring should be described, e.g. attacks on manufacturers of SIM cards
opening up for large scale pervasive monitoring and active attacks.
-- Section 8.3
The table in Section 8.3 should be updated to refer to "this document" instead
of to the to-be-obsoleted RFC 5448.
-- Appendix E
- OLD "Milenage"
NEW "MILENAGE"
- The test vectors in case 1 and case 2 should be as beautifully aligned as
case 3 and case 4.
Cheers,
John
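The forward-secrecy point raised above can be made concrete with a small model. The following is an added illustration, not part of the mail and not the RFC 5448 or 3GPP key schedule: it uses a deliberately simplified HMAC-based derivation and a toy Diffie-Hellman group (a Mersenne prime, not a standardized group), and the "leak of K" is simulated by handing the long-term key to a passive observer after the session has ended. The constant names (`derive_static_key`, `derive_pfs_key`, `NETWORK_NAME`) are assumptions for the example. It shows that when the session key is a deterministic function of K and values sent in the clear (RAND, network name), a recorded exchange becomes readable as soon as K is later obtained, whereas mixing in an ephemeral DH secret leaves the observer unable to recompute the old key even with K in hand.

```python
import hashlib
import hmac
import os
import secrets

# Toy Diffie-Hellman group for illustration only (a Mersenne prime, not a
# standardized group); a real protocol would use a vetted group or curve.
P = 2**127 - 1
G = 3
# Constructed value standing in for the network-name input of the derivation.
NETWORK_NAME = b"WLAN"


def derive_static_key(k: bytes, rand: bytes, network_name: bytes) -> bytes:
    """Toy key schedule without forward secrecy: the session key depends only on
    the long-term key K and on values that cross the air interface in the clear."""
    msg = b"session|" + rand + b"|" + network_name
    return hmac.new(k, msg, hashlib.sha256).digest()


def derive_pfs_key(k: bytes, rand: bytes, network_name: bytes, dh_secret: bytes) -> bytes:
    """Same schedule with an ephemeral DH shared secret mixed in."""
    msg = b"session|" + rand + b"|" + network_name + b"|" + dh_secret
    return hmac.new(k, msg, hashlib.sha256).digest()


def dh_keypair():
    """Ephemeral private exponent in [1, P-2] and its public value."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared_secret(own_private: int, peer_public: int) -> bytes:
    # P is 127 bits, so the shared value always fits in 16 bytes.
    return pow(peer_public, own_private, P).to_bytes(16, "big")


def run_session(with_ephemeral_dh: bool):
    """Run one toy authentication. Returns the real session key, what a passive
    observer could record from the air, and the long-term key K (to be leaked)."""
    k = os.urandom(16)      # long-term subscriber key, shared by SIM and home network
    rand = os.urandom(16)   # challenge, sent in the clear
    transcript = {"rand": rand, "network_name": NETWORK_NAME}
    if with_ephemeral_dh:
        a, pub_a = dh_keypair()   # peer's ephemeral pair
        b, pub_b = dh_keypair()   # server's ephemeral pair
        transcript["pub_a"], transcript["pub_b"] = pub_a, pub_b
        # Both legitimate parties arrive at the same shared secret.
        assert dh_shared_secret(a, pub_b) == dh_shared_secret(b, pub_a)
        session_key = derive_pfs_key(k, rand, NETWORK_NAME, dh_shared_secret(a, pub_b))
    else:
        session_key = derive_static_key(k, rand, NETWORK_NAME)
    return session_key, transcript, k


def observer_recovers_key(with_ephemeral_dh: bool) -> bool:
    """A passive observer stores the transcript and later obtains K (the mail's
    example: a compromise at the SIM manufacturer). Can it now recompute the
    session key of the recorded exchange from the recording plus K alone?"""
    session_key, transcript, leaked_k = run_session(with_ephemeral_dh)
    if not with_ephemeral_dh:
        guess = derive_static_key(leaked_k, transcript["rand"], transcript["network_name"])
    else:
        # The observer holds both public values but neither private exponent, so it
        # cannot form the shared secret. Using the public values as a stand-in makes
        # the failure concrete: the derived key does not match.
        bogus = (transcript["pub_a"] * transcript["pub_b"] % P).to_bytes(16, "big")
        guess = derive_pfs_key(leaked_k, transcript["rand"], transcript["network_name"], bogus)
    return hmac.compare_digest(guess, session_key)


if __name__ == "__main__":
    print("static schedule, K leaked later -> old key recovered:",
          observer_recovers_key(False))   # True
    print("ephemeral DH mixed in, K leaked later -> old key recovered:",
          observer_recovers_key(True))    # False
```

The design point for the security considerations text is visible in `run_session`: in the static case every input to the key schedule other than K is observable, so a later compromise of K is retroactive across all recorded sessions, which is exactly what makes large-scale passive collection attractive. With an ephemeral contribution, K compromise still matters for future sessions (it breaks authentication), but it no longer unlocks the stored past.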
___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu