WG Action: Formed EAP Method Update (emu)

The EAP Method Update (emu) WG in the Security Area of the IETF has been
reopened. For additional information, please contact the Area Directors or
the WG Chair.

EAP Method Update (emu)
-----------------------------------------------------------------------
Current status: Proposed WG

Chairs:
  Joseph Salowey <joe@salowey.net>

Assigned Area Director:
  Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>

Security Area Directors:
  Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
  Eric Rescorla <ekr@rtfm.com>

Mailing list:
  Address: emu@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/emu
  Archive: https://mailarchive.ietf.org/arch/search/?email_list=emu

Group page: https://datatracker.ietf.org/group/emu/

Charter: https://datatracker.ietf.org/doc/charter-ietf-emu/

The Extensible Authentication Protocol (EAP) [RFC 3748] is a network
access authentication framework used, for instance, in 802.11, VPN,
and mobile networks. EAP itself is a simple carrier protocol; the
actual authentication happens in EAP methods.

Over 50 different EAP methods exist, including several methods
developed in the IETF, and support for EAP exists in a broad set
of different devices. Previous larger EAP-related efforts at the
IETF included rewriting the base EAP protocol documentation and
the development of several standards track EAP methods.

EAP methods are generally based on other existing security
technologies, such as TLS, SIM cards, and various algorithms.
Some of these technologies continue to evolve. The
understanding of security threats in today's Internet evolves as
well, which has driven some of the evolution in these underlying
technologies. At the same time, some new use cases for EAP have
been identified, such as broader use of EAP in mobile network
authentication.

This working group has been chartered to provide updates to some
commonly used EAP methods. Specifically, the working group shall
produce documents to:

   - Provide guidance or an update to enable the use of TLS 1.3 in the
     context of EAP-TLS (RFC 5216). Update the security
     considerations relating to EAP-TLS to document the implications
     of using new vs. old TLS versions, any recently gained knowledge
     of vulnerabilities, and the possible implications of
     pervasive surveillance.

   - Update the EAP-AKA' specification (RFC 5448) to ensure that its
     capability to provide a cryptographic binding to network context
     stays in sync with what updates may come to the referenced 3GPP
     specifications through the use of EAP in 5G.

     Also, the group should document any recently gained new
     knowledge on vulnerabilities or the possible implications of
     pervasive surveillance or other new concerns.

   - Define session identifiers for fast re-authentication for
     EAP-SIM, EAP-AKA, and EAP-AKA'. The lack of this definition
     is a recently discovered bug in the original RFCs.

   - Develop an extension to EAP-AKA' such that Perfect Forward Secrecy
     can be provided. There may also be privacy improvements that
     have become feasible with the introduction of recent identity
     privacy improvements in 3GPP networks.

   - Gather experience regarding the use of large certificate and
     certificate chain sizes in the context of EAP-TLS (all versions),
     as some implementations and access networks may limit the
     number of EAP packet exchanges that can be handled.
     Document operational recommendations or other mitigation
     strategies to avoid issues.

In all of the above, it is a requirement that none of the updates
break backwards compatibility with existing specifications or
implementations. The current EAP-TLS RFCs will not be obsoleted but
rather updated with either new information or instructions on
what is needed, for instance, to employ a new TLS version.

The working group is expected to stay in close collaboration with
the EAP deployment community, the TLS working group (for EAP-TLS
work), and the 3GPP security architecture group (for EAP-AKA'
work).
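The last work item above (large certificate chains versus the number of EAP packet exchanges an authenticator tolerates) can be sanity-checked before deployment. The following is an added example, not part of the charter or of any EMU document: it models RFC 5216 fragmentation at the minimum EAP MTU, counts the request/response round trips a full EAP-TLS handshake needs, and compares the result with an authenticator limit. The round-trip limit, the non-certificate handshake overheads and the certificate sizes are constructed assumptions for illustration; the header sizes come from RFC 3748 and RFC 5216.

```python
import math

# Header sizes per RFC 3748 section 4 and RFC 5216 section 3.1.
EAP_HEADER = 5          # Code (1) + Identifier (1) + Length (2) + Type (1)
EAP_TLS_FLAGS = 1       # EAP-TLS Flags octet (L, M, S bits)
EAP_TLS_LENGTH = 4      # TLS Message Length, present only when the L bit is set
EAP_MIN_MTU = 1020      # minimum EAP MTU a lower layer must carry (RFC 3748 section 3.1)

# Assumed authenticator behaviour for this example: the EAP session is dropped
# after this many request/response round trips. The figure is an assumption
# chosen for illustration, not a value taken from the charter.
ASSUMED_MAX_ROUND_TRIPS = 50

# Constructed certificate chains (DER sizes in bytes, leaf first, root last).
# The "large" sizes are chosen so that the example crosses the assumed limit.
MODEST_SERVER = [1650, 1350, 1450]
MODEST_CLIENT = [1600, 1350, 1450]
LARGE_SERVER = [9000, 7000, 6000, 2000]
LARGE_CLIENT = [8500, 6000, 5500, 2000]


def eap_tls_fragments(flight_bytes, eap_mtu=EAP_MIN_MTU):
    """Number of EAP-TLS packets needed to carry one TLS flight.

    An unfragmented message fits in one packet and may omit the length field.
    Otherwise the first fragment also carries the 4-octet TLS Message Length
    (L bit set) and every later fragment only the flags octet (RFC 5216 2.1.5).
    """
    if flight_bytes <= 0:
        return 0
    per_packet = eap_mtu - EAP_HEADER - EAP_TLS_FLAGS
    if flight_bytes <= per_packet:
        return 1
    first = per_packet - EAP_TLS_LENGTH
    return 1 + math.ceil((flight_bytes - first) / per_packet)


def eap_tls_round_trips(server_flight_bytes, client_flight_bytes, eap_mtu=EAP_MIN_MTU):
    """Approximate EAP round trips for a full EAP-TLS handshake.

    Every fragment is acknowledged by an EAP packet with no data from the other
    side (RFC 5216 section 2.1.5), so each fragment of either large flight costs
    one request/response round trip. The three fixed round trips are an
    approximation used by this example: Identity exchange, EAP-TLS Start with
    the ClientHello in reply, and the server's final flight.
    """
    fixed = 3
    return (fixed + eap_tls_fragments(server_flight_bytes, eap_mtu)
            + eap_tls_fragments(client_flight_bytes, eap_mtu))


def flight_size(handshake_overhead, chain, send_root=True):
    """TLS flight size: fixed handshake messages plus every certificate sent.

    The root CA may be left out of the transmitted chain because the verifier
    already holds it as a trust anchor; omitting it is a cheap mitigation.
    """
    certs = chain if send_root else chain[:-1]
    return handshake_overhead + sum(certs)


def check(server_chain, client_chain, send_root=True, eap_mtu=EAP_MIN_MTU,
          limit=ASSUMED_MAX_ROUND_TRIPS):
    """Return (round_trips, fits_within_limit) for one deployment scenario."""
    # Assumed overheads for the non-certificate handshake messages (constructed).
    server_flight = flight_size(400, server_chain, send_root)  # ServerHello .. ServerHelloDone
    client_flight = flight_size(500, client_chain, send_root)  # ClientKeyExchange, CertificateVerify, Finished
    rtt = eap_tls_round_trips(server_flight, client_flight, eap_mtu)
    return rtt, rtt <= limit


if __name__ == "__main__":
    for name, srv, cli in (("modest", MODEST_SERVER, MODEST_CLIENT),
                           ("large", LARGE_SERVER, LARGE_CLIENT)):
        for send_root in (True, False):
            rtt, ok = check(srv, cli, send_root=send_root)
            print(f"{name:6} chain, root {'sent' if send_root else 'omitted'}: "
                  f"{rtt} round trips -> {'ok' if ok else 'EXCEEDS limit'}")
```

With the constructed inputs the modest chains need 13 round trips, while the large chains need 51 at a 1020-octet MTU and only fit (47) once the root certificate is dropped from both transmitted chains; raising the EAP MTU to 1400 octets, where the lower layer supports it, brings the same large chains down to 38. Both levers are the kind of operational recommendation the work item asks the group to document.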

Milestones:

  Mar 2018 - Working Group Established

  Apr 2018 - WG adopts initial draft on guidance for EAP TLS with TLS 1.3

  Apr 2018 - WG adopts initial draft on EAP-AKA' update, RFC5448-bis,
  including the definition of session identifiers for fast re-authentication
  for EAP-AKA'

  Sep 2018 - WG last call on EAP-AKA' update, RFC5448-bis

  Oct 2018 - WG adopts initial draft on extension to EAP-AKA' to support
  forward secrecy

  Oct 2018 - WG adopts initial draft on definition of session identifiers for
  fast re-authentication for EAP-SIM and EAP-AKA

  Nov 2018 - WG last call on guidance for EAP TLS with TLS 1.3

  Dec 2018 - WG adopts initial draft on operational recommendations for large
  certificate and chain sizes

  Jan 2019 - WG last call on definition of session identifiers for fast 
  re-authentication in EAP-SIM and EAP-AKA

  Feb 2019 - WG last call on extension to EAP-AKA' to support forward secrecy

  May 2019 - WG last call on operational recommendations for large 
  certificate and chain sizes
