[Last-Call] Opsdir last call review of draft-ietf-emu-rfc7170bis-15

Reviewer: Bo Wu
Review result: Has Nits

Hi Authors,

I am the assigned opsdir reviewer for this document.

Overall, the document makes a significant improvement over RFC 7170.

This document obsoletes RFC 7170 (Tunnel Extensible Authentication Protocol
(TEAP) version 1), and improves the protocol with modifications to several
sections of RFC 7170, such as the Introduction, Terminology, TEAP Protocol,
Message Formats, IANA Considerations, Security Considerations, and Examples.
This document obsoletes Protected Access Credentials (PAC) based on
implementation experience and improves the definition of the inner method.

Here are some nits I found:

1.2. Terminology
Inner method -> Inner Method
PKCS: Good to expand on first use.

3.2. TEAP Authentication Phase 1: Tunnel Establishment
TLS-PSK: Good to expand on the first use and add reference.

3.3. Server Certificate Requirements
Redundant word:
Systems SHOULD use a a private Certification Authority (CA) -> Systems SHOULD
use a private Certification Authority (CA)

3.4. Server Certificate Validation
Redundant period:
Further guidance on server identity validation can be found in [RFC9525]
Section 6.. -> Further guidance on server identity validation can be found in
[RFC9525] Section 6.

In Section 3.6.2:
TOTP expand on the first use
Redundant word:

The use of EAP-FAST-GTC as defined in RFC 5421 [RFC5421] is NOT RECOMMENDED
-> The use of EAP-FAST-GTC as defined in [RFC5421] is NOT RECOMMENDED

3.6.4. Limitations on inner methods -> 3.6.4. Limitations on Inner Methods

EAP-TLS, EAP-MSCHAPv2, and perhaps EAP-pwd
I think it would be good to add some references here.

3.6.5. Protected Termination and Acknowledged Result Indication
Except as noted below, the Crypto-Binding TLV MUST be exchanged and verified
before the final Result TLV exchange.
It is not clear to me that "except as noted below" is useful here.

3.11.2. Certificate Content and Uses
The format of a CSR is complex, and contain a substantial amount of
information.
-> The format of a CSR is complex, and contains a substantial amount of
information.

3.11.3. Server Unauthenticated Provisioning Mode
Instead, they should use that mode to set up a secure / authenticated tunnel
-> Instead, they should use that mode to set up a secure authenticated tunnel

Note that server unauthenticated provisioning -> Server Unauthenticated
Provisioning

4.2.13. Crypto-Binding TLV
OLD:
< 1 Binding Response
New:
1 Binding Response

4.2.19. CSR-Attributes TLV
The base64 encoding in used
-> The base64 encoding is used

4.2.20. Identity-Hint TLV
The Identity-Hint TLV is an optional TLV which can sent
-> The Identity-Hint TLV is an optional TLV which can be sent

When the Identity-Hint is use
-> When the Identity-Hint is in use

The Identity-Hint TLV is used only as a guide to selecting
-> The Identity-Hint TLV is used only as a guide to select

5.3. Computing the Compound MAC
is run then no EMSK or MSK will be generated.
The sentence is incomplete.

5.4. EAP Master Session Key Generation
The label is is the ASCII value for the string without quotes.
-> The label is the ASCII value for the string without quotes.

I think the Appendix sections would be better placed after the References section.

Thanks,
Bo Wu
