EAP-based Authentication Service for CoAP
draft-ietf-ace-wg-coap-eap-15

[Ballot comment]
Thanks to Loganaden Velvindron for addressing my DISCUSS and thanks to Dan for addressing my COMMENTs (kept below for archiving).

The whole email thread is at https://mailarchive.ietf.org/arch/msg/ace/WYJryqoMGfUjbCVFOUztAtzKUiE/

# COMMENTS (non-blocking)

## Section 3.1

Where is `Step 0` defined ? I.e., refer to section 3.2.

The text is too assertive about the use of mDNS & DHCPv6 as these protocols cannot currently be used for the discovery (i.e., no option is defined for DHCPv6).

## Section 3.2

Who is `we` ? The authors ? The WG ? The IETF ? Suggest using the passive voice.

## Section 7.1

Is CoAP always over IPv6, i.e., does it always run over 6LO, RFC 7252 seems to allow CoAP over IPv4 ? Else `CoAP goes on top of UDP/TCP, which provides a checksum mechanism over its payload` is not correct as UDP over IPv4 can have no check-sum.

# NITS (non-blocking / cosmetic)

## Use of SVG graphics

Please consider using the aasvg tool to have nice graphics ;-)

# Document Shepherd Writeup

*This version is dated 8 April 2022.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this writeup to give helpful context to Last Call and
Internet Engineering Steering Group ([IESG][1]) reviewers, and your diligence in
completing it, is appreciated. The full role of the shepherd is further
described in [RFC 4858][2], and informally. You will need the cooperation of
authors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?
The Working Group reached broad agreement.


2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was some controversy about whether there was a real world use case for this
  document at all. This seemed to have been based mostly on the EAP Method requirement
  of an MSR, and the most common EAP Method being EAPTLS. Where if you implement TLS for
  EAPTLS, you wouldn't be a real constrained CoAP device anymore. This was clarified in
  the -13 draft with examples of other EAP Methods that produce an MSR that can be used.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  Yes there was one person who objected (see 2. above). It is believed this issue is now
  resolved with the -13 draft.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?
There are implementations, e.g. https://github.com/topics/coap-eap

### Additional Reviews

5. Does this document need review from other IETF working groups or external
  organizations? Have those reviews occurred?
Yes. It was reviewed by EMU WG.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
N/A

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?
N/A

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.
N/A

### Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?
Yes. It is ready to be handed off to the responsible Area Director.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. Do any such issues remain that would merit specific
    attention from subsequent reviews?
No. There are no remaining issues.

11. What type of RFC publication is being requested on the IETF stream (Best
    Current Practice, Proposed Standard, Internet Standard, Informational,
    Experimental, or Historic)? Why is this the proper type of RFC? Do all
    Datatracker state attributes correctly reflect this intent?
Proposed Standard.

12. Has the interested community confirmed that any and all appropriate IPR
    disclosures required by [BCP 78][7] and [BCP 79][8] have been filed? If not,
    explain why. If yes, summarize any discussion and conclusion regarding the
    intellectual property rights (IPR) disclosures, including links to relevant
    emails.

    Authors confirmed they do not know of any IPR: https://mailarchive.ietf.org/arch/msg/ace/mHTFS99rLcr8ItU4Rr_6i7ToLSQ/

13. Has each Author or Contributor confirmed their willingness to be listed as
    such? If the number of Authors/Editors on the front page is greater than 5,
    please provide a justification.

    Confirmed.

14. Identify any remaining I-D nits in this document. (See [the idnits tool][9]
    and the checkbox items found in Guidelines to Authors of Internet-Drafts).
    Simply running the idnits tool is not enough; please review the entire
    guidelines document.

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

    No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == There is 1 instance of lines with non-ascii characters in the document.


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

    No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document date (27 May 2022) is 19 days in the past.  Is this
    intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

    (See RFCs 3967 and 4897 for information about using normative references
    to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '0' on line 632

  -- Looks like a reference, but probably isn't: '1' on line 629

  -- Looks like a reference, but probably isn't: '2' on line 629

  ** Downref: Normative reference to an Informational RFC: RFC 5869

  ** Downref: Normative reference to an Informational RFC: RFC 7967

  == Outdated reference: A later version (-46) exists of
    draft-ietf-ace-oauth-authz-36

  == Outdated reference: draft-ietf-core-resource-directory has been
    published as RFC 9176

  == Outdated reference: draft-ietf-emu-eap-noob has been published as RFC
    9140

  -- Obsolete informational reference (is this intentional?): RFC 6347
    (Obsoleted by RFC 9147)


    Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 5 comments (--).
15. Should any informative references be normative or vice-versa?
Yes.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?
None.

17. Are there any normative downward references (see [RFC 3967][10],
    [BCP 97][11])? If so, list them.
No.

18. Are there normative references to documents that are not ready for
    advancement or are otherwise in an unclear state? If they exist, what is the
    plan for their completion?
None.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.
No.
20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][12]).
  *  Assignment of EAP lower layer identifier.
IANA registry: https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml.
Requires expert review: Joseph Salowey. Please ask the authors to fill in the IANA
table.

  *  Assignment of the URI /.well-known/coap-eap
IANA registry: https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml.
Requires expert review: Mark Nottingham. Please ask the authors to fill in the IANA table.

  *  Assignment of the media type "application/coap-eap"

In order to move forward the draft, I am wondering if the media type registration has been filled in according to https://www.rfc-editor.org/rfc/rfc6838.html#section-5. I believe the IANA section of the document should include a template similar to this: https://datatracker.ietf.org/doc/html/rfc8613#section-13.8. I also believe it would be clear to have the exact table of the registry in the IANA section.

IANA registry: https://www.iana.org/assignments/media-types/media-types.xhtml.
Requires expert review: Ned Freed, Alexey Melnikov, Murray Kucherawy.
From RFC 6838: "registration requests can be sent to iana@iana.org". A web form for registration requests is also available: http://www.iana.org/form/media-types according to https://www.rfc-editor.org/rfc/rfc6838.html#section-5.


  *  Assignment of the content format "application/coap-eap"
IANA registry: https://www.iana.org/assignments/media-types/media-types.xhtml.
Requires expert review: Ned Freed, Alexey Melnikov, Murray Kucherawy.
Could you please send the requests to iana@iana.org ?
A web form for registration requests is also available: https://www.iana.org/form/media-types.
Please fill the IANA section with the exact table.

  *  Assignment of the resource type (rt=) "core.coap-eap"
IANA registry: https://www.iana.org/assignments/core-parameters/core-parameters.xhtml.
Requires expert review: Carsten Bormann, Jaime Jimenez, Christian Amsüss.
Could you please send the requests to iana@iana.org ?
According to https://www.rfc-editor.org/rfc/rfc6690.html#section-3.1, can you please let us know if you have followed the described procedure ?

  *  Assignment of the numbers assigned for the cipher suite
      negotiation
Can you please write down the assignment of numbers for the cipher suite negotiation ?

  *  Assignment of the numbers assigned for the numbers of the CBOR
      object in CoAP-EAP
Can you please write down the assignment of numbers of the CBOR object in CoAP-EAP ? In, particular, I would like to know the link to the IANA registry as well as the reference to the registration procedure you followed and the exact table.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp78
[8]: https://www.rfc-editor.org/info/bcp79
[9]: https://www.ietf.org/tools/idnits/
[10]: https://www.rfc-editor.org/rfc/rfc3967.html
[11]: https://www.rfc-editor.org/info/bcp97
[12]: https://www.rfc-editor.org/rfc/rfc8126.html

[Ballot comment]
Thanks for resolving my IANA Considerations concerns.

Comments, preserved from my ballot about -11:

==

I support Orie's DISCUSS position, plus his question about the peculiar SHOULD.

"MSK" is used in Section 1 before being defined in Section 3.2.  (They're also my initials; I thought I was being trolled.)

"HKDF" is used in Section 6.1 before it is defined later in that section.

Sections 9.3 through 9.6 are adding things to existing registries.  There's no need to re-state their registration policies.

In Appendix A, I suggest changing "Analogously" to "Analogous".

[Ballot comment]
Thanks for addressing my comments in https://mailarchive.ietf.org/arch/msg/ace/7dNh63l6ESnGC3attFZQoXnBhKI/

I assume a new version will be published applying these, and am changing the ballot to no objection.

[Ballot discuss]
Thank you for the work on this document.

I have a few comments that I'd like to see addressed before the document moves forward. I don't think any of these are particularly controversial, but they really should be fixed before publication, which is why I mark them as DISCUSS.

Section 3.5.1:

> EAP authentication MAY fail in different situations (e.g., wrong credentials).

Incorrect use of BCP 14 "MAY", I think you mean to use "may" in this case.

Section 6.2:

> CS is the concatenation of the content of the cipher suite negotiation, that is, the list of cipher suites sent by the EAP authenticator (Step 1) to the selected option by the EAP peer (Step 2).

"The list of cipher suites" and "the selected option" is not precise enough on what CS is: you need to specify that CS is the concatenation of two CBOR arrays (with CBOR ints or text strings as elements), as defined in section 5. One could interpret it as being the concatenation of a CBOR array with a CBOR int or tstr. Same comment for the Master Salt, which should be made consistent with the text for Master Secret, and instead now says:

> CS is the concatenation of the content of the cipher suite negotiation, in the request and response. If any of the messages did not contain the CBOR array, the null string is used.

Section 6.2: You should explicitly mention that ID Context is not provided for the OSCORE Security Context derivation.

[Ballot comment]
I support Murray's and Orie's DISCUSSes.

Section 3.2:

>  In this step, the EAP peer MAY create an OSCORE security context (see Section 6.2). The required Master Session Key (MSK) will be available once the EAP authentication is successful in step 7.

But MSK is necessary to derive the OSCORE security context - that means the EAP peer cannot create it in this step, right? What did I miss?

Section 5:

> cipher suite: It contains an array including the list of the proposed or selected COSE algorithms for OSCORE.

This is a nit (and my personal interpretation of verbs in CBOR terminology) - I would remove "it contains". cipher suite "is" an array. "containing" is used for arrays or maps, which would make this an array of arrays. Same for the other parameters, I would just replace "contains" with "is".

Section 6.1:

> This list is included in the payload after the EAP message through a CBOR as explained previously.

Missing text (CBOR ...? object? array?). I would also recommend to remove "previously" and replace with the precise reference (Section 5?)

Section 6.2: I would suggest adding a pointer to Section 3.2.1 of RFC 8613 somewhere in this section to mention that once Master Secret and Master Salt are derived you can use them to derive the rest of the OSCORE Security Context.

[Ballot comment]
Thanks for working on this specification. No objection, but supporting Murray's discuss as I also would like to see proper instruction for the DE to execute on the ask.

[Ballot discuss]

# Éric Vyncke, INT AD, comments for draft-ietf-ace-wg-coap-eap-11

Thank you for the work put into this document. I like the idea of using EAP to authenticate and secure CoAP.

Please find below one blocking DISCUSS points (easy to address by the shepherd), some non-blocking COMMENT points (but replies would be appreciated even if only for my own education), and some nits.

Thanks to Loganaden Velvindron for the shepherd's detailed write-up including the WG consensus *but it lacks* the justification of the intended status. It is also to vague, hence a DISCUSS ballot.

Other thanks to Eliot Lear, the IoT directorate reviewer (at my request), please consider this int-dir review:
https://datatracker.ietf.org/doc/review-ietf-ace-wg-coap-eap-11-iotdir-telechat-lear-2024-10-19/
and a previous early review https://datatracker.ietf.org/doc/review-ietf-ace-wg-coap-eap-08-iotdir-early-lear-2023-07-05/
Glad to read the follow-up email discussions with Eliot and the authors.

I hope that this review helps to improve the document,

Regards,

-éric


# DISCUSS (blocking)

As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a DISCUSS ballot is just a request to have a discussion on the following topics:

## Shepherd write-up

There are too many "XXX: check with co-authors' included critical questions about IPR disclosure and willingness to be cited as authors. I.e., I do no think that it is up to the IESG to check these points on their own.

I also find that answers to question 1 and 2 as contradicting each others...

[Ballot comment]

# COMMENTS (non-blocking)

## Section 3.1

Where is `Step 0` defined ? I.e., refer to section 3.2.

The text is too assertive about the use of mDNS & DHCPv6 as these protocols cannot currently be used for the discovery (i.e., no option is defined for DHCPv6).

## Section 3.2

Who is `we` ? The authors ? The WG ? The IETF ? Suggest using the passive voice.

## Section 7.1

Is CoAP always over IPv6, i.e., does it always run over 6LO, RFC 7252 seems to allow CoAP over IPv4 ? Else `CoAP goes on top of UDP/TCP, which provides a checksum mechanism over its payload` is not correct as UDP over IPv4 can have no check-sum.

# NITS (non-blocking / cosmetic)

## Use of SVG graphics

Please consider using the aasvg tool to have nice graphics ;-)

[Ballot discuss]
The absence of an answer to question #21 in the shepherd writeup is telling.  For a Designated Expert review registry, of which this document creates two (in Sections 9.1 and 9.2), BCP 26 says:

  The required documentation and review criteria, giving clear guidance
  to the designated expert, should be provided when defining the
  registry.

This appears to be absent here.  Is there any guidance for the DE that might be appropriate?

[Ballot comment]
I support Orie's DISCUSS position, plus his question about the peculiar SHOULD.

"MSK" is used in Section 1 before being defined in Section 3.2.  (They're also my initials; I thought I was being trolled.)

"HKDF" is used in Section 6.1 before it is defined later in that section.

Sections 9.3 through 9.6 are adding things to existing registries.  There's no need to re-state their registration policies.

In Appendix A, I suggest changing "Analogously" to "Analogous".

[Ballot comment]
All of these should be easy comments to resolve.  (I'd thank the secdir reviewer, but apparently it was me, LOL)

Shepherd write up:  This is more than 2 years old and looks to be both incomplete and out of date.  I'll note that he made a comment on the media type registration process (which may/may not have been followed).

Introduction:  I'm not sure why the expansion of MSK was deleted (v9 and v11), but I'd suggest replacing 'MSK' with 'Message Session Key (MSK)' here.  This will allow the use of MSK in other sections (3 times that I counted).

Section 3.5.2, title and first sentence:  'non-responding' vs 'non-responsive' (I'm not sure if this is common terminology, or a typo)

Section 3.5.3, para 3, second to last sentence:  'However, the EAP peer' should be 'However, if the EAP peer'?

[Ballot comment]
# Internet AD comments for draft-ietf-ace-wg-coap-eap-11
CC @ekline

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

### S3.2

* "counter' which is an incrementing unique number for every new EAP
  request.

  I assume this is actually "for every new EAP request within an EAP
  session" kind of thing?

[Ballot discuss]
# Orie Steele, ART AD, comments for draft-ietf-ace-wg-coap-eap-11
CC @OR13

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ace-wg-coap-eap-11.txt&submitcheck=True

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Discuss

Thanks Loganaden Velvindron for the shepherd writeup, I note his comments on media type issues, which I echo in my review.

I also note IANA review state is "Review Needed".

### well known uri

It does not appear that mnot's comments here were addressed: https://mailarchive.ietf.org/arch/msg/ace/HHSVWFPuPknnlZhojilF0AyD9To/

I agree with his comments.

See: https://datatracker.ietf.org/doc/html/rfc8615#section-3

I suggest adding a comment to the effect of... "/.well-known/coap-eap" (or /.well-known/coap/eap)  is used with "coap" / "coap+ws" or other entries which are already present here: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml

It seemed like the authors intended to address these comments: https://mailarchive.ietf.org/arch/msg/ace/rFm-eTKhaVoD8VWqQKTyeM61SxA/

Please confirm the current registration requests are as intended (apologies if I failed to trace the mailing list discussion properly)

### media type

I do not see a request for review for this media type registration here:
https://mailarchive.ietf.org/arch/browse/media-types/?q=coap-eap

Please seek a review per the guidance here: https://wiki.ietf.org/group/art/TypicalARTAreaIssues#media-types

In particular this part:

> Submit your actual registration (not a pointer to it) for review on the ietf-types@iana.org discussion list. Do this before you're ready to request publication of your draft.

I will change this part of my discuss to no objections in a week or so... assuming no concerns are raised.
Please make sure to copy-paste the full sections 9.5 (not just a pointer to them) in your mail to media-types.

[Ballot discuss]
# Orie Steele, ART AD, comments for draft-ietf-ace-wg-coap-eap-11
CC @OR13

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ace-wg-coap-eap-11.txt&submitcheck=True

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Discuss

Thanks Loganaden Velvindron for the shepherd writeup, I note his comments on media type issues, which I echo in my review.

I also note IANA review state is "Review Needed".

### well known uri

It does not appear that mnot's comments here were addressed: https://mailarchive.ietf.org/arch/msg/ace/HHSVWFPuPknnlZhojilF0AyD9To/

I agree with his comments.

See: https://datatracker.ietf.org/doc/html/rfc8615#section-3

I suggest adding a comment to the effect of... "/.well-known/coap-eap" (or /.well-known/coap/eap)  is used with "coap" / "coap+ws" or other entries which are already present here: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml

It seemed like the authors intended to address these comments: https://mailarchive.ietf.org/arch/msg/ace/rFm-eTKhaVoD8VWqQKTyeM61SxA/

Please confirm the current registration requests are as intended (apologies if I failed to trace the mailing list discussion properly)

### media type

I do not see a request for review for this media type registration here:
https://mailarchive.ietf.org/arch/browse/media-types/?q=coap-eap

Please seek a review per the guidance here: https://wiki.ietf.org/group/art/TypicalARTAreaIssues#media-types

In particular this part:

> Submit your actual registration (not a pointer to it) for review on the ietf-types@iana.org discussion list. Do this before you're ready to request publication of your draft.

I will change this part of my discuss to no objections in a week or so... assuming no concerns are raised.
Please make sure to copy-paste the full sections 9.5 and following (not just a pointer to them) in your mail to media-types.

[Ballot comment]

## Comments

### media types

```
1112   IANA has added the media types "application/coap-eap" to the "Media
1113   Types" registry.  The registration procedure is "Expert Review".
1114   Section 4 defines the format.
```

Thanks for the pointer to section 4, and the explanation in figure 7.

```
1153   *  Change Controller: IESG
```

Change controller should be IETF.

```
1144   *  Person and email address to contact for further information: See
1145       "Authors' Addresses" section.
```

Consider using a working group mailing list here instead (see recent registration requests on the media type list for details)

### use of null string in Master Secret

```
746   *  CS is the concatenation of the content of the cipher suite
747       negotiation, that is, the list of cipher suites sent by the EAP
748       authenticator (Step 1) to the selected option by the EAP peer
749       (Step 2).  If any of the messages did not contain the CBOR array
750       (default algorithms), the null string is used.
```

I don't understand this part.
Under which cases would the use of the null string be expected here?


### Redundant normative requirement?

```
180   is an EAP state machine that can run any EAP method.  For this
181   specification, the EAP method MUST be able to derive keying material.
```

```
219   An EAP method that does not export keying material MUST NOT be used.
```

deriving keying material vs exporting keyint material?

### When SHOULD state be kept forever?

Also how long is "some time"?

```
508   If, for any reason, one of the entities becomes non-responding, the
509   CoAP-EAP state SHOULD be kept only for some time before it is
510   removed.  The removal of the CoAP-EAP state in the EAP authenticator
```

### Array -> Algorithms

```
987   is "Expert Review".  The columns of the registry are Value, Array,
```

"Array" is a less than excellent column name... in this case, the column should be called "Algoritms"... right?

### When should tstr be used for ciphersuite?

```
620                     ?  1 : [+ int/tstr],  ; cipher suite
```

I assume the values here should come from the CoAP-EAP Cipher Suites registry, where 0 is the default.
I don't see any guidance on how or when a tstr "CoAP-EAP Cipher Suite" should be used... so I wonder how it will be interpretted by implementations.

### CDDL in CoAP-EAP Informational Elements

```
1052   *  Value: 1
1054   *  Name: cipher suite
1056   *  Description: List of the proposed or selected COSE algorithms for
1057       OSCORE
```

Should there be CBOR type information for each entry in this registry?
Consider the "CBOR Type" column here: https://www.iana.org/assignments/cose/cose.xhtml#key-type-parameters
...and note that "array (of array of uint)" is not CDDL, you can perhaps provide the DEs with guidance to protect against such issues in the future.

### Content Encoding

Per https://www.rfc-editor.org/errata_search.php?eid=4954

```
1163       +-----------------------+----------+------+-------------------+
1164       | Media Type            | Encoding | ID  | Reference        |
1165       +-----------------------+----------+------+-------------------+
1166       | application/coap-eap  | -        | TBD  | [[this document]] |
1167       +-----------------------+----------+------+-------------------+
```

Encoding -> Content Encoding? (This is probably already clear to IANA)

## Nits

### expand on first use

```
129   EAP methods transported in CoAP MUST generate cryptographic material
130   [RFC5247] in an MSK for this specification.  The MSK is used as the
```

### awkward sentence

missing of / are-> is ?

```
146   as the EAP authenticator.  In these cases, EAP methods that do not
147   require many exchanges, have short messages and use cryptographic
148   algorithms that are manageable by constrained devices are preferable.
149   The benefits of the EAP framework in IoT are highlighted in
150   [EAP-framework-IoT].
```

### extra of

```
160   Readers are expected to be familiar with the terms and concepts of
161   described in CoAP [RFC7252], EAP [RFC3748] [RFC5247] and OSCORE
162   [RFC8613]
```

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-ace-wg-coap-eap-10. If any part of this review is inaccurate, please let us know. We had also previously reviewed -09 of this draft.

The IANA understands that, upon approval of this document, there are eight actions which we must complete.

First, a new registry group, CoAP-EAP protocol, will be created and will have [ RFC-to-be ] as its reference.

Second, in the new CoAP-EAP protocol registry group created above, a new registry will be created called CoAP-EAP Cipher Suites. The registration procedure for the new registry will be Expert Review as defined in RFC8126. There are initial registrations in the new registry as follows:

Value Array Description Reference
-----+-----+-----------+----------
-24 N/A Reserved for Private Use [ RFC-to-be ]
-23 N/A Reserved for Private Use [ RFC-to-be ]
-22 N/A Reserved for Private Use [ RFC-to-be ]
-21 N/A Reserved for Private Use [ RFC-to-be ]
0 10, -16 AES-CCM-16-64-128, SHA-256 [ RFC-to-be ]
1 1, -16 A128GCM, SHA-256 [ RFC-to-be ]
2 3, -43 A256GCM, SHA-384 [ RFC-to-be ]
3 24, -16 ChaCha20/Poly1305, SHA-256 [ RFC-to-be ]
4 24, -45 ChaCha20/Poly1305, SHAKE256 [ RFC-to-be ]

Third, in the new CoAP-EAP protocol registry group created above, a new registry will be created called CoAP-EAP Information Element. The registration procedure for the new registry will be Expert Review as defined in RFC8126 except for values from 65000 to 65535 which are Reserved for Experimental Use as also defined in RFC8126. There are initial registrations in the new registry as follows:

Value: 0
Name: Reserved

Value: 1
Name: cipher suite
Description: List of the proposed or selected COSE algorithms for OSCORE
Reference: [ RFC-to-be ]

Value: 2
Name: RID-C
Description: It contains the Recipient ID of the EAP peer
Reference: [ RFC-to-be ]

Value: 3
Name: RID-I
Description: It contains the Recipient ID of the EAP authenticator
Reference: [ RFC-to-be ]

Value: 4
Name: Session-Lifetime
Description: Contains the time the session is valid in seconds
Reference: [ RFC-to-be ]

Fourth, in the Well-Known URIs registry located at:

https://www.iana.org/assignments/well-known-uris/

a single new registration will be made as follows:

URI Suffix: coap-rap
Reference: [ RFC-to-be ]
Status: Permanent
Change controller: IETF
Related Information:
Date Registered: [ TBD-at-Registration ]
Date Modified:

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request.

Fifth, in the EAP Lower Layers registry on the Extensible Authentication Protocol (EAP) Registry group located at:

https://www.iana.org/assignments/eap-numbers/

a single new registration will be made as follows:

Value: [ TBD-at-Registration ]
Lower Layer: CoAP-EAP
Reference: [ RFC-to-be ]

As this also requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request.

Sixth, in the application namespace of the Media Type registry located at:

https://www.iana.org/assignments/media-types/

A single media type will be registered as follows:

Name: coap-eap
Template: [ TBD-at-Registration ]
Reference: [ RFC-to-be ]

Seventh, in the CoAP Content Formats registry on the Constrained RESTful Environments (CoRE) Parameters registry group located at:

https://www.iana.org/assignments/core-parameters/

a single registration in the First Come First Served range will be made as follows:

Content Type: application/coap-eap
Content Coding:
ID: [ TBD-at-Registration ]
reference: [ RFC-to-be ]

Eighth, in the Resource Type (rt=) Link Target Attribute Values registry in the Constrained RESTful Environments (CoRE) Parameters registry group located at:

https://www.iana.org/assignments/core-parameters/

a single new registration will be made as follows:

Value: core.coap-eap
Description: CoAP-EAP resource
Reference: [ RFC-to-be ]
Notes:

We understand that these eight actions are the only ones required to be completed upon approval of this document.

NOTE: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

The following Last Call announcement was sent out (ends 2024-09-19):

From: The IESG
To: IETF-Announce
CC: ace-chairs@ietf.org, ace@ietf.org, draft-ietf-ace-wg-coap-eap@ietf.org, loganaden@gmail.com, paul.wouters@aiven.io
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (EAP-based Authentication Service for CoAP) to Proposed Standard


The IESG has received a request from the Authentication and Authorization for
Constrained Environments WG (ace) to consider the following document: -
'EAP-based Authentication Service for CoAP'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2024-09-19. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document specifies an authentication service that uses the
  Extensible Authentication Protocol (EAP) transported employing
  Constrained Application Protocol (CoAP) messages.  As such, it
  defines an EAP lower layer based on CoAP called CoAP-EAP.  One of the
  main goals is to authenticate a CoAP-enabled IoT device (EAP peer)
  that intends to join a security domain managed by a Controller (EAP
  authenticator).  Secondly, it allows deriving key material to protect
  CoAP messages exchanged between them based on Object Security for
  Constrained RESTful Environments (OSCORE), enabling the establishment
  of a security association between them.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/



No IPR declarations have been submitted directly on this I-D.

The EAP Lower Layers and the CoAP Content-Formats registrations has been approved. Well-Known URIs registration has been approved as well, with non-blocking comments from the expert: - I was a bit surprised that the spec didn't update the coap spec to put the new resource under /.well-known/coap/eap -- but that's up to the authors. - It would be good if the specification would identify the URI scheme(s) that it can be used with (per 8615 s 3).

The EAP Lower Layers registration has been approved.

Issues have been identified by the CoAP Content-Formats expert: I believe the draft would need a few updates to clarify the new media type and the precise request. * application/coap-eap is registered but never used (i.e. referred to by name) from any other section. * I couldn't find an explicit format/syntax definition for this new media type. * Is it equal to the CBOR data format defined in Section 4? If so, then section 4 should mention at least the name of the new media type and section 8.5 ideally should give a quick pointer to section 4 for the format definition. * the text in 8.6 should better refer to Section 12.3 of [RFC 7252] for the registry; link to [RFC 6690] is not so useful here. The text says "Expert Review" but that's only for the 0-255 range. For this range some additional motivation is required why it needs to be there, and this is missing. For the 256-9999 range the procedure is "IETF review" -> did you mean to select this range? It would be ok to continue the registration with the current draft, if the authors want to make text clarifications later on and not now. A number in the 256-9999 is for sure ok (if that's intended), for example 260, but for 0-255 range some reason/rationale needs to be provided. The Well-Known URIs registration has been approved, with non-blocking comments from the expert: - I was a bit surprised that the spec didn't update the coap spec to put the new resource under /.well-known/coap/eap -- but that's up to the authors. - It would be good if the specification would identify the URI scheme(s) that it can be used with (per 8615 s 3).

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-ace-wg-coap-eap-09. If any part of this review is inaccurate, please let us know.

IANA has a question about the third, fourth, and seventh actions requested in the IANA Considerations section of this document.

IANA understands that, upon approval of this document, there are eight actions which we must complete.

First, a new registry group is to be created called "CoAP-EAP Protocol".

Second, a new registry is to be created called CoAP-EAP Cipher Suites in the new CoAP-EAP Protocol registry group. The registry will be managed via Expert Review as defined in RFC8126. There are initial registrations in the new registry as follows:

Value Array Description Reference
-----+-----+-----------+----------
-24 N/A Reserved for Private Use [ RFC-to-be ]
-23 N/A Reserved for Private Use [ RFC-to-be ]
-22 N/A Reserved for Private Use [ RFC-to-be ]
-21 N/A Reserved for Private Use [ RFC-to-be ]
0 10, -16 AES-CCM-16-64-128, SHA-256 [ RFC-to-be ]
1 1, -16 A128GCM, SHA-256 [ RFC-to-be ]
2 3, -43 A256GCM, SHA-384 [ RFC-to-be ]
3 24, -16 ChaCha20/Poly1305, SHA-256 [ RFC-to-be ]
4 24, -45 ChaCha20/Poly1305, SHAKE256 [ RFC-to-be ]

Third, a new registry is to be created called CoAP-EAP Information Elements in the new CoAP-EAP Protocol registry group. There are initial registrations in the new registry as follows:

Value Name Description Reference
-----+-----+-----------+-----------
1 cipher suite List of the proposed or selected COSE algorithms for OSCORE [ RFC-to-be ]
2 RID-C It contains the Recipient ID of the EAP peer [ RFC-to-be ]
3 RID-I It contains the Recipient ID of the EAP authenticator [ RFC-to-be ]
4 Session-Lifetime Contains the time the session is valid in seconds [ RFC-to-be ]

IANA Question --> Is value 0 reserved or unused?

IANA Question --> IANA understands that values 0 - 64999 are managed via expert review and that values 65000 - 65535 are marked for experimental use as defined in section 4.2 of RFC 8126. Is this correct?

Fourth, in the Well-Known URI registry located at:

https://www.iana.org/assignments/well-known-uris/

a single new registration will be made as follows:

URI suffix: coap-eap
Change controller: IETF
Reference: [ RFC-to-be ]
Status:
Related information: None

IANA Question --> What should be the value for "Status" for this registration?

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have initiated and completed the required Expert Review.

Fifth, in the EAP Lower Layers registry in the Extensible Authentication Protocol (EAP) Registry group at:

https://www.iana.org/assignments/eap-numbers/

a single new registration is to be made as follows:

Value: [ TBD-at-Registration ]
Lower Layer: CoAP-EAP
Reference: [ RFC-to-be ]

As this also requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have initiated the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

Sixth, in the application namespace of the Media Types registry located at:

https://www.iana.org/assignments/media-types/

a single new registration will be made as follows:

Name: coap-eap
Template: [ TBD-at-Registration ]
Reference: [ RFC-to-be ]

IANA notes that there is an online application for media types located at:

https://www.iana.org/form/media-types

Seventh, in the CoAP Content Formats registry in the Constrained RESTful Environments (CoRE) Parameters registry group located at:

https://www.iana.org/assignments/core-parameters/

a single new registration will be made as follows:

Content Type: application/coap-eap
Content Coding:
ID: [ TBD-at-Registration ]
Reference: [ RFC-to-be ]

IANA Question --> What range should this registration come from in the CoAP Content Formats registry? Please see the four available ranges at:

https://www.iana.org/assignments/core-parameters/

As this also requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have initiated the required Expert Review via a separate request. The expert has requested for some clarifications, which has been forwarded. This review must be completed before the document's IANA state can be changed to "IANA OK."

Eighth, in the Resource Type (rt=) Link Target Attribute Values registry also in the Constrained RESTful Environments (CoRE) Parameters registry group located at:

https://www.iana.org/assignments/core-parameters/

a single new registration will be made as follows:

Value: core.coap-eap
Description: CoAP-EAP resource
Reference: [ RFC-to-be ]
Notes:

We understand that these are the only actions required to be completed upon approval of this document.

NOTE: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

Issues have been identified by the CoAP Content-Formats expert: I believe the draft would need a few updates to clarify the new media type and the precise request. * application/coap-eap is registered but never used (i.e. referred to by name) from any other section. * I couldn't find an explicit format/syntax definition for this new media type. * Is it equal to the CBOR data format defined in Section 4? If so, then section 4 should mention at least the name of the new media type and section 8.5 ideally should give a quick pointer to section 4 for the format definition. * the text in 8.6 should better refer to Section 12.3 of [RFC 7252] for the registry; link to [RFC 6690] is not so useful here. The text says "Expert Review" but that's only for the 0-255 range. For this range some additional motivation is required why it needs to be there, and this is missing. For the 256-9999 range the procedure is "IETF review" -> did you mean to select this range? It would be ok to continue the registration with the current draft, if the authors want to make text clarifications later on and not now. A number in the 256-9999 is for sure ok (if that's intended), for example 260, but for 0-255 range some reason/rationale needs to be provided.
     
The Well-Known URIs registration has been approved, with non-blocking comments from the expert:
- I was a bit surprised that the spec didn't update the coap spec to put the new resource under /.well-known/coap/eap -- but that's up to the authors.
- It would be good if the specification would identify the URI scheme(s) that it can be used with (per 8615 s 3).

Issues have been identified by the CoAP Content-Formats expert:

I believe the draft would need a few updates to clarify the new media type and the precise request.

* application/coap-eap is registered but never used (i.e. referred to by name) from any other section.
* I couldn't find an explicit format/syntax definition for this new media type.
* Is it equal to the CBOR data format defined in Section 4? If so, then section 4 should mention at least the name of the new media type and section 8.5 ideally should give a quick pointer to section 4 for the format definition.
* the text in 8.6 should better refer to Section 12.3 of [RFC 7252] for the registry; link to [RFC 6690] is not so useful here.
The text says "Expert Review" but that's only for the 0-255 range. For this range some additional motivation is required why it needs to be there, and this is missing.
For the 256-9999 range the procedure is "IETF review" -> did you mean to select this range?

It would be ok to continue the registration with the current draft, if the authors want to make text clarifications later on and not now.
A number in the 256-9999 is for sure ok (if that's intended), for example 260, but for 0-255 range some reason/rationale needs to be provided.

The following Last Call announcement was sent out (ends 2024-01-25):

From: The IESG
To: IETF-Announce
CC: ace-chairs@ietf.org, ace@ietf.org, draft-ietf-ace-wg-coap-eap@ietf.org, loganaden@gmail.com, paul.wouters@aiven.io
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (EAP-based Authentication Service for CoAP) to Proposed Standard


The IESG has received a request from the Authentication and Authorization for
Constrained Environments WG (ace) to consider the following document: -
'EAP-based Authentication Service for CoAP'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2024-01-25. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document specifies an authentication service that uses the
  Extensible Authentication Protocol (EAP) transported employing
  Constrained Application Protocol (CoAP) messages.  As such, it
  defines an EAP lower layer based on CoAP called CoAP-EAP.  One of the
  main goals is to authenticate a CoAP-enabled IoT device (EAP peer)
  that intends to join a security domain managed by a Controller (EAP
  authenticator).  Secondly, it allows deriving key material to protect
  CoAP messages exchanged between them based on Object Security for
  Constrained RESTful Environments (OSCORE), enabling the establishment
  of a security association between them.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/



No IPR declarations have been submitted directly on this I-D.

# Document Shepherd Writeup

*This version is dated 8 April 2022.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this writeup to give helpful context to Last Call and
Internet Engineering Steering Group ([IESG][1]) reviewers, and your diligence in
completing it, is appreciated. The full role of the shepherd is further
described in [RFC 4858][2], and informally. You will need the cooperation of
authors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?
The Working Group reached broad agreement.


2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?
No.The consensus was particularly rough.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)
No. There was no threat of appeal.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?
There is an implementation. XXX: Check with co-authors.

### Additional Reviews

5. Does this document need review from other IETF working groups or external
  organizations? Have those reviews occurred?
Yes. It was reviewed by EMU WG.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
N/A

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?
N/A

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.
N/A

### Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?
Yes. It is ready to be handed off to the responsible Area Director.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. Do any such issues remain that would merit specific
    attention from subsequent reviews?
No. There are no remaining issues.

11. What type of RFC publication is being requested on the IETF stream (Best
    Current Practice, Proposed Standard, Internet Standard, Informational,
    Experimental, or Historic)? Why is this the proper type of RFC? Do all
    Datatracker state attributes correctly reflect this intent?
Proposed Standard.
12. Has the interested community confirmed that any and all appropriate IPR
    disclosures required by [BCP 78][7] and [BCP 79][8] have been filed? If not,
    explain why. If yes, summarize any discussion and conclusion regarding the
    intellectual property rights (IPR) disclosures, including links to relevant
    emails.
XXX: Check with co-authors.
13. Has each Author or Contributor confirmed their willingness to be listed as
    such? If the number of Authors/Editors on the front page is greater than 5,
    please provide a justification.
XXX: Check with authors.
14. Identify any remaining I-D nits in this document. (See [the idnits tool][9]
    and the checkbox items found in Guidelines to Authors of Internet-Drafts).
    Simply running the idnits tool is not enough; please review the entire
    guidelines document.
  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

    No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == There is 1 instance of lines with non-ascii characters in the document.


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

    No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document date (27 May 2022) is 19 days in the past.  Is this
    intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

    (See RFCs 3967 and 4897 for information about using normative references
    to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '0' on line 632

  -- Looks like a reference, but probably isn't: '1' on line 629

  -- Looks like a reference, but probably isn't: '2' on line 629

  ** Downref: Normative reference to an Informational RFC: RFC 5869

  ** Downref: Normative reference to an Informational RFC: RFC 7967

  == Outdated reference: A later version (-46) exists of
    draft-ietf-ace-oauth-authz-36

  == Outdated reference: draft-ietf-core-resource-directory has been
    published as RFC 9176

  == Outdated reference: draft-ietf-emu-eap-noob has been published as RFC
    9140

  -- Obsolete informational reference (is this intentional?): RFC 6347
    (Obsoleted by RFC 9147)


    Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 5 comments (--).
15. Should any informative references be normative or vice-versa?
Yes.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?
None.

17. Are there any normative downward references (see [RFC 3967][10],
    [BCP 97][11])? If so, list them.
No.

18. Are there normative references to documents that are not ready for
    advancement or are otherwise in an unclear state? If they exist, what is the
    plan for their completion?
None.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.
No.
20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][12]).
  *  Assignment of EAP lower layer identifier.
IANA registry: https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml.
Requires expert review: Joseph Salowey. Please ask the authors to fill in the IANA
table.

  *  Assignment of the URI /.well-known/coap-eap
IANA registry: https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml.
Requires expert review: Mark Nottingham. Please ask the authors to fill in the IANA table.

  *  Assignment of the media type "application/coap-eap"

In order to move forward the draft, I am wondering if the media type registration has been filled in according to https://www.rfc-editor.org/rfc/rfc6838.html#section-5. I believe the IANA section of the document should include a template similar to this: https://datatracker.ietf.org/doc/html/rfc8613#section-13.8. I also believe it would be clear to have the exact table of the registry in the IANA section.

IANA registry: https://www.iana.org/assignments/media-types/media-types.xhtml.
Requires expert review: Ned Freed, Alexey Melnikov, Murray Kucherawy.
From RFC 6838: "registration requests can be sent to iana@iana.org". A web form for registration requests is also available: http://www.iana.org/form/media-types according to https://www.rfc-editor.org/rfc/rfc6838.html#section-5.


  *  Assignment of the content format "application/coap-eap"
IANA registry: https://www.iana.org/assignments/media-types/media-types.xhtml.
Requires expert review: Ned Freed, Alexey Melnikov, Murray Kucherawy.
Could you please send the requests to iana@iana.org ?
A web form for registration requests is also available: https://www.iana.org/form/media-types.
Please fill the IANA section with the exact table.

  *  Assignment of the resource type (rt=) "core.coap-eap"
IANA registry: https://www.iana.org/assignments/core-parameters/core-parameters.xhtml.
Requires expert review: Carsten Bormann, Jaime Jimenez, Christian Amsüss.
Could you please send the requests to iana@iana.org ?
According to https://www.rfc-editor.org/rfc/rfc6690.html#section-3.1, can you please let us know if you have followed the described procedure ?

  *  Assignment of the numbers assigned for the cipher suite
      negotiation
Can you please write down the assignment of numbers for the cipher suite negotiation ?

  *  Assignment of the numbers assigned for the numbers of the CBOR
      object in CoAP-EAP
Can you please write down the assignment of numbers of the CBOR object in CoAP-EAP ? In, particular, I would like to know the link to the IANA registry as well as the reference to the registration procedure you followed and the exact table.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp78
[8]: https://www.rfc-editor.org/info/bcp79
[9]: https://www.ietf.org/tools/idnits/
[10]: https://www.rfc-editor.org/rfc/rfc3967.html
[11]: https://www.rfc-editor.org/info/bcp97
[12]: https://www.rfc-editor.org/rfc/rfc8126.html

# Document Shepherd Writeup

*This version is dated 8 April 2022.*

Thank you for your service as a document shepherd. Among the responsibilities is
answering the questions in this writeup to give helpful context to Last Call and
Internet Engineering Steering Group ([IESG][1]) reviewers, and your diligence in
completing it, is appreciated. The full role of the shepherd is further
described in [RFC 4858][2], and informally. You will need the cooperation of
authors to complete these checks.

Note that some numbered items contain multiple related questions; please be sure
to answer all of them.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?
The Working Group reached broad agreement.


2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?
No.The consensus was particularly rough.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)
No. There was no threat of appeal.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?
There is an implementation. XXX: Check with co-authors.

### Additional Reviews

5. Does this document need review from other IETF working groups or external
  organizations? Have those reviews occurred?
Yes. It was reviewed by EMU WG.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
N/A

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?
N/A

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.
N/A

### Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?
Yes. It is ready to be handed off to the responsible Area Director.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. Do any such issues remain that would merit specific
    attention from subsequent reviews?
No. There are no remaining issues.

11. What type of RFC publication is being requested on the IETF stream (Best
    Current Practice, Proposed Standard, Internet Standard, Informational,
    Experimental, or Historic)? Why is this the proper type of RFC? Do all
    Datatracker state attributes correctly reflect this intent?
Proposed Standard.
12. Has the interested community confirmed that any and all appropriate IPR
    disclosures required by [BCP 78][7] and [BCP 79][8] have been filed? If not,
    explain why. If yes, summarize any discussion and conclusion regarding the
    intellectual property rights (IPR) disclosures, including links to relevant
    emails.
XXX: Check with co-authors.
13. Has each Author or Contributor confirmed their willingness to be listed as
    such? If the number of Authors/Editors on the front page is greater than 5,
    please provide a justification.
XXX: Check with authors.
14. Identify any remaining I-D nits in this document. (See [the idnits tool][9]
    and the checkbox items found in Guidelines to Authors of Internet-Drafts).
    Simply running the idnits tool is not enough; please review the entire
    guidelines document.
  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

    No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == There is 1 instance of lines with non-ascii characters in the document.


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

    No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document date (27 May 2022) is 19 days in the past.  Is this
    intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

    (See RFCs 3967 and 4897 for information about using normative references
    to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '0' on line 632

  -- Looks like a reference, but probably isn't: '1' on line 629

  -- Looks like a reference, but probably isn't: '2' on line 629

  ** Downref: Normative reference to an Informational RFC: RFC 5869

  ** Downref: Normative reference to an Informational RFC: RFC 7967

  == Outdated reference: A later version (-46) exists of
    draft-ietf-ace-oauth-authz-36

  == Outdated reference: draft-ietf-core-resource-directory has been
    published as RFC 9176

  == Outdated reference: draft-ietf-emu-eap-noob has been published as RFC
    9140

  -- Obsolete informational reference (is this intentional?): RFC 6347
    (Obsoleted by RFC 9147)


    Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 5 comments (--).
15. Should any informative references be normative or vice-versa?
Yes.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?
None.

17. Are there any normative downward references (see [RFC 3967][10],
    [BCP 97][11])? If so, list them.
No.

18. Are there normative references to documents that are not ready for
    advancement or are otherwise in an unclear state? If they exist, what is the
    plan for their completion?
None.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.
No.
20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][12]).
  *  Assignment of EAP lower layer identifier.
IANA registry: https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml.
Requires expert review: Joseph Salowey. Please ask the authors to fill in the IANA
table.

  *  Assignment of the URI /.well-known/coap-eap
IANA registry: https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml.
Requires expert review: Mark Nottingham. Please ask the authors to fill in the IANA table.

  *  Assignment of the media type "application/coap-eap"

In order to move forward the draft, I am wondering if the media type registration has been filled in according to https://www.rfc-editor.org/rfc/rfc6838.html#section-5. I believe the IANA section of the document should include a template similar to this: https://datatracker.ietf.org/doc/html/rfc8613#section-13.8. I also believe it would be clear to have the exact table of the registry in the IANA section.

IANA registry: https://www.iana.org/assignments/media-types/media-types.xhtml.
Requires expert review: Ned Freed, Alexey Melnikov, Murray Kucherawy.
From RFC 6838: "registration requests can be sent to iana@iana.org". A web form for registration requests is also available: http://www.iana.org/form/media-types according to https://www.rfc-editor.org/rfc/rfc6838.html#section-5.


  *  Assignment of the content format "application/coap-eap"
IANA registry: https://www.iana.org/assignments/media-types/media-types.xhtml.
Requires expert review: Ned Freed, Alexey Melnikov, Murray Kucherawy.
Could you please send the requests to iana@iana.org ?
A web form for registration requests is also available: https://www.iana.org/form/media-types.
Please fill the IANA section with the exact table.

  *  Assignment of the resource type (rt=) "core.coap-eap"
IANA registry: https://www.iana.org/assignments/core-parameters/core-parameters.xhtml.
Requires expert review: Carsten Bormann, Jaime Jimenez, Christian Amsüss.
Could you please send the requests to iana@iana.org ?
According to https://www.rfc-editor.org/rfc/rfc6690.html#section-3.1, can you please let us know if you have followed the described procedure ?

  *  Assignment of the numbers assigned for the cipher suite
      negotiation
Can you please write down the assignment of numbers for the cipher suite negotiation ?

  *  Assignment of the numbers assigned for the numbers of the CBOR
      object in CoAP-EAP
Can you please write down the assignment of numbers of the CBOR object in CoAP-EAP ? In, particular, I would like to know the link to the IANA registry as well as the reference to the registration procedure you followed and the exact table.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp78
[8]: https://www.rfc-editor.org/info/bcp79
[9]: https://www.ietf.org/tools/idnits/
[10]: https://www.rfc-editor.org/rfc/rfc3967.html
[11]: https://www.rfc-editor.org/info/bcp97
[12]: https://www.rfc-editor.org/rfc/rfc8126.html