Forward Secrecy for the Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA' FS)
draft-ietf-emu-aka-pfs-12
Document history
Date | Rev. | By | Action |
---|---|---|---|
2024-10-14 | 12 | (System) | RFC Editor state changed to AUTH48 |
2024-08-06 | 12 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2024-05-08 | 12 | Liz Flynn | Downref to RFC 9048 approved by Last Call for draft-ietf-emu-aka-pfs-12 |
2024-05-08 | 12 | Liz Flynn | Downref to RFC 7624 approved by Last Call for draft-ietf-emu-aka-pfs-12 |
2024-05-08 | 12 | Liz Flynn | Downref to RFC 5448 approved by Last Call for draft-ietf-emu-aka-pfs-12 |
2024-05-08 | 12 | Liz Flynn | Downref to RFC 4187 approved by Last Call for draft-ietf-emu-aka-pfs-12 |
2024-04-19 | 12 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2024-04-19 | 12 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2024-04-19 | 12 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2024-04-16 | 12 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2024-04-15 | 12 | (System) | RFC Editor state changed to EDIT |
2024-04-15 | 12 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2024-04-15 | 12 | (System) | Announcement was received by RFC Editor |
2024-04-15 | 12 | (System) | IANA Action state changed to In Progress |
2024-04-15 | 12 | Liz Flynn | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2024-04-15 | 12 | Liz Flynn | IESG has approved the document |
2024-04-15 | 12 | Liz Flynn | Closed "Approve" ballot |
2024-04-15 | 12 | Liz Flynn | Ballot approval text was generated |
2024-04-15 | 12 | (System) | Removed all action holders (IESG state changed) |
2024-04-15 | 12 | Paul Wouters | IESG state changed to Approved-announcement to be sent from Waiting for AD Go-Ahead |
2024-04-14 | 12 | Murray Kucherawy | [Ballot comment] Thanks for this work. Thanks also to Sean Turner for the ARTART review. And thanks for resolving the DISCUSS question around the document's status. The rest of my original comment is left here for reference. === Section 7: The use of "RECOMMENDED" in Section 7 is peculiar. As prescriptive interoperability or security advice, to whom does it apply? Section 8: BCP 26 strongly urges that a Specification Required registry has advice for the Designated Experts, but this document contains none. Is there nothing to say here? Francesca's point also needs attention. === Additional comments from incoming ART AD, Orie Steele: 6.5.2 > The peer identifier SHALL comply with the privacy-friendly requirements of [RFC9190]. ought to be a MUST? Section 7 > As discussed earlier (see Section 1 and Section 4.3, forward secrecy is an important countermeasure against well-resourced adversaries that who may get access to the long-term keys, see Section 1. Many of the attacks against these keys can be best dealt [mitigated] with improved processes, e.g., [restricting] limiting the access to the key material within the [a] factory or personnel, etc. But not all attacks can be entirely ruled out for well-resourced adversaries, irrespective of what the technical algorithms and protection measures are. And the likelihood of practically feasible attacks has increased. To assume that a breach is inevitable or has likely already occurred [NSA-ZT], and to minimize impact when breaches occur [NIST-ZT] are essential zero trust principles. One type of breach is key compromise or key exfiltration. I'd recommend rewording much of this section. 7.1 Perhaps there is a better word than "forget", consider "destroy", possibly with a call out defense against forensic analysis. |
2024-04-14 | 12 | Murray Kucherawy | [Ballot Position Update] Position for Murray Kucherawy has been changed to No Objection from Discuss |
2024-03-06 | 12 | (System) | IESG state changed to Waiting for AD Go-Ahead from In Last Call |
2024-03-05 | 12 | (System) | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2024-03-05 | 12 | David Dong | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: IANA has completed its review of draft-ietf-emu-aka-pfs-12; we had previously reviewed draft-ietf-emu-aka-pfs-11 as well. If any part of this review is inaccurate, please let us know. IANA understands that, upon approval of this document, there are two actions which we must complete. First, in the Attribute Types (Skippable Attributes 128-255) registry in the EAP-AKA and EAP-SIM Parameters registry group located at: https://www.iana.org/assignments/eapsimaka-numbers/ two new registrations are to be made as follows: Value: [ TBD-at-Registration ] Description: AT_PUB_ECDHE Reference: [ RFC-to-be ] Value: [ TBD-at-Registration ] Description: AT_KDF_FS Reference: [ RFC-to-be ] This document requests registrations in an Expert Review or Specification Required (see RFC 8126) registry; we had previously completed the required Expert Review. Second, a new registry is to be created called the EAP-AKA' AT_KDF_FS Key Derivation Function Values registry. The new registry is to be located on the EAP-AKA and EAP-SIM Parameters registry page located at: https://www.iana.org/assignments/eapsimaka-numbers/ The new registry will be managed via Specification Required as defined in RFC 8126. There are initial registrations in the new registry as follows: Value Description Reference 0 Reserved [ RFC-to-be ] 1 EAP-AKA' with ECDHE and X25519 [ RFC-to-be ] 2 EAP-AKA' with ECDHE and P-256 [ RFC-to-be ] 3-65535 Unassigned We understand that these are the only actions required to be completed upon approval of this document. NOTE: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. For definitions of IANA review states, please see: https://datatracker.ietf.org/help/state/draft/iana-review Thank you, David Dong IANA Services Sr. Specialist |
2024-02-21 | 12 | Cindy Morgan | The following Last Call announcement was sent out (ends 2024-03-06): From: The IESG To: IETF-Announce CC: draft-ietf-emu-aka-pfs@ietf.org, emu-chairs@ietf.org, emu@ietf.org, paul.wouters@aiven.io, peter@akayla.com Reply-To: last-call@ietf.org Sender: Subject: Last Call: (Forward Secrecy for the Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA' FS)) to Proposed Standard The IESG has received a request from the EAP Method Update WG (emu) to consider the following document: - 'Forward Secrecy for the Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA' FS)' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2024-03-06. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document updates RFC 9048, the improved Extensible Authentication Protocol Method for 3GPP Mobile Network Authentication and Key Agreement (EAP-AKA'), with an optional extension providing ephemeral key exchange. Similarly, this document also updates the earlier version of the EAP-AKA' specification in RFC 5448. The extension EAP-AKA' Forward Secrecy (EAP-AKA' FS), when negotiated, provides forward secrecy for the session keys generated as a part of the authentication run in EAP-AKA'. This prevents an attacker who has gained access to the long-term key from obtaining session keys established in the past, assuming these have been properly deleted. In addition, EAP-AKA' FS mitigates passive attacks (e.g., large scale pervasive monitoring) against future sessions. This forces attackers to use active attacks instead. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-emu-aka-pfs/ The following IPR Declarations may be related to this I-D: https://datatracker.ietf.org/ipr/3097/ https://datatracker.ietf.org/ipr/3098/ The document contains these normative downward references. See RFC 3967 for additional information: rfc4187: Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) (Informational - Internet Engineering Task Force (IETF)) rfc5448: Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA') (Informational - Internet Engineering Task Force (IETF)) rfc7624: Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement (Informational - Internet Architecture Board (IAB)) rfc9048: Improved Extensible Authentication Protocol Method for 3GPP Mobile Network Authentication and Key Agreement (EAP-AKA') (Informational - Internet Engineering Task Force (IETF)) |
2024-02-21 | 12 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2024-02-21 | 12 | Cindy Morgan | Last call announcement was generated |
2024-02-21 | 12 | Paul Wouters | Last call was requested |
2024-02-21 | 12 | Paul Wouters | IESG state changed to Last Call Requested from IESG Evaluation::AD Followup |
2024-02-21 | 12 | Paul Wouters | Last call announcement was changed |
2024-02-21 | 12 | Paul Wouters | Intended Status changed to Proposed Standard from Informational |
2024-02-19 | 12 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2024-02-19 | 12 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-12.txt |
2024-02-19 | 12 | Jari Arkko | New version accepted (logged-in submitter: Jari Arkko) |
2024-02-19 | 12 | Jari Arkko | Uploaded new revision |
2024-01-18 | 11 | Cindy Morgan | IESG state changed to IESG Evaluation::AD Followup from IESG Evaluation |
2024-01-18 | 11 | Robert Wilton | [Ballot comment] Hi, Thanks for this document, just one relatively minor suggestion. I suggest dropping the first paragraph of the abstract and just keep the second. The first paragraph seems to be about justifying why this document exists which I think is much better placed in the introduction, or a background subsection of the introduction. This shortens the abstract to just describing what the document is. Regards, Rob |
2024-01-18 | 11 | Robert Wilton | [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton |
2024-01-17 | 11 | Murray Kucherawy | [Ballot comment] Thanks for this work. Thanks also to Sean Turner for the ARTART review. Section 7: The use of "RECOMMENDED" in Section 7 is peculiar. As prescriptive interoperability or security advice, to whom does it apply? Section 8: BCP 26 strongly urges that a Specification Required registry has advice for the Designated Experts, but this document contains none. Is there nothing to say here? Francesca's point also needs attention. === Additional comments from incoming ART AD, Orie Steele: 6.5.2 > The peer identifier SHALL comply with the privacy-friendly requirements of [RFC9190]. ought to be a MUST? Section 7 > As discussed earlier (see Section 1 and Section 4.3, forward secrecy is an important countermeasure against well-resourced adversaries that who may get access to the long-term keys, see Section 1. Many of the attacks against these keys can be best dealt [mitigated] with improved processes, e.g., [restricting] limiting the access to the key material within the [a] factory or personnel, etc. But not all attacks can be entirely ruled out for well-resourced adversaries, irrespective of what the technical algorithms and protection measures are. And the likelihood of practically feasible attacks has increased. To assume that a breach is inevitable or has likely already occurred [NSA-ZT], and to minimize impact when breaches occur [NIST-ZT] are essential zero trust principles. One type of breach is key compromise or key exfiltration. I'd recommend rewording much of this section. 7.1 Perhaps there is a better word than "forget", consider "destroy", possibly with a call out defense against forensic analysis. |
2024-01-17 | 11 | Murray Kucherawy | Ballot comment text updated for Murray Kucherawy |
2024-01-17 | 11 | Roman Danyliw | [Ballot comment] Thank you to Carl Wallace for the SECDIR review. ** Section 1. Editorial However, the danger of resourceful attackers attempting to gain information about long-term keys is still a concern because many people use the service and these keys are high-value targets. What service? Could this text be clearer? ** Section 1. Editorial. While strong protection of manufacturing and other processes is essential in mitigating the risks, there is one question that we as protocol designers can ask. Is there something that we can do to limit the consequences of attacks, should they occur? I’m not sure what this paragraph adds. Consider if it is really needed. ** Section 1. Editorial. This document specifies an extension that helps defend against one aspect of pervasive surveillance. This is important, given the large number of users such practices may affect. It is also a stated goal of the IETF to ensure that we understand the surveillance concerns related to IETF protocols and take appropriate countermeasures [RFC7258]. This text largely repeats what was said in the paragraph before last (which also cited RFC7258). Consider if it is really needed. ** Section 1. While optional, the use of this extension is strongly recommended. Is this something better left to 3GPP in their profiling of this work? ** Section 1. Editorial Forward secrecy [DOW1992] is on the list of features for the next release of 3GPP (5G Phase 2) -- “Forward Secrecy” has been used multiple times by this point in the text. Why is the reference introduced here instead of on first use? -- Can an informative reference be provided for “5G Phase 2”? ** Section 3. The use of this extension is at the discretion of the authenticating parties. Wasn’t this more strongly worded in Section 1 (i.e., “While optional, the use of this extension is strongly recommended.”). Does it need to be repeated? ** Section 3. Editorial. It should be noted that FS and defenses against passive attacks do not solve all problems, but they can provide a partial defense that increases the cost and risk associated with pervasive surveillance. Hasn’t this already been said in Section 1 (i.e., “This prevents an attacker who has ...”) ** Section 6.4 The term "support" here means that the group MUST be implemented and MUST be possible to use during a protocol run. What is a “protocol run”? Could it be turned off with configuration? ** Section 7. It is RECOMMENDED that EAP-AKA methods without forward secrecy be phased out in the long term. It is not clear what this means to implementers. What is “long term”? ** Section 7. Typo. s/comprimised/compromised/ ** Section 7. Editorial. In the spirit of more precise and inclusive language, consider if the term “Man in the Middle” can be replaced with another term. |
2024-01-17 | 11 | Roman Danyliw | [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw |
2024-01-17 | 11 | Warren Kumari | [Ballot comment] Thank you for this document, and also to Bo Wu for the OpsDir review: https://datatracker.ietf.org/doc/review-ietf-emu-aka-pfs-10-opsdir-lc-wu-2023-03-20/ I'll note that the document was updated 10 July 2023, after the OpsDir review (10 March 2023), but the (IMO) very reasonable suggestions were not taken: "With only IETF technical background, it seems more readable if UICC, HSS can expand on the first-time use." I hope / trust the authors will consider and address these. |
2024-01-17 | 11 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2024-01-17 | 11 | Murray Kucherawy | [Ballot comment] Thanks for this work. Thanks also to Sean Turner for the ARTART review. Section 7: The use of "RECOMMENDED" in Section 7 is peculiar. As prescriptive interoperability or security advice, to whom does it apply? Section 8: BCP 26 strongly urges that a Specification Required registry has advice for the Designated Experts, but this document contains none. Is there nothing to say here? Francesca's point also needs attention. |
2024-01-17 | 11 | Murray Kucherawy | Ballot comment text updated for Murray Kucherawy |
2024-01-17 | 11 | Murray Kucherawy | [Ballot discuss] [For the IESG to discuss] Further to Eric's point, I don't follow why this document, which specifies a protocol with interoperability properties, isn't a Proposed Standard. I get that it's updating/based on previous Informational documents, but it seems to me the fact that the original documents were Informational was done in error because they're a Technical Specification as defined by BCP 9. The fact that it describes an optional extension also doesn't mean it's not a Technical Specification. |
2024-01-17 | 11 | Murray Kucherawy | [Ballot comment] Thanks for this work. Thanks also to Sean Turner for the ARTART review. Section 7: The use of "RECOMMENDED" in Section 7 is peculiar. As prescriptive interoperability or security advice, to whom does it apply? Section 8: BCP 26 strongly urges that a Specification Required registry has advice for the Designated Experts, but this document contains none. Is there nothing to say here? |
2024-01-17 | 11 | Murray Kucherawy | [Ballot Position Update] New position, Discuss, has been recorded for Murray Kucherawy |
2024-01-17 | 11 | Jim Guichard | [Ballot Position Update] New position, No Objection, has been recorded for Jim Guichard |
2024-01-17 | 11 | John Scudder | [Ballot Position Update] New position, No Objection, has been recorded for John Scudder |
2024-01-17 | 11 | Zaheduzzaman Sarker | [Ballot Position Update] New position, No Objection, has been recorded for Zaheduzzaman Sarker |
2024-01-17 | 11 | Éric Vyncke | [Ballot comment] As usual, I wonder why an informational document uses BCP 14 normative language. |
2024-01-17 | 11 | Éric Vyncke | [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke |
2024-01-17 | 11 | Francesca Palombini | [Ballot comment] Thank you for the work on this document. Many thanks to Sean Turner for his ART ART review: https://mailarchive.ietf.org/arch/msg/art/Aua-Uh5CRr9oDEIanfD6qw8WqVM/. I only have two very minor comments. Section 6.1: AT_PUB_ECDHE. The way Length is defined in RFC4187 (specifying the length of the attribute in multiple of 4 bytes), and given the length of the ECDHE public key in the attribute value (currently 32 or 33 bytes), you probably should mention something about padding. I expect something analogous to what RFC4187 defines for AT_IDENTITY "Because the length of the attribute must be a multiple of 4 bytes, the sender pads the identity with zero bytes when necessary." Section 8: IANA Considerations. The section doesn't spell out the fields of the "EAP-AKA' AT_KDF_FS Key Derivation Function Values" registry (Value, Description, Reference), although those are pretty obvious from the table itself. What I think is really missing is the expert guidelines - as RFC8126 specifies, the policy "Specification required" still requires review and approval by a designated expert. "As with Expert Review, clear guidance to the designated expert should be provided when defining the registry". What criteria is the expert supposed to base their decision on when deciding if a new value should be registered? |
2024-01-17 | 11 | Francesca Palombini | [Ballot Position Update] New position, No Objection, has been recorded for Francesca Palombini |
2024-01-16 | 11 | Martin Duke | [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke |
2024-01-14 | 11 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
2024-01-11 | 11 | Cindy Morgan | Placed on agenda for telechat - 2024-01-18 |
2024-01-11 | 11 | Paul Wouters | Ballot has been issued |
2024-01-11 | 11 | Paul Wouters | [Ballot Position Update] New position, Yes, has been recorded for Paul Wouters |
2024-01-11 | 11 | Paul Wouters | Created "Approve" ballot |
2024-01-11 | 11 | (System) | Changed action holders to Paul Wouters (IESG state changed) |
2024-01-11 | 11 | Paul Wouters | IESG state changed to IESG Evaluation from Waiting for Writeup |
2024-01-11 | 11 | Paul Wouters | Ballot writeup was changed |
2024-01-11 | 11 | (System) | Removed all action holders (IESG state changed) |
2024-01-11 | 11 | Paul Wouters | IESG state changed to Waiting for Writeup from Waiting for Writeup::Revised I-D Needed |
2023-09-14 | 11 | (System) | Changed action holders to Jari Arkko, Karl Norrman, John Preuß Mattsson (IESG state changed) |
2023-09-14 | 11 | Paul Wouters | IESG state changed to Waiting for Writeup::Revised I-D Needed from Waiting for Writeup |
2023-08-04 | 11 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK |
2023-08-04 | 11 | David Dong | IANA Experts State changed to Expert Reviews OK from Reviews assigned |
2023-08-04 | 11 | David Dong | I have reviewed the proposed registration in draft-ietf-emu-aka-pfs and it seems ok to me. In addition, I noticed one typo in the IANA considerations section (8). The text: This extension of EAP-AKA' shares its attribute space and subtypes with Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM) [RFC4186], EAP-AKA [RFC4186], and EAP-AKA' [RFC9048]. has a wrong RFC number for EAP-AKA. It should be " EAP-AKA [RFC4187]". Br, Vesa |
2023-08-01 | 11 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2023-07-27 | 11 | David Dong | IANA Experts State changed to Reviews assigned from Expert Reviews OK |
2023-07-27 | 11 | (System) | IANA Review state changed to IANA - Not OK from Version Changed - Review Needed |
2023-07-27 | 11 | David Dong | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-ietf-emu-aka-pfs-11. If any part of this review is inaccurate, please let us know. The IANA Functions Operator understands that, upon approval of this document, there are two actions which we must complete. First, in the Attribute Types (Skippable Attributes 128-255) registry on the EAP-AKA and EAP-SIM Parameters registry page located at: https://www.iana.org/assignments/eapsimaka-numbers/ two new values are to be registered as follows: Value: [ TBD-at-registration ] Description: AT_PUB_ECDHE Reference: [ RFC-to-be ] Value: [ TBD-at-registration ] Description: AT_KDF_FS Reference: [ RFC-to-be ] As this document requests registrations in an Expert Review or Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." Second, a new registry is to be created called the EAP-AKA' AT_KDF_FS Key Derivation Function Values registry. The new registry will be created on the EAP-AKA and EAP-SIM Parameters registry page located at: https://www.iana.org/assignments/eapsimaka-numbers/ The new registry will be managed via Specification Required as defined by [ RFC8126 ]. There are initial registrations in the new registry as follows: Value Description Reference -------+-------------------------------+------------- 0 Reserved [ RFC-to-be ] 1 EAP-AKA' with ECDHE and X25519 [ RFC-to-be ] 2 EAP-AKA' with ECDHE and P-256 [ RFC-to-be ] 3-65535 Unassigned [ RFC-to-be ] The IANA Functions Operator understands that these two actions are the only ones required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. For definitions of IANA review states, please see: https://datatracker.ietf.org/help/state/draft/iana-review Thank you, David Dong IANA Services Specialist |
2023-07-11 | 11 | Cindy Morgan | The following Last Call announcement was sent out (ends 2023-08-01): From: The IESG To: IETF-Announce CC: draft-ietf-emu-aka-pfs@ietf.org, emu-chairs@ietf.org, emu@ietf.org, paul.wouters@aiven.io, peter@akayla.com Reply-To: last-call@ietf.org Sender: Subject: Last Call: (Forward Secrecy for the Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA' FS)) to Informational RFC The IESG has received a request from the EAP Method Update WG (emu) to consider the following document: - 'Forward Secrecy for the Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA' FS)' as Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2023-08-01. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract Many different attacks have been reported as part of revelations associated with pervasive surveillance. Some of the reported attacks involved compromising the smart card supply chain, such as attacking Universal Subscriber Identity Module (USIM) card manufacturers and operators in an effort to compromise long-term keys stored on these cards. Since the publication of those reports, manufacturing and provisioning processes have received much scrutiny and have improved. However, resourceful attackers are always a cause for concern. Always assuming a breach, such as long-term key compromise, and minimizing the impact of breach are essential zero trust principles. This document updates RFC 9048, the improved Extensible Authentication Protocol Method for 3GPP Mobile Network Authentication and Key Agreement (EAP-AKA'), with an optional extension providing ephemeral key exchange. Similarly, this document also updates the earlier version of the EAP-AKA' specification in RFC 5448. The extension EAP-AKA' Forward Secrecy (EAP-AKA' FS), when negotiated, provides forward secrecy for the session keys generated as a part of the authentication run in EAP-AKA'. This prevents an attacker who has gained access to the long-term key from obtaining session keys established in the past, assuming these have been properly deleted. In addition, EAP-AKA' FS mitigates passive attacks (e.g., large scale pervasive monitoring) against future sessions. This forces attackers to use active attacks instead. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-emu-aka-pfs/ The following IPR Declarations may be related to this I-D: https://datatracker.ietf.org/ipr/3097/ https://datatracker.ietf.org/ipr/3098/ |
2023-07-11 | 11 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2023-07-11 | 11 | Cindy Morgan | Last call announcement was changed |
2023-07-11 | 11 | Paul Wouters | Last call was requested |
2023-07-11 | 11 | (System) | Changed action holders to Paul Wouters (IESG state changed) |
2023-07-11 | 11 | Paul Wouters | IESG state changed to Last Call Requested from Waiting for Writeup::AD Followup |
2023-07-11 | 11 | Paul Wouters | Last call announcement was generated |
2023-07-11 | 11 | Paul Wouters | Changed consensus to Yes from Unknown |
2023-07-10 | 11 | (System) | Changed action holders to Vesa Torvinen, Paul Wouters (IESG state changed) |
2023-07-10 | 11 | (System) | Sub state has been changed to AD Followup from Revised I-D Needed |
2023-07-10 | 11 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2023-07-10 | 11 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-11.txt |
2023-07-10 | 11 | Jari Arkko | New version accepted (logged-in submitter: Jari Arkko) |
2023-07-10 | 11 | Jari Arkko | Uploaded new revision |
2023-05-03 | 10 | (System) | Changed action holders to Jari Arkko, Karl Norrman, Vesa Torvinen, John Preuß Mattsson, Paul Wouters (IESG state changed) |
2023-05-03 | 10 | Paul Wouters | IESG state changed to Waiting for Writeup::Revised I-D Needed from Waiting for Writeup |
2023-05-03 | 10 | Paul Wouters | Hi authors, Can you respond to Sean Turner's nits and maybe push out a -11 update? See https://www.spinics.net/lists/ietf/msg115454.html Then I think we are ready to let the IESG ballot |
2023-03-20 | 10 | Bo Wu | Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Bo Wu. Sent review to list. |
2023-03-17 | 10 | Jean Mahoney | Closed request for Last Call review by GENART with state 'Overtaken by Events' |
2023-03-14 | 10 | Carl Wallace | Request for Last Call review by SECDIR Completed: Ready. Reviewer: Carl Wallace. Sent review to list. |
2023-03-14 | 10 | Sean Turner | Request for Last Call review by ARTART Completed: Ready with Nits. Reviewer: Sean Turner. Sent review to list. |
2023-03-14 | 10 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK |
2023-03-14 | 10 | David Dong | IANA Experts State changed to Expert Reviews OK from Reviews assigned |
2023-03-13 | 10 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2023-03-12 | 10 | Linda Dunbar | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Linda Dunbar. Sent review to list. |
2023-03-03 | 10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Linda Dunbar |
2023-03-03 | 10 | Barry Leiba | Request for Last Call review by ARTART is assigned to Sean Turner |
2023-03-02 | 10 | David Schinazi | Assignment of request for Last Call review by GENART to David Schinazi was rejected |
2023-03-02 | 10 | Jean Mahoney | Request for Last Call review by GENART is assigned to David Schinazi |
2023-03-01 | 10 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Bo Wu |
2023-02-28 | 10 | David Dong | IANA Experts State changed to Reviews assigned |
2023-02-28 | 10 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2023-02-28
|
10 | David Dong | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-ietf-emu-aka-pfs-10. If any part of this review is inaccurate, please let us know. The IANA Functions Operator understands that, upon approval of this document, there are two actions which we must complete. First, in the Attribute Types (Skippable Attributes 128-255) registry on the EAP-AKA and EAP-SIM Parameters registry page located at: https://www.iana.org/assignments/eapsimaka-numbers/ two, new registrations are to be made as follows:
Value: [ TBD-at-Registration ] Description: AT_PUB_ECDH Reference: [ RFC-to-be ]
Value: [ TBD-at-Registration ] Description: AT_KDF_FS Reference: [ RFC-to-be ]
As this document requests registrations in an Expert Review or Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." Second, a new registry is to be created called the EAP-AKA' AT_KDF_FS Key Derivation Function Values registry. The new registry will be managed via Specification Required as defined in [RFC8126]. The new registry will be located on the EAP-AKA and EAP-SIM Parameters registry page located at: https://www.iana.org/assignments/eapsimaka-numbers/ Initial registrations in the new registry are as follows:
Value     Description                      Reference
-------+-------------------------------+-------------
0         Reserved                         [ RFC-to-be ]
1         EAP-AKA' with ECDHE and X25519   [ RFC-to-be ]
2         EAP-AKA' with ECDHE and P-256    [ RFC-to-be ]
3-65535   Unassigned                       [ RFC-to-be ]
The IANA Functions Operator understands that these two actions are the only ones required to be completed upon approval of this document.
Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. For definitions of IANA review states, please see: https://datatracker.ietf.org/help/state/draft/iana-review Thank you, David Dong IANA Services Specialist |
2023-02-28
|
10 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Carl Wallace |
2023-02-27
|
10 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2023-02-27
|
10 | Amy Vezza | The following Last Call announcement was sent out (ends 2023-03-13):
From: The IESG
To: IETF-Announce
CC: draft-ietf-emu-aka-pfs@ietf.org, emu-chairs@ietf.org, emu@ietf.org, paul.wouters@aiven.io, peter@akayla.com
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call: (Forward Secrecy for the Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA' FS)) to Informational RFC
The IESG has received a request from the EAP Method Update WG (emu) to consider the following document: - 'Forward Secrecy for the Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA' FS)' as Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2023-03-13. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.
Abstract
Many different attacks have been reported as part of revelations associated with pervasive surveillance. Some of the reported attacks involved compromising the smart card supply chain, such as attacking SIM card manufacturers and operators in an effort to compromise shared secrets stored on these cards. Since the publication of those reports, manufacturing and provisioning processes have gained much scrutiny and have improved. However, the danger of resourceful attackers for these systems is still a concern. Always assuming breach such as key compromise and minimizing the impact of breach are essential zero-trust principles.
This specification updates RFC 9048, the improved Extensible Authentication Protocol Method for 3GPP Mobile Network Authentication and Key Agreement (EAP-AKA'), with an optional extension. Similarly, this specification also updates the earlier version of the EAP-AKA' specification in RFC 5448. The extension, when negotiated, provides Forward Secrecy for the session key generated as a part of the authentication run in EAP-AKA'. This prevents an attacker who has gained access to the long-term pre-shared secret in a Subscriber Identity Module (SIM) card from being able to decrypt any past communications. In addition, if the attacker stays merely a passive eavesdropper, the extension prevents attacks against future sessions. This forces attackers to use active attacks instead. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-emu-aka-pfs/ The following IPR Declarations may be related to this I-D: https://datatracker.ietf.org/ipr/3097/ https://datatracker.ietf.org/ipr/3098/ |
2023-02-27
|
10 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
2023-02-27
|
10 | Amy Vezza | Last call announcement was changed |
2023-02-26
|
10 | Paul Wouters | Last call was requested |
2023-02-26
|
10 | Paul Wouters | Ballot approval text was generated |
2023-02-26
|
10 | Paul Wouters | Ballot writeup was generated |
2023-02-26
|
10 | (System) | Changed action holders to Paul Wouters (IESG state changed) |
2023-02-26
|
10 | Paul Wouters | IESG state changed to Last Call Requested from Publication Requested |
2023-02-26
|
10 | Paul Wouters | Last call announcement was generated |
2023-02-01
|
10 | Peter Yee | # Document Shepherd Write-Up for Group Documents *This version is dated 4 July 2022.* ## Document History 1. Does the working group (WG) consensus represent the strong concurrence of a few individuals, with others being silent, or did it reach broad agreement? This document reflects strong consensus from members of the working group interested in improving the EAP-AKA' method. 2. Was there controversy about particular points, or were there decisions where the consensus was particularly rough? Consensus was strong. There were zero objections raised to moving this work forward. 3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No threats or extreme discontent have been offered. 4. For protocol documents, are there existing implementations of the contents of the document? Have a significant number of potential implementers indicated plans to implement? Are any existing implementations reported somewhere, either in the document itself (as [RFC 7942][3] recommends) or elsewhere (where)? There is at least one closed-source implementation of this specification. The authors have indicated business interest in implementing this specification in the near future. ## Additional Reviews 5. Do the contents of this document closely interact with technologies in other IETF working groups or external organizations, and would it therefore benefit from their review? Have those reviews occurred? If yes, describe which reviews took place. This document is built on AKA, but it does not modify AKA. 
3GPP, which specifies AKA and uses the underlying RFC 5448 and 9048, have seen this work and provided feedback. 6. Describe how the document meets any required formal expert review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. NA 7. If the document contains a YANG module, has the final version of the module been checked with any of the [recommended validation tools][4] for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in [RFC 8342][5]? NA 8. Describe reviews and automated checks performed to validate sections of the final version of the document written in a formal language, such as XML code, BNF rules, MIB definitions, CBOR's CDDL, etc. NA ## Document Shepherd Checks 9. Based on the shepherd's review of the document, is it their opinion that this document is needed, clearly written, complete, correctly designed, and ready to be handed off to the responsible Area Director? Yes. This document directly addresses a demonstrated security threat. It's a clear update to RFC 9048, yet it retains backward compatibility. The use of ECDHE in the document appears correct. The document is ready for the responsible AD's review. 10. Several IETF Areas have assembled [lists of common issues that their reviewers encounter][6]. For which areas have such issues been identified and addressed? For which does this still need to happen in subsequent reviews? The security area issues list has been reviewed by the shepherd. The document has not yet been reviewed by the security area directorate. 11. What type of RFC publication is being requested on the IETF stream ([Best Current Practice][12], [Proposed Standard, Internet Standard][13], [Informational, Experimental or Historic][14])? Why is this the proper type of RFC? 
Do all Datatracker state attributes correctly reflect this intent? The document is requesting publication as Informational. It updates only two Informational documents (RFC 5448, 9048). Informational status seems the most suitable as the documents being updated are themselves Informational, and this document specifies a common but optional means to add forward secrecy to the underlying EAP method (EAP-AKA'). 12. Have reasonable efforts been made to remind all authors of the intellectual property rights (IPR) disclosure obligations described in [BCP 79][7]? To the best of your knowledge, have all required disclosures been filed? If not, explain why. If yes, summarize any relevant discussion, including links to publicly-available messages when applicable. Yes. There are two IPR disclosures in the datatracker for this document. See: https://datatracker.ietf.org/ipr/search/?submit=draft&id=draft-ietf-emu-aka-pfs These IPR disclosures were also called out during WGLC, but did not elicit any concerns. 13. Has each author, editor, and contributor shown their willingness to be listed as such? If the total number of authors and editors on the front page is greater than five, please provide a justification. Yes. The three authors are colleagues and all are willing to be noted as authors. A fourth author listed in earlier versions of the I-D requested to be removed from the authors list. (This will be seen when a -11 version is posted.) 14. Document any remaining I-D nits in this document. Simply running the [idnits tool][8] is not enough; please review the ["Content Guidelines" on authors.ietf.org][15]. (Also note that the current idnits tool generates some incorrect warnings; a rewrite is underway.) The draft has been reviewed for nits. The content guidelines have been reviewed against this document as well. 15. Should any informative references be normative or vice-versa? See the [IESG Statement on Normative and Informative References][16]. 
The informative and normative references look appropriate. 16. List any normative references that are not freely available to anyone. Did the community have sufficient access to review any such normative references? All the normative references are freely available. 17. Are there any normative downward references (see [RFC 3967][9] and [BCP 97][10]) that are not already listed in the [DOWNREF registry][17]? If so, list them. No 18. Are there normative references to documents that are not ready to be submitted to the IESG for publication or are otherwise in an unclear state? If so, what is the plan for their completion? No 19. Will publication of this document change the status of any existing RFCs? If so, does the Datatracker metadata correctly reflect this and are those RFCs listed on the title page, in the abstract, and discussed in the introduction? If not, explain why and point to the part of the document where the relationship of this document to these other RFCs is discussed. The document updates, but does not change the status of any existing RFCs. 20. Describe the document shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all aspects of the document requiring IANA assignments are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that each newly created IANA registry specifies its initial contents, allocations procedures, and a reasonable name (see [RFC 8126][11]). The document adds two values to the existing registry for EAP-AKA and EAP-SIM Parameters in the Attribute Types (Skippable Attributes 128-255) section. It also creates a new registry for "EAP-AKA' AT_KDF_FS Key Derivation Function Values" under the EAP-AKA and EAP-SIM Parameters with Specification Required and initial contents provided. 21. 
List any new IANA registries that require Designated Expert Review for future allocations. Are the instructions to the Designated Expert clear? Please include suggestions of designated experts, if appropriate. No new registries that require Designated Expert Review. [1]: https://www.ietf.org/about/groups/iesg/ [2]: https://www.rfc-editor.org/rfc/rfc4858.html [3]: https://www.rfc-editor.org/rfc/rfc7942.html [4]: https://trac.ietf.org/trac/ops/wiki/yang-review-tools [5]: https://www.rfc-editor.org/rfc/rfc8342.html [6]: https://trac.ietf.org/trac/iesg/wiki/ExpertTopics [7]: https://www.rfc-editor.org/info/bcp79 [8]: https://www.ietf.org/tools/idnits/ [9]: https://www.rfc-editor.org/rfc/rfc3967.html [10]: https://www.rfc-editor.org/info/bcp97 [11]: https://www.rfc-editor.org/rfc/rfc8126.html [12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5 [13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1 [14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2 [15]: https://authors.ietf.org/en/content-guidelines-overview [16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/ [17]: https://datatracker.ietf.org/doc/downref/ |
2023-02-01
|
10 | Peter Yee | Responsible AD changed to Paul Wouters |
2023-02-01
|
10 | Peter Yee | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2023-02-01
|
10 | Peter Yee | IESG state changed to Publication Requested from I-D Exists |
2023-02-01
|
10 | Peter Yee | Document is now in IESG state Publication Requested |
2023-02-01
|
10 | Peter Yee | Intended Status changed to Informational from None |
2023-02-01
|
10 | Peter Yee | Notification list changed to peter@akayla.com because the document shepherd was set |
2023-02-01
|
10 | Peter Yee | Document shepherd changed to Peter E. Yee |
2023-01-26
|
10 | John Preuß Mattsson | New version available: draft-ietf-emu-aka-pfs-10.txt |
2023-01-26
|
10 | John Preuß Mattsson | New version accepted (logged-in submitter: John Preuß Mattsson) |
2023-01-26
|
10 | John Preuß Mattsson | Uploaded new revision |
2023-01-21
|
09 | John Preuß Mattsson | New version available: draft-ietf-emu-aka-pfs-09.txt |
2023-01-21
|
09 | John Preuß Mattsson | New version accepted (logged-in submitter: John Preuß Mattsson) |
2023-01-21
|
09 | John Preuß Mattsson | Uploaded new revision |
2023-01-01
|
08 | Peter Yee | IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call |
2022-10-23
|
08 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-08.txt |
2022-10-23
|
08 | Jari Arkko | New version accepted (logged-in submitter: Jari Arkko) |
2022-10-23
|
08 | Jari Arkko | Uploaded new revision |
2022-08-16
|
07 | Joseph Salowey | IETF WG state changed to In WG Last Call from WG Document |
2022-07-11
|
07 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-07.txt |
2022-07-11
|
07 | Jari Arkko | New version accepted (logged-in submitter: Jari Arkko) |
2022-07-11
|
07 | Jari Arkko | Uploaded new revision |
2022-03-07
|
06 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-06.txt |
2022-03-07
|
06 | (System) | New version accepted (logged-in submitter: Jari Arkko) |
2022-03-07
|
06 | Jari Arkko | Uploaded new revision |
2021-05-03
|
05 | (System) | Document has expired |
2020-10-30
|
05 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-05.txt |
2020-10-30
|
05 | (System) | New version accepted (logged-in submitter: Jari Arkko) |
2020-10-30
|
05 | Jari Arkko | Uploaded new revision |
2020-05-25
|
04 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-04.txt |
2020-05-25
|
04 | (System) | New version accepted (logged-in submitter: Jari Arkko) |
2020-05-25
|
04 | Jari Arkko | Uploaded new revision |
2020-05-22
|
03 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-03.txt |
2020-05-22
|
03 | (System) | New version accepted (logged-in submitter: Jari Arkko) |
2020-05-22
|
03 | Jari Arkko | Uploaded new revision |
2020-05-21
|
02 | Mohit Sethi | Added to session: interim-2020-emu-01 |
2020-05-20
|
02 | (System) | Document has expired |
2019-11-17
|
02 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-02.txt |
2019-11-17
|
02 | (System) | New version accepted (logged-in submitter: Jari Arkko) |
2019-11-17
|
02 | Jari Arkko | Uploaded new revision |
2019-11-07
|
01 | Mohit Sethi | Added to session: IETF-106: emu Mon-1550 |
2019-11-04
|
01 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-01.txt |
2019-11-04
|
01 | (System) | New version accepted (logged-in submitter: Jari Arkko) |
2019-11-04
|
01 | Jari Arkko | Uploaded new revision |
2019-07-25
|
00 | Joseph Salowey | This document now replaces draft-arkko-eap-aka-pfs instead of None |
2019-07-25
|
00 | Jari Arkko | New version available: draft-ietf-emu-aka-pfs-00.txt |
2019-07-25
|
00 | (System) | WG -00 approved |
2019-07-25
|
00 | Jari Arkko | Set submitter to "Jari Arkko", replaces to draft-arkko-eap-aka-pfs and sent approval email to group chairs: emu-chairs@ietf.org |
2019-07-25
|
00 | Jari Arkko | Uploaded new revision |