The EAP Method update (EMU) working group in the IETF has reviewed the
document "ITU-T Recommendation X.1034" that is the subject of a liaison
statement submitted on 2008-08-06. Does the ITU-T have further plans in this
area, such as more EAP method analysis or definition? If so, perhaps more
coordination between the IETF and the ITU-T in this area is needed. The
members of EMU WG provided the following comments, which we hope are useful in
finalizing the contents of X.1034.
A. Comments on section 3.2
1. It is not clear if the definition of PFS aligns with the definition in
other documents such as from the "Handbook of applied cryptography"
2. The server compromised-based attack appears not to be an attack, but rather
a way to mitigate the server compromised attack. These definitions are not
B. Comments on section 6.1
1. In figure 1 - Replace TDP with TCP, SCP with SCTP and "UDP or IP" with "UDP
2. Throughout the document replace DIAMETER with Diameter.
3. The following sentence is misleading: "the authenticator exchanges random
numbers with the supplicant to obtain a fresh cryptographic key; thus
resulting in perfect forward secrecy." Fresh keys are not sufficient to
fulfill the criteria for PFS.
C. Comments on section 7.2 and 7.5
1. The "Prevention of domino effect or Denning Sacco attack" is a property of
the system and not specific to the EAP method.
2. Authorization is not communicated in EAP. It is communicated from the
Authentication server to the authenticator based on the identity authenticated
3. The requirement for "Protection against server compromised dictionary
attack" is not clear. If encrypted storage is all that is necessary then why
is this a property of a protocol and not just a specific implementation
4. Section 7.5 states that the appendix can be used to select from many
existing EAP methods, however section I only analyzes a small subset of EAP
D. Comments on table I-1:
General: EAP-MD5 and EAP-SRP are not widely deployed. This section claims to
analyze "well-known" EAP methods, however it only analyzes two of the many
methods that are deployed. There are EAP methods that provide additional
properties but they are not listed in the table. There are more detailed
investigations available, such as
i. EAP-SRP is not defined in RFC 2945. There is no current documentation for
an EAP-SRP (There was a draft that expired many years ago). It is not clear
what this evaluation was done against.
i. EAP-MD5 does not provide mutual authentication or resistance to dictionary
ii. EAP-MD5 does not provide protection from dictionary attacks. EAP-MD5 can
be used with passwords.
iii. In general EAP-MD5 is not very useful since it does not generate session
keys. It would be more appropriate to include EAP-GPSK.
i. EAP-TLS Can provide user identity privacy (RFC 5216, section 2.1.4)
ii. EAP-TLS provides fragmentation support
iii. EAP-TLS does not use passwords and hence it is more appropriate to say
that password-based issues are not applicable.
iv. RFC 5216 provides unique naming for keys and sessions for EAP-TLS
i. EAP-AKA provides support for user privacy
ii. EAP-AKA does not use passwords and hence it is more appropriate to say
that this issue is not applicable.
iii. RFC 5247 provides unique naming for keys and sessions in EAP-AKA
E. Comments on Bibliography
1. RFC-2716 is obsolete, EAP-TLS is defined in RFC 5216
2. draft-ietf-eapkeying-21.txt has been published as RFC 5247