Liaison statement
Response to Draft revised Recommendation ITU-T X.1034

Submission date 2010-04-02
From IETF EMU WG (J. Salowey)
To ITU-T SG 17
Response contact
Technical contact
Purpose In response
Attachments (None)
Members of the IETF EAP Method Update working group have reviewed the
revised ITU-T X.1034 document.  The following is a summary of their

1. Reviewers were not clear on the purpose of the document

Reviewers did not really understand the purpose of the document.  There
are several documents that discuss EAP method requirements and classify
EAP methods such as: RFC 4017, NIST SP 800-120. 

Is the group aware of these documents? What is this document providing
beyond what is provided in these documents?

2. Out-of-Date discussion of EAP 

The main part of the document does not include any reference to much of
the recent EAP work such as:

- RFC 5247 - Extensible Authentication Protocol (EAP) Key Management
Framework
- RFC 5296 - EAP Extensions for EAP Re-authentication Protocol (ERP)
- RFC 5295 - Specification for the Derivation of Root Keys from an
Extended Master Session Key (EMSK)

Also, in numerous places the document uses terminology specific to
802.   For example, the document discusses "types of PTK", and "group
key handshake".  Non-IEEE 802 technologies typically don't use the term
"PTK", and IEEE 802.1X-REV does not include a "group key handshake".
Moreover the "general flow of key management" described in Section 8.4
is not general at all, since this does not describe the lower layer key
management used in IKEv2 or IEEE 802.16.

3. Out-of-Date discussion of EAP-Methods

The appendices discussing EAP methods have improved; however, they still
contain many discrepancies with the state of the art.  Appendix I
claims it presents an evaluation of the most well-known EAP
EAP-SRP is abandoned work so it is not clear how this would qualify as
well-known.  EAP-MD5 cannot be used in environments that require key
generation so its evaluation is not all that useful.  Some additional
methods are discussed in Appendix III, but these are not discussed in
Appendix I.  It is not clear why there are two different appendices
or why the focus of Appendix I is mostly on obsolete or abandoned
protocols.  Appendix I does not appear to provide much value.

Appendix III contains many inaccuracies.  

- RFC 2284 was obsoleted by RFC 3748.
- EAP-SRP is abandoned work.
- There is a standards track PSK EAP method, EAP-GPSK (RFC 5433); it
would be better to include this in the analysis.
- An improved EAP-AKA mechanism has been published in RFC 5448.
- EAP-FAST is also a tunnel method.
- The PEAP internet draft has been abandoned; current documentation of
the PEAP protocol is available from Microsoft.

4. Out of date references 

- For EAP RFC 3748 should be referenced instead of RFC 2284.
- RFC 2716 has been made obsolete by RFC 5216
- The document should reference RFC 5247 - Extensible Authentication
Protocol (EAP) Key Management Framework
- The EAP-SRP reference is to an expired document
- The PEAP reference is to an expired document
- RADIUS references should include RFC 3579