IETF Logo Mail Archive

[auth48] Re: AUTH48: RFC-to-be 9965 <draft-ietf-emu-eap-arpa-10> for your review

Alan DeKok <alan.dekok@inkbridge.io> Wed, 29 April 2026 11:46 UTC

Return-Path: <alan.dekok@inkbridge.io>
X-Original-To: auth48archive@mail2.ietf.org
Delivered-To: auth48archive@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 49876E598A3D; Wed, 29 Apr 2026 04:46:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1777463219; bh=7+jrEw89wsh/A1bMro1WALTFlOkzBqCaQkumpt2n+EY=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=mSV7Sfy2zEZrij2Px+V1YqRUxD2K+bMP+gQ+41mfT3BaY8X5vD3/qaiMRB1TKTI6A vQz+FPCSL+jpI0gCEBTJyTL95z1TWgeD+r3z3aNS1Ag4h7BFr1JAKdv42sQtzxEkes 6zJcGg9ca/j8Q5YFoZmXYYjyz8L51GzL+AWDIS5k=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=inkbridge.io header.b="O/iKODHu"; dkim=pass (2048-bit key) header.d=inkbridge.io header.b="auPP09Ik"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TymNZWDwhvw0; Wed, 29 Apr 2026 04:46:58 -0700 (PDT)
Received: from mail2.networkradius.com (mail2.networkradius.com [184.95.211.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1119DE5989FE; Wed, 29 Apr 2026 04:46:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=inkbridge.io; s=sep2024; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Z3TzB+GXixwprNy5y7wPqP9X7oq7uj0I+EDND44TCJ8=; b=O/iKODHuYGyonp1UAmssd0cgkA fqriarT5rluAfUb2XSKlQ+zyrR6ZmE9sVSP9cl9vPMrRHd+EY3Wr0DOb8i5xKx1wxJXFAxZWBQuLj ISjZ/22GuINr4ct/0Seaal5/SpXQoY5dBC3v2ZBJMEhwk0TZFWHHvr08tyzMf01AXL99xlVVAz4sZ hSzvj39jKnemVYORhNiz8s8KJat0HDGHRNGvG5jDszIuK+Lspx8SvInVmY9Jpv13XyIBsaOezHuiy s8c+/QAbskC0JJfKe51NhcbeRPnQBFZSAZI1Qmkqvv3INDw1kpuFLeK20h0otNZMr+KOaLsS8a+yi QsDw3vNQ==;
Received: from mail.servers.fr.internal.networkradius.com ([192.168.42.56]:35118 helo=mail.networkradius.com) by mail2.networkradius.com with esmtp (Exim 4.97) (envelope-from <alan.dekok@inkbridge.io>) id 1wI3NX-00000000o5A-49jt; Wed, 29 Apr 2026 11:46:56 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inkbridge.io; s=sep2024; t=1777463215; bh=Z3TzB+GXixwprNy5y7wPqP9X7oq7uj0I+EDND44TCJ8=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=auPP09IkTDJ91+4vL4VtmLyCp/EEBfKEquskHZD+1L6jBhwutFet16Idg/C9FhM0D J6I3mT9/SnB26Hk4WDuMa6tY2FXBg2/rNpS5puoQ9uuMVW0zmEWj4loE8EVp6fNoZb DCT/ES7LhbHwPe/+QE69yD1DAFbf5PVG1n2wlR7nXCMk0gL5EBItAyqZjzAfhUk4gr R+2LfbX8gIVEzYhxPECb6qE6eUwK5fTTCAWZBZsxpEYUCove4/+2BBP97OobQxhF0X Bl2YSKswsznWsCvDqvFWeys3fskv9Ex77RelO2ETcZ4yPCXrqinCFviuEkIWDy3xBx N1bi8W2NbswUg==
Received: from smtpclient.apple (24-246-4-149.cable.teksavvy.com [24.246.4.149]) by mail.networkradius.com (Postfix) with ESMTPSA id B27666C; Wed, 29 Apr 2026 11:46:54 +0000 (UTC)
Content-Type: multipart/signed; boundary="Apple-Mail=_ABF7358D-43C9-4B6D-92BE-94CBD9496FD6"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81.1.4\))
From: Alan DeKok <alan.dekok@inkbridge.io>
In-Reply-To: <20260428045200.5BB6B2CCE7A@rfcpa.rfc-editor.org>
Date: Wed, 29 Apr 2026 07:46:42 -0400
Message-Id: <AE4F1940-DED6-4B7E-B409-A7E9AA6103A7@inkbridge.io>
References: <20260428045200.5BB6B2CCE7A@rfcpa.rfc-editor.org>
To: rfc-editor@rfc-editor.org
X-Mailer: Apple Mail (2.3826.700.81.1.4)
Message-ID-Hash: URXFMFE472E3HL7ALMIHH2XIAF4ZQQ64
X-Message-ID-Hash: URXFMFE472E3HL7ALMIHH2XIAF4ZQQ64
X-MailFrom: alan.dekok@inkbridge.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: emu-ads@ietf.org, emu-chairs@ietf.org, peter@akayla.com, paul.wouters@aiven.io, auth48archive@rfc-editor.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [auth48] Re: AUTH48: RFC-to-be 9965 <draft-ietf-emu-eap-arpa-10> for your review
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/ef1vk182KbtACHFYvEn6-chNKCA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Owner: <mailto:auth48archive-owner@rfc-editor.org>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Subscribe: <mailto:auth48archive-join@rfc-editor.org>
List-Unsubscribe: <mailto:auth48archive-leave@rfc-editor.org>

On Apr 28, 2026, at 12:52 AM, rfc-editor@rfc-editor.org wrote:
> 1)  <!-- [rfced] We had the following questions related to the document's title:
> 
> a) Please note that the title of the document has been updated as
> follows:
> 
> Abbreviations have been expanded per Section 3.6 of RFC 7322 ("RFC
> Style Guide"). Please review.
> 
> Original:
> The eap.arpa. domain and EAP provisioning
> 
> Current:
> The eap.arpa. Domain and Extensible Authentication Protocol (EAP) Provisioning

  This is OK.

> b) Please confirm that no period should appear at the end of the
> abbreviated title (that appears in the running header of the PDF
> output).
> 
> Current:
> eap.arpa
> -->

  It would be better as:   The eap.arpa. Domain

> 2) <!-- [rfced] Please insert any keywords (beyond those that appear in
> the title) for use on https://www.rfc-editor.org/search. -->
> 
> 
> 3) <!--[rfced] Would it make sense to update as follows?
> 
> Original:
> Without credentials, the device cannot obtain network access in order
> to be provisioned with credentials.
> 
> Perhaps:
> Without pre-provisioned credentials, the device cannot obtain network
> access in order to be provisioned with credentials.

  Yes.

> Or maybe "Without these credentials"?
> -->      
> 
> 
> 4) <!--[rfced] Please confirm the use of the period in the following
>     (i.e., outside the quotation marks).  Seems to be related to
>     domain use.
> 
> Original:
> The EPI is an NAI which is a subdomain of "eap.arpa".
> 
> Perhaps:
> The EPI is an NAI that is a subdomain of "eap.arpa.".
> -->

  The change is correct, thanks.

> 
> 5) <!-- [rfced] We had a few questions about the following:
> 
> Original:
>   NOTE: the "arpa" domain is controlled by the IAB.  Allocation of the
>   eap.arpa. domain name requires agreement from the IAB.
> 
> a) We have updated this text as follows as requested in the RFC Editor
> Note.  Please review and let us know if you have any objections.
> 
> Current:
> As the controller of the "arpa" domain, the IAB has approved the
> allocation of eap.arpa.
> 
> b) We were curious if the reader might need a pointer to where this
> agreement could be found?  Or any further citation needed here?
> -->

  I don't know of any official statement from the IAB.  It would be worth double-checking with the IAB that they are aware of this request, and have approved it.

> 6) <!--[rfced] Please clarify the use of "the EAP registry" in this text:
>     Original: ...However, the EAP registry does not follow the domain
>     name conventions specified in...
> -->        

  It should be instead:

However, the names in the EAP Method Type registry [EAP-METHOD] do not follow the domain name formats specified in ...

[EAP_METHOD]: https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4

> 
> 7) <!--[rfced] In the following, is "EAP peers" intentionally repeated?
>     Please review and let us know if a rephrase is necessary.
> 
> Original:
> Having described the format and contents of NAIs in the eap.arpa realm
> to define the EPI, we now describe how those EPIs are used by EAP
> peers and EAP peers to signal provisioning information
> 
> Perhaps:
> Having described the format and contents of NAIs in the eap.arpa realm
> to define the EPI, we now describe how those EPIs are used by EAP
> peers to signal provisioning information.
> -->        

  It should be "... by EAP peers and EAP servers to ..."

  i.e. it's a forward reference to 3.4.1 (EAP peers) and 3.4.2 (EAP servers)
 
> 8) <!--[rfced] We had a few questions regarding this text:
> 
> Original:
> An EAP server supporting this
> specification MUST examine the identity to see if it uses a realm
> located under eap.arpa. 
> 
> a) Would it make sense to update this text as follows (to clarify the
> trailing "." character?
> 
> Perhaps A:
> An EAP server supporting this
> specification MUST examine the identity to see if it uses a realm
> located under the eap.arpa. domain.
> 
> Perhaps B:
> An EAP server supporting this
> specification MUST examine the identity to see if it uses a realm
> located under the eap.arpa realm.         

  (B) is correct.

> b) Would it make sense to reword the following?
> 
> Perhaps:
> An EAP server implementing this specification...
> -->

  Yes.  "implementing" is better than "supporting".

> 
> 9) <!-- [rfced] We had two questions about the following text:
> 
> Original:
> For example, both EAP-MSCHAPv2 (PEAP) and EAP-PWD [RFC5931]
>   perform cryptographic exchanges where both parties knowing a shared
>   password. 
> 
> a) We see that [RFC5931] uses "EAP-pwd" rather than "EAP-PWD".  Please
> review and let us know if any updates are necessary.

 We can use EAP-pwd throughout.

> Current:
>   For example, both EAP-MSCHAPv2 (PEAP) and EAP-PWD [RFC5931] perform
>   cryptographic exchanges where both parties knowing a shared password.
> 
> b) Should MSCHAPv2 be expanded to Microsoft Challenge Handshake
> Authentication Protocol version 2?  If so, how does it interact with
> the parenthetical (PEAP)?
> -->

  We shouldn't expand MSCHAPv2.  The "EAP-MSCHAPv2" is the name of an EAP type.

> 10) <!--[rfced] Please review the use of 802.11u in the following.  As all
>     other instances are to 802.11X, is this use intentional?  If so,
>     should a pointer to 802.11u be added?

  We can add a reference to 802.11u.

> Original:
> The captive portal can advertise support for the eap.arpa. domain via
> an 802.11u realm.
> -->
> 
> 
> 11) <!--[rfced] We had several questions related to the IANA
>     Considerations in this document.
> 
> a) We note that Section 5 (IANA Considerations) describes some of
> what's to come in the subsections of Section 5.  This pointed out to
> us that perhaps Sections 5.3, 5.3.1, 5.4, and 5.5 should actually be
> subsections of Section 5.2 (i.e., what registry does "...this
> registry" in Section 5.3 refer to?).
> 
> Original:
>   A number of IANA actions are required.  There are two registry
>   updates in order to define the eap.arpa. domain.  A new registry is
>   created.  The "noob@eap-noob.arpa" registry entry is deprecated.
> 
> Current:
> This document describes a number of IANA actions:
> 
> - There are two registry updates in order to define the
> eap.arpa. domain (see Section 5.1).
> 
> - A new registry is created (see Section 5.2).
> 
> - The "noob@eap-noob.arpa" registry entry is deprecated (see Section 5.1.1).
> 
> Perhaps:
> This document describes a number of IANA actions:
> 
> -IANA has made two registry updates in order to define the
> eap.arpa. domain (see Section 5.1).
> 
> -IANA has created a new registry (see Section 5.2).
> 
> 
> With the reorganization of the sections as mentioned above?  Please
> review and advise.

  The proposed changes are good, thanks.

> b) Note that we have updated mentions of ".arpa registry" to point
> instead to the ".ARPA Zone Management" registry.

  That's fine.

> Please review and advise if this was not what was intended.
> 
> c) For the ease of the reader, we have added some citations as well as
> an informative reference to the Special-Use Domain Names registry.
> Please let us know any objections.

  No objections.

> d) In point 6 of Section 5.1.2.1, we see:
> 
> Original:
> Either behavior will have no impact on this specification.
> 
> Would the behavior have an effect on this document (or the content
> therein)?  Please review.

  No.  Perhaps:

Either behavior will have no impact on implementations of this specification.

> e) We see that the "EAP Provisioning Identifiers" registry uses
> "Method-Type" while the registry itself uses "Method Type" (with no
> hyphen).  May we update uses of Method-Type to read as Method Type
> throughout?  Note that we will communicate this change (as well as any
> other changes related to IANA registries) to IANA once AUTH48
> completes.
> -->

  Yes.  "Method Type" is fine.

> 
> 12)  <!--[rfced] Please clarify the antecedent of the pronoun "it" in the
>      following:
> 
> Original:
> This specification allows for unauthenticated EAP peers to obtain
> network access, however limited.  As with any unauthenticated process,
> it can be abused. Implementations should take care to limit the use of
> the provisioning network."
> -->

OLD:
	it

NEW
	this access

> 
> 13) <!--[rfced] In the following, is "to" missing?  Or is there another
>     way to rephrase?
> 
> Original:
> for any one device, rate limit its access the provisioning network.
> 
> Perhaps:
> for any one device, rate limit its access to the provisioning network.

  Yes.

> 14) <!--[rfced] We note that RFC 7170 has been obsoleted by RFC 9930.  We
>     have updated to the latter.  Please let us know any
>     objections. -->

  No objection.

> 15) <!--[rfced] We had the following questions related to terminology use
>     throughout the document:
> 
> a) We see that eap.arpa. domain is used consistently throughout.
> 
> However, we see the following with regard to .arpa:
> 
> "arpa" domain 
> ".arpa" domain
> 
> Should these be made consistent between themselves or more similar to
> eap.arpa. (i.e., no double quotes and trailing period)?

  Yes, no double quotes, and trailing period is correct.

> Further, please review the following with regard to the trailing period:
> 
> Original:
> ...the NAI SHOULD be of the form "action@name.eap.arpa".
> -->

  No trailing period here.

> 16) <!--[rfced] FYI - We see that an extra space is being inserted after
>     "eap.arp." in some places (e.g., titles).  We will dig into to
>     see if there is some formatting we can implement to remove the
>     added space. -->

  :)  I understand.  I suspect that the tools see the trailing "." as the end of a sentence.  Oh well.

v2.45.0 | Report a Bug | By Email | System Status