[Emu] AD Review of draft-ietf-emu-eaptlscert-05

Roman Danyliw <rdd@cert.org> Wed, 14 October 2020 19:30 UTC

From: Roman Danyliw <rdd@cert.org>
To: "emu@ietf.org" <emu@ietf.org>
Date: Wed, 14 Oct 2020 19:30:50 +0000
Message-ID: <3ea21ac7a0134aed95b56e64b6e104be@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/ABvCFmTeDioJrHy8g-OORJyIIEw>
Subject: [Emu] AD Review of draft-ietf-emu-eaptlscert-05
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>

I performed an AD review of draft-ietf-emu-eaptlscert-05.  This document is in good shape.  Thanks for writing this practical guidance for operators and implementers.  I have minor feedback below that can be addressed concurrently with IETF LC.

Section 3.  Editorial.  s/A certificate chain .... can have 2 - 6 intermediate certificates/A certificate chain ... can commonly have 2 - 6 intermediate certificates/

Section 4.1.1.  Editorial. s/1st/first/

Section 4.2.2.  s/more strict/stricter/

Section 4.3.  Editorial. s/Another second reason/Another reason/

Section 4.3.  Per "unlimited communication from an unauthenticated device as EAP could otherwise be use for bulk data transfer" doesn't parse - ("... devices as EAP ...", also, is it that an unauthenticated device can use resources?)

Section 4.3.  Would 100 round trips ensure that certificate chains as they are currently deployed (in size) do not get dropped?  I'm inquiring about the basis of the 100 round-trip threshold.
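As an added illustration of the round-trip question above (example code that is not part of this review or of draft-ietf-emu-eaptlscert; the fragment size, the per-certificate overhead figures and the certificate lengths are constructed assumptions), the following estimates how many EAP round trips a TLS Certificate message costs once EAP-TLS fragments it, and how large a chain a given round-trip cap can carry:

```python
"""Added example (not part of this review or of draft-ietf-emu-eaptlscert): estimate how
many EAP round trips a TLS Certificate message needs when EAP-TLS fragments it, and check
that estimate against a round-trip cap such as the 100 discussed above.

Assumptions (constructed for illustration, not taken from the draft):
  - one EAP Request/Response pair per fragment, i.e. one round trip per fragment;
  - a fragment payload of DEFAULT_FRAGMENT_BYTES bytes of TLS data;
  - certificate sizes given as DER lengths chosen by hand below.
"""
import math

# Assumed TLS bytes carried per EAP round trip. RFC 3748 requires EAP methods to cope with a
# lower-layer MTU as small as 1020 octets, so that is used here as a conservative default.
DEFAULT_FRAGMENT_BYTES = 1020


def tls_certificate_message_len(cert_lengths, tls13=False):
    """Approximate wire size of one TLS Certificate handshake message carrying the chain.

    TLS 1.2 (RFC 5246): 4-byte Handshake header, 3-byte certificate_list length, then
    a 3-byte length plus the DER bytes for every certificate.
    TLS 1.3 (RFC 8446): additionally a 1-byte certificate_request_context length (assumed
    empty) and a 2-byte extensions length per entry (assumed no extensions).
    """
    per_cert_overhead = 3 + (2 if tls13 else 0)
    body = 3 + (1 if tls13 else 0) + sum(per_cert_overhead + n for n in cert_lengths)
    return 4 + body


def round_trips_for_chain(cert_lengths, fragment_bytes=DEFAULT_FRAGMENT_BYTES, tls13=False):
    """EAP round trips consumed by one Certificate message: one per fragment."""
    return math.ceil(tls_certificate_message_len(cert_lengths, tls13) / fragment_bytes)


def max_certificate_bytes_within_cap(cap, fragment_bytes=DEFAULT_FRAGMENT_BYTES):
    """Largest Certificate message a cap of `cap` round trips can carry at this fragment
    size (ignoring the other handshake messages, so it is an upper bound)."""
    return cap * fragment_bytes


def chain_fits_cap(cert_lengths, cap, fragment_bytes=DEFAULT_FRAGMENT_BYTES, tls13=False):
    """True if the chain's Certificate message alone stays within the round-trip cap."""
    return round_trips_for_chain(cert_lengths, fragment_bytes, tls13) <= cap


if __name__ == "__main__":
    # Constructed chains: DER lengths are hand-picked, not measured from real CAs.
    typical_chain = [1500, 1200, 1200]   # end-entity + 2 intermediates, RSA-2048-sized
    bloated_chain = [4096] * 7           # end-entity + 6 large intermediates
    for name, chain in (("typical", typical_chain), ("bloated", bloated_chain)):
        for tls13 in (False, True):
            print(f"{name:8s} TLS1.{3 if tls13 else 2}: "
                  f"{tls_certificate_message_len(chain, tls13)} bytes, "
                  f"{round_trips_for_chain(chain, tls13=tls13)} round trips")
    print("bytes carried by a 100 round-trip cap:", max_certificate_bytes_within_cap(100))
```

The estimate covers one Certificate message only: the peer's own chain costs round trips in the other direction, and the remaining handshake messages add a few more, so the total for a handshake is higher than the figure for a single chain. Whether a given authenticator or EAP server counts a round trip per fragment, as assumed here, is something to verify against that implementation before relying on the threshold.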