RE: Last Call: draft-harkins-emu-eap-pwd (EAP Authentication UsingOnly A Password) to Informational RFC

["Glen Zorn" <gwz@net-zen.net>]

Joseph Salowey (jsalowey) [mailto:jsalowey@cisco.com] writes:
 
> I object to this document being published as a Proposed Standard.  When
> this document was discussed in the EMU meeting at IETF-71 there was
> much
> concern raised with respect to existing IPR in the area of secure
> password methods used by this draft.  Additionally, soon after its
> initial publication and announcement on the CFRG list, flaws were found
> with the draft.  The authors were very responsive in addressing the
> issues, but this points out that the algorithms used in this draft have
> had less review than other secure password mechanisms developed over
> the
> years.  Another approach to a secure password only EAP method, EAP-EKE,
> has been proposed in draft-sheffer-emu-eap-eke-02.  This method is
> based
> on EKE, which is already in use, has a long history of review, and has
> much better understood IPR considerations.  Given that there is an
> alternative to consider I do not support publishing EAP-PWD in the
> standards track.

IMHO, this question is orthogonal (& largely immaterial) to the one at hand.
It's one thing for the IETF to reach consensus that the draft be
Informational; it is a completely different thing for the publication path
to be changed without either notification of (other than the Last Call
announcement itself) or consultation with the authors.  If this was _not_ a
simple error, then the action was arbitrary & capricious, not to mentioned
underhanded & must certainly be considered as grounds for dismissal of the
(as yet unnamed) person or persons responsible, unless the IETF has recently
converted to an authoritarian regime.  As an aside, it seems that
draft-green-secsh-ecc has suffered the same fate, suggesting that this is
neither an error nor an isolated occurrence.

...