EAP Type Code Allocation Review Template

As noted in RFC 3748, for EAP methods to obtain a Type Code, Expert Review with Specification is required. The following list of issues is provided as a guideline to potential expert reviewers and method authors.

Result
------

Is the request for allocation of a Type Code APPROVED or DENIED?

Justification
-------------

1. Does the method document its security properties in a sufficient manner, as required by Section 7.2 of RFC 3748?

   1a. Mechanism. Is the mechanism explained?

   1b. Security claims. Are the claimed and not claimed properties listed?

   1c. Justifications for the claims. Is an explanation or reference provided for each of the claims?

   1d. Key strength. Is the key strength documented?

   1e. Indication of vulnerabilities. Are the known vulnerabilities documented?

   [Note: it seems unreasonable to require the documentation of unknown vulnerabilities :-) The "known" may of course be "known to reviewer" or "known to author" or "known to the community", but that appears to be the best we can do.]

2. Compliance with EAP packet formats

   2a. Does the method comply with the packet formats defined in Section 4 of RFC 3748?

3. Compliance with EAP behaviour

   3a. Does the method comply with Success/Failure usage as defined in Sections 2, 2.2, and 4.2?

   3b. Does the method comply with sequence usage as defined in Section 2.1 of RFC 3748?

   3c. Does the method comply with request/response processing rules as defined in Section 4.1 of RFC 3748?

   3d. Does the method comply with retransmission rules as defined in Section 4.3 of RFC 3748?

   3e. Does the method comply with the usage defined for Identity, as defined in Section 5.1 of RFC 3748?

   3f. Does the method comply with the usage defined for Notification, as defined in Section 5.2 of RFC 3748?

   3g. Does the method comply with the usage defined for Nak and Expanded-Nak as defined in Section 5.3 of RFC 3748?

   3h. Does the method comply with the MIC usage requirements from Sections 3.1, 7.5, and 7.8 of RFC 3748?

4. Compliance with IANA requirements

   4a. Does the method comply with EAP-based IANA requirements defined in Section 6 of RFC 3748? That is, if it requests the allocation of new numbers in the EAP namespace [not applicable if the numbers have already been allocated], is the type of the document and process appropriate for the desired action?

   4b. Does the method comply with other IANA requirements in the IETF standards track RFCs? For instance, does the method attempt to allocate TLS extensions (which would only be possible for standards track RFCs)?

5. Compliance with the EAP Key Management Framework

   5a. Description of key hierarchy. Is the key hierarchy documented? Does the specification describe how the MSK and EMSK are calculated? Are the MSK and EMSK cryptographically independent?

   5b. Does the specification describe how the Peer-ID and Server-ID are determined (if supported)?

   5c. Does the specification define the Method-ID?