Re: [Curdle] draft-ietf-curdle-rc4-die-die-die-06 review

Daniel Migault <daniel.migault@ericsson.com> Thu, 09 August 2018 13:52 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/G2XJFonc49uNUygT20YBWq_ZDQY>

Hi,

I think that should be fine now - I can see that both of us have approved
the link. Thanks for updating the document! Let us know if you encounter
any issues!

Yours,
Daniel

On Thu, Aug 9, 2018 at 7:06 AM, Loganaden Velvindron <logan@hackers.mu>
wrote:

> Please find attached the revised xml file for rev 07, with the
> feedback received.
>
> I'm going to upload once the chairs clear this:
> https://datatracker.ietf.org/submit/status/97172/
>
>
>
> On Tue, Jul 17, 2018 at 9:58 PM, Daniel Migault
> <daniel.migault@ericsson.com> wrote:
> > Hi,
> >
> > We would like to thank Loganaden Velvindron for volunteering to co-author
> > and move the draft forward.
> >
> > Yours,
> > Daniel
> >
> > On Fri, Jul 6, 2018 at 5:13 PM, Daniel Migault
> > <daniel.migault@ericsson.com> wrote:
> >>
> >> Hi,
> >>
> >> We would like to move the draft to the IESG, however, the draft has not
> >> been updated to address the comments received on the mailing list. We have
> >> privately contacted the author 3 times with the email address provided to
> >> the draft, but we did not receive any response. The purpose of this email is
> >> to first try to contact the author of draft via another channel and
> >> understand if he has any plan to move the draft forward. In addition, we
> >> would also like to see if there is any interest by some members of the group
> >> to co-author the draft and move the draft forward. For those interested in
> >> co-authoring the draft, please contact us privately.
> >>
> >> Our goal is to have all drafts - that is the two remaining drafts in WGLC
> >> - submitted by end of August.
> >>
> >> Yours,
> >> Rich and Daniel
> >>
> >> On Tue, May 15, 2018 at 1:00 PM, Daniel Migault
> >> <daniel.migault@ericsson.com> wrote:
> >>>
> >>> Hi,
> >>>
> >>> Please find my review for draft-ietf-curdle-rc4-die-die-die-06 [1]. I
> >>> have also proposed text, so please comment the review in the mail. I am
> >>> willing to start a WGLC as soon as the draft is being updated.
> >>>
> >>> Yours,
> >>> Daniel
> >>>
> >>>
> >>> [1] https://tools.ietf.org/html/draft-ietf-curdle-rc4-die-die-die-06
> >>>
> >>>
> >>> RFC-Editor:
> >>>
> >>> I personally find the tone of the sentence a bit aggressive, thus I would
> >>> remove it or just leave the RFC reference.
> >>>
> >>> """
> >>> Non-ASCII characters are allowed in RFCs as per RFC 7997.
> >>> """
> >>>
> >>> I see deprecation and move to historic status as very similar to
> >>> draft-ietf-curdle-des-des-des-die-die-die-05 and I assume that is correct.
> >>>
> >>> Abstract:
> >>>
> >>> The sentence below is a bit hard to parse.
> >>> ""
> >>> and formally obsoletes and moves to
> >>>    Historic RFC 4345.
> >>> ""
> >>>
> >>> I would propose instead:
> >>>
> >>> """
> >>> This document deprecates RC4 in Secure Shell (SSH).  Therefore, this
> >>>    document updates RFC 4253, and moves to Historic RFC 4345.
> >>> """
> >>>
> >>> 1. Introduction
> >>>
> >>>
> >>> """
> >>> RC4 is broken""
> >>> """
> >>>
> >>> Although English is not my main language, it sounds a bit abrupt to me
> >>> and it might be preferred to use something around the lines of
> >>> draft-ietf-curdle-des-des-des-die-die-die-05:
> >>>
> >>> RC4 encryption is steadily weakening in cryptographic strength, and the
> >>> deprecation process should be begun for their use in SSH.
> >>>
> >>>
> >>> It seems to me that sections 1, 2, 3 could be merged. I would propose the
> >>> following text. I am providing comments in <mglt></mglt>.
> >>>
> >>>
> >>>
> >>> 1. Introduction
> >>>
> >>>
> >>> The usage of RC4 suites (also designated as arcfour) for SSH is
> >>> specified in RFC 4253 and RFC 4345. RFC 4253 specifies the allocation of the
> >>> "arcfour" cipher for SSH. RFC 4345 specifies and allocates the
> >>> "arcfour-128" and "arcfour-256" ciphers for SSH.
> >>>
> >>> RC4 encryption is steadily weakening in cryptographic strength
> >>> [RFC7457][draft-ietf-curdle-des-des-des-die-die-die-05], and the deprecation
> >>> process should be begun for their use in Secure Shell (SSH) [RFC4253].
> >>> Accordingly, RFC 4253 is updated to note the deprecation of the RC4 ciphers
> >>> and RFC 4345 is moved to Historic as all ciphers it specifies MUST NOT be
> >>> used.
> >>>
> >>> <mglt>I believe that this document is very close to
> >>> [draft-ietf-curdle-des-des-des-die-die-die-05] and as such a reference to it
> >>> should be mentioned. </mglt>
> >>>
> >>>
> >>> 2.  Requirements Notation
> >>>
> >>> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
> >>> "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
> >>> document are to be interpreted as described in BCP 14 [RFC2119, RFC8174]
> >>> when, and only when, they appear in all capitals, as shown here.
> >>>
> >>> 3. Updates to RFC 4253
> >>>
> >>> RFC 4253 is updated to prohibit arcfour's use in SSH.
> >>>
> >>> <mglt>
> >>> """
> >>> The last sentence of the paragraph on RC4 (called "arcfour"
> >>>    in [RFC4253]) in Section 6.3 of [RFC4253]
> >>> """
> >>>
> >>> I believe that it might be clearer to quote the text as it is not easy to
> >>> locate it. I would propose the text below. </mglt>
> >>>
> >>> RFC 4253 allocates the "arcfour" cipher in Section 6.3 by defining a list
> >>> of defined ciphers where the "arcfour" cipher appears as optional as
> >>> mentioned below:
> >>>
> >>> """
> >>>       arcfour          OPTIONAL          the ARCFOUR stream cipher
> >>>                                          with a 128-bit key
> >>> """
> >>>
> >>> The current document updates the status of the "arcfour" ciphers in the
> >>> list of RFC 4253 Section 6.3 by moving it from OPTIONAL to MUST NOT.
> >>>
> >>> """
> >>>       arcfour          MUST NOT          the ARCFOUR stream cipher
> >>>                                          with a 128-bit key
> >>> """
> >>>
> >>> RFC 4253 defines the "arcfour" ciphers with the text mentioned below:
> >>> """
> >>>    The "arcfour" cipher is the Arcfour stream cipher with 128-bit keys.
> >>>    The Arcfour cipher is believed to be compatible with the RC4 cipher
> >>>    [SCHNEIER].  Arcfour (and RC4) has problems with weak keys, and
> >>>    should be used with caution.
> >>> """
> >>>
> >>> The current document updates RFC 4253 Section 6.3 by replacing the text
> >>> above with the following text:
> >>>
> >>> """
> >>>    The "arcfour" cipher is the Arcfour stream cipher with 128-bit keys.
> >>>    The Arcfour cipher is believed to be compatible with the RC4 cipher
> >>>    [SCHNEIER].  Arcfour (and RC4) is steadily weakening in cryptographic
> >>>    strength [RFC7457][draft-ietf-curdle-des-des-des-die-die-die-05], and
> >>>    MUST NOT be used.
> >>> """
> >>>
> >>> 4. IANA Considerations
> >>>
> >>> <mglt>There is a reference to 3DES I think should be removed. In
> >>> addition, IANA cannot be required to update RFCs. IANA is assigned to update
> >>> the SSH registries. With [IANA] being an informational reference to
> >>> https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml, I
> >>> would propose the following text :</mglt>
> >>>
> >>> The IANA is requested to update the Encryption Algorithm Name  Registry
> >>> of the Secure Shell (SSH) Protocol Parameters [IANA]. The Registration
> >>> procedure is IETF Review which is achieved by this document. The registry
> >>> should be updated as follows:
> >>>
> >>> Encryption Algorithm Name     Reference     Note
> >>> arcfour                       [RFC-TBD]
> >>> arcfour128                    [RFC-TBD]
> >>> arcfour256                    [RFC-TBD]
> >>>
> >>>
> >>> Where TBD is the RFC number assigned to the document.
> >>>
> >>>
> >>>
> >>
> >
> >
> > _______________________________________________
> > Curdle mailing list
> > Curdle@ietf.org
> > https://www.ietf.org/mailman/listinfo/curdle
> >