IETF Logo Mail Archive

Re: [saag] [Sam Hartman] draft-harris-ssh-arcfour-fixes-02: informational or proposed?

Brian E Carpenter <brc@zurich.ibm.com> Thu, 02 June 2005 11:47 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DdoAL-0004Ia-CP; Thu, 02 Jun 2005 07:47:13 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DdoAJ-0004IQ-4E for ietf@megatron.ietf.org; Thu, 02 Jun 2005 07:47:11 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA05378 for <ietf@ietf.org>; Thu, 2 Jun 2005 07:47:10 -0400 (EDT)
Received: from mtagate4.de.ibm.com ([195.212.29.153]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DdoUI-0008Ch-TV for ietf@ietf.org; Thu, 02 Jun 2005 08:07:52 -0400
Received: from d12nrmr1607.megacenter.de.ibm.com (d12nrmr1607.megacenter.de.ibm.com [9.149.167.49]) by mtagate4.de.ibm.com (8.12.10/8.12.10) with ESMTP id j52Bl0tc166456 for <ietf@ietf.org>; Thu, 2 Jun 2005 11:47:00 GMT
Received: from d12av04.megacenter.de.ibm.com (d12av04.megacenter.de.ibm.com [9.149.165.229]) by d12nrmr1607.megacenter.de.ibm.com (8.12.10/NCO/VER6.6) with ESMTP id j52BkxDo079580 for <ietf@ietf.org>; Thu, 2 Jun 2005 13:46:59 +0200
Received: from d12av04.megacenter.de.ibm.com (loopback [127.0.0.1]) by d12av04.megacenter.de.ibm.com (8.12.11/8.13.3) with ESMTP id j52BkxLp021285 for <ietf@ietf.org>; Thu, 2 Jun 2005 13:46:59 +0200
Received: from sihl.zurich.ibm.com (sihl.zurich.ibm.com [9.4.16.232]) by d12av04.megacenter.de.ibm.com (8.12.11/8.12.11) with ESMTP id j52Bkwxk021266; Thu, 2 Jun 2005 13:46:59 +0200
Received: from zurich.ibm.com (sig-9-146-220-72.de.ibm.com [9.146.220.72]) by sihl.zurich.ibm.com (AIX4.3/8.9.3p2/8.9.3) with ESMTP id NAA41042; Thu, 2 Jun 2005 13:46:58 +0200
Message-ID: <429EF1AE.1040805@zurich.ibm.com>
Date: Thu, 02 Jun 2005 13:46:54 +0200
From: Brian E Carpenter <brc@zurich.ibm.com>
Organization: IBM
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en, fr, de
MIME-Version: 1.0
To: Jeffrey Altman <jaltman@columbia.edu>
References: <tslfyw1hpaw.fsf@cz.mit.edu> <429E0F70.6040708@columbia.edu>
In-Reply-To: <429E0F70.6040708@columbia.edu>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e8c5db863102a3ada84e0cd52a81a79e
Content-Transfer-Encoding: 7bit
Cc: saag@mit.edu, ietf-ssh@netbsd.org, ietf@ietf.org
Subject: Re: [saag] [Sam Hartman] draft-harris-ssh-arcfour-fixes-02: informational or proposed?
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

Jeffrey Altman wrote:
> My personal opinion is that if there is a protocol that has been widely
> deployed but which for whatever reason the IETF does not want to
> encourage its adoption, the RFC should be published immediately as
> HISTORIC.
> 
> Jeffrey Altman

My personal opinion is that RFC 2026 doesn't really allow this,
except by a very strange process in which the IESG first authorizes
publication as Informational and then immediately authorizes
re-classification as Historic.

Whenever 2026 gets updated, this could be clarified.

In any case, in such a case (if the IESG agrees) the mechanism
is to publish with an appropriate IESG Note included, to give
the health warning. That is much more important than whether
it's labelled info or historic.

But the substantive question about rc4 remains.

     Brian

> 
> 
> Sam Hartman wrote:
> 
> 
>>Hi.  I believe the following request is of interest to secsh and saag.
>>
>>
>>
>>------------------------------------------------------------------------
>>
>>Subject:
>>draft-harris-ssh-arcfour-fixes-02: informational or proposed?
>>From:
>>Sam Hartman <hartmans-ietf@mmit.edu.cnri.reston.va.us>
>>Date:
>>Wed, 01 Jun 2005 14:35:07 -0400
>>To:
>>ietf@ietf.org
>>
>>To:
>>ietf@ietf.org
>>CC:
>>iesg@ietf.org
>>
>>Return-Path:
>><ietf-bounces@ietf.org>
>>Received:
>>from solipsist-nation ([unix socket]) by solipsist-nation (Cyrus
>>v2.1.16-IPv6-Debian-2.1.16-10) with LMTP; Wed, 01 Jun 2005 14:37:25 -0400
>>X-Sieve:
>>CMU Sieve 2.2
>>Return-Path:
>><ietf-bounces@ietf.org>
>>Received:
>>from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by
>>suchdamage.org (Postfix) with ESMTP id 581AA1383D for
>><ietf@mailboxes.suchdamage.org>; Wed, 1 Jun 2005 14:37:23 -0400 (EDT)
>>Received:
>>from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by
>>megatron.ietf.org with esmtp (Exim 4.32) id 1DdY3t-00074x-D9; Wed, 01
>>Jun 2005 14:35:29 -0400
>>Received:
>>from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org
>>with esmtp (Exim 4.32) id 1DdY3r-00073R-2v; Wed, 01 Jun 2005 14:35:27 -0400
>>Received:
>>from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org
>>(8.9.1a/8.9.1a) with ESMTP id OAA13323; Wed, 1 Jun 2005 14:35:23 -0400 (EDT)
>>Received:
>>from stratton-three-sixty-nine.mit.edu ([18.187.6.114]
>>helo=carter-zimmerman.mit.edu) by ietf-mx.ietf.org with esmtp (Exim
>>4.33) id 1DdYNe-0002lY-42; Wed, 01 Jun 2005 14:55:59 -0400
>>Received:
>>by carter-zimmerman.mit.edu (Postfix, from userid 8042) id 36E3DE0063;
>>Wed, 1 Jun 2005 14:35:07 -0400 (EDT)
>>Message-ID:
>><tsloeaqgc2s.fsf@cz.mit.edu>
>>User-Agent:
>>Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)
>>X-Scan-Signature:
>>c1c65599517f9ac32519d043c37c5336
>>X-BeenThere:
>>ietf@ietf.org
>>X-Mailman-Version:
>>2.1.5
>>Precedence:
>>list
>>List-Id:
>>IETF-Discussion <ietf.ietf.org>
>>List-Unsubscribe:
>><https://www1.ietf.org/mailman/listinfo/ietf>,
>><mailto:ietf-request@ietf.org?subject=unsubscribe>
>>List-Post:
>><mailto:ietf@ietf.org>
>>List-Help:
>><mailto:ietf-request@ietf.org?subject=help>
>>List-Subscribe:
>><https://www1.ietf.org/mailman/listinfo/ietf>,
>><mailto:ietf-request@ietf.org?subject=subscribe>
>>Sender:
>>ietf-bounces@ietf.org
>>Errors-To:
>>ietf-bounces@ietf.org
>>X-Spam-Checker-Version:
>>SpamAssassin 3.0.2 (2004-11-16) on solipsist-nation.suchdamage.org
>>X-Spam-Status:
>>No, score=-1.7 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.2
>>MIME-Version:
>>1.0
>>
>>
>>
>>Hi, folks.  The IESG has received a last call comment recommending
>>that the new rc4 cipher for ssh be published as informational rather
>>than as a proposed standard because of weaknesses in rc4.  It would be
>>inappropriate to make a decision based on one comment so I am
>>soliciting comments on this point.
>>
>>The argument in favor of publishing this document at proposed is that
>>the existing arcfour cipher is part of a standard and that many other
>>IETF protocols use rc4 in standards track documents.
>>
>>
>>Please submit comments to ietf@ietf.org or iesg@ietf.org on this issue
>>by 2005-06-28.
>>
>>Included below is a partial bibliography of RC4 attacks provided to
>>the IESG by the person making the original comment.
>>
>>
>>
>>S. Fluhrer, I. Mantin, & A. Shamir, "Weaknesses in the Key Scheduling
>>Algorithm of RC4", Proceedings of 8th Annual International Workshop
>>on Selected areas in Cryptography (SAC 2001), Toronto, ON, CA,
>>August 2001.
>>
>>J. D. Golic, "Linear Statistical Weakness of RC4 Key Generator",
>>Procedings of EuroCrypt 1997, Konstanz, DE, May 1997.
>>
>>S. Fluhrer & D. McGrew, "Statistical Analysis of the RC4 Key
>>Generator", Proceedings of 7th International Workshop on Fast
>>Software Encryption (FSE 2000), New York, NY, US, April 2000.
>>
>>S. Mister & S.E. Tavares, "Cryptanalysis of RC4-like Ciphers",
>>Proceedings of 5th Annual International Workshop on Selected
>>Areas in Cryptography (SAC 1998), Kingston, ON, CA, August 1998.
>>
>>L. Knudsen, W. Meier, B. Preneel, V. Rijmen, & S. Verdoolaege,
>>"Analysis Method for RC4", Proceedings of AsiaCrypt 1998.
>>
>>R. Wash, "Lecture Notes on Stream Ciphers and RC4", unpublished,
>>Case Western Reserve University, OH, US
>>http://acm.cwru.edu/files/2002%20Spring/talks/latex_samp2_4_09_02.pdf
>>
>>S. Paul & B. Preneel, "Analysis of Non-fortuitous Predictive States
>>of the RC4 Key Generator", Proceedings of 4th International Conference
>>on Cryptology in India (IndoCrypt 2003), New Delhi, IN, December 2003.
>>
>>_______________________________________________
>>Ietf mailing list
>>Ietf@ietf.org
>>https://www1.ietf.org/mailman/listinfo/ietf
>>
>>
>>
>>------------------------------------------------------------------------
>>
>>_______________________________________________
>>saag mailing list
>>saag@mit.edu
>>https://jis.mit.edu/mailman/listinfo/saag
>>
>>
>>------------------------------------------------------------------------
>>
>>_______________________________________________
>>Ietf mailing list
>>Ietf@ietf.org
>>https://www1.ietf.org/mailman/listinfo/ietf


_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email