Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?

Simon Josefsson <jas@extundo.com> Wed, 01 June 2005 18:59 UTC

From: Simon Josefsson <jas@extundo.com>
To: Sam Hartman <hartmans-ietf@mmit.edu.cnri.reston.va.us>
Date: Wed, 01 Jun 2005 20:58:35 +0200
Cc: iesg@ietf.org, ietf@ietf.org
Subject: Re: draft-harris-ssh-arcfour-fixes-02: informational or proposed?

Sam Hartman <hartmans-ietf@mmit.edu.cnri.reston.va.us> writes:

> Hi, folks.  The IESG has received a last call comment recommending
> that the new rc4 cipher for ssh be published as informational rather
> than as a proposed standard because of weaknesses in rc4.  It would be
> inappropriate to make a decision based on one comment so I am
> soliciting comments on this point.
>
> The argument in favor of publishing this document at proposed is that
> the existing arcfour cipher is part of a standard and that many other
> IETF protocols use rc4 in standards track documents.

A similar argument could be made for MD5.  I don't think it is a
strong argument.

If there is a known public weakness today, publishing it as a standard
seems like a poor idea to me.

FWIW, my general comment is that the IETF should not promote RC4.
Technically better alternatives exist; and the cryptographic/IPR
history of RC4 doesn't improve the case for it.  I have similar
thoughts on the use of RC4 in SASL DIGEST-MD5.

Cheers,
Simon
