Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Stephen Farrell <> Wed, 26 August 2015 09:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 61FCB1A00BC for <>; Wed, 26 Aug 2015 02:42:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id i-6P5MN_gfhL for <>; Wed, 26 Aug 2015 02:42:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EF1AD1A1A07 for <>; Wed, 26 Aug 2015 02:42:18 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0BD35BE5D; Wed, 26 Aug 2015 10:42:17 +0100 (IST)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6AqZctC82tDD; Wed, 26 Aug 2015 10:42:16 +0100 (IST)
Received: from [] ( []) by (Postfix) with ESMTPSA id 1B53ABDF9; Wed, 26 Aug 2015 10:42:10 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1440582130; bh=cQcfQHE1o2f5s2xYjaDANYGmag1b3kNAVwuX2zIETQ0=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=RGPxaQzijxWIj7RjdT62dhUCCIN/x3c1mgtVcRc5ZvCX2kHHUnIWsd81WK0IWVjKs +PP1DTL6MUJTjFss0Vi5f/T4ZK/b7xju4+UzqGSFZa+3yspFGpSKEouLqY2W9TIcbg wmO1k83NIGTFG1QlMGtYThLRnapbGENZmYddSqgo=
Message-ID: <>
Date: Wed, 26 Aug 2015 10:42:10 +0100
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Nico Williams <>
References: <> <> <> <> <> <> <> <> <> <> <20150826055240.GD13302@localhost>
In-Reply-To: <20150826055240.GD13302@localhost>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Aug 2015 09:42:21 -0000

Hi Nico,

On 26/08/15 06:52, Nico Williams wrote:

> We know RC4 is weak and we want to use something else that's better
> instead.  Clearly, we can ban RC4, but that isn't a magic wand that
> makes everyone start using AES or what have you.  Still, we plow on
> because hey, some TLS implementors will understand the SMTP OS situation
> and won't break that application.  But! if we merrily write text telling
> TLS implementors to remove RC4, many of them will, and in the process
> they will make security/interop for SMTP demonstrably worse (as Viktor
> has shown).
> It seems we can't be moderate in how we approach cipher obsolescence,
> perhaps because... we're embarrassed to have obsolete ciphers around so
> long after they became obsolete?  That's not a good excuse for throwing
> a big switch.  A good excuse for throwing the switch is any case where
> merely offering weak crypto introduces a downgrade attack, but that's
> not the case here.
> "Look ma'!, we banned the bad thing" is clever marketing.  For a short
> while.  "Look ma'!, we're getting off the old thing and onto the new,
> and we're giving people time so we don't make things worst in the
> short-term" is a mouthful and ma' will have to think about it before
> deciding that we're doing the right thing, but it is the right thing.
> We totally can live with an outright ban on RC4.  That not all TLS
> implementors will adhere to.  Or accept the loss of security/interop for
> SMTP.  If implementors willfully diverge from the spec, then the spec is
> probably wrong.  If implementors faithfully implement a spec, and as a
> result applications break, the spec is probably wrong.  The only hope
> for an outright ban is that breakage causes people to go fix it.  But
> with SMTP OS it's not always clear to users that there's breakage, and
> when it is clear (mail won't flow) it isn't always easy to go fix it.

I'm sorry but you're entirely ignoring the use of RC4 in the web
which was a very important part of this. While there may be a rump
of smtp servers that are broken and that won't upgrade soon, there
was a very large proportion of the web using RC4 before we deprecated
it, and now there is far less, with no breakage. (See Richard's
presentation at saag in Prague.) That change wasn't caused by us, but
we did the right thing to help it along with RFC7465.

Another of the lessons of OS (or rather, of more seriously considering
deployment realities) is that we sometimes need to think outside our
own silos. That goes for mail folks and web folks and others too.
(I'm not saying you're one or other of those, but your mail was very


> Nico