Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Bodo Moeller <bmoeller@acm.org> Thu, 02 October 2014 10:44 UTC

Return-Path: <SRS0=9UCi=6Z=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C09CC1A02E2 for <tls@ietfa.amsl.com>; Thu, 2 Oct 2014 03:44:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.714
X-Spam-Level:
X-Spam-Status: No, score=-1.714 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id os_G8XJDHTM8 for <tls@ietfa.amsl.com>; Thu, 2 Oct 2014 03:44:11 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.24]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1DDC1A02DD for <tls@ietf.org>; Thu, 2 Oct 2014 03:44:10 -0700 (PDT)
Received: from mail-yh0-f53.google.com (mail-yh0-f53.google.com [209.85.213.53]) by mrelayeu.kundenserver.de (node=mreue101) with ESMTP (Nemesis) id 0M4qlR-1YRTXG2ss1-00yvFe; Thu, 02 Oct 2014 12:44:08 +0200
Received: by mail-yh0-f53.google.com with SMTP id b6so590373yha.12 for <tls@ietf.org>; Thu, 02 Oct 2014 03:44:06 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.54.101 with SMTP id h65mr35532091yhc.47.1412246646668; Thu, 02 Oct 2014 03:44:06 -0700 (PDT)
Received: by 10.170.194.15 with HTTP; Thu, 2 Oct 2014 03:44:06 -0700 (PDT)
In-Reply-To: <BA2DFF33-7B0C-4E87-9C0E-215933AED88F@akr.io>
References: <20141002005804.2760C1AE9D@ld9781.wdf.sap.corp> <BA2DFF33-7B0C-4E87-9C0E-215933AED88F@akr.io>
Date: Thu, 2 Oct 2014 12:44:06 +0200
Message-ID: <CADMpkc+j5kL1G=NA9phQy=nLAEUA1u8jfnNT=2wDp_S=kOTjNQ@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=bcaec508f598b5c5a905046e4b34
X-Provags-ID: V02:K0:DdA+LBRcd74sSgXFQu0EtVJs9r/wrZ+8nQh1Pm5EhP+ JEWFhZhWWTKBEzmf5mGyP8TWRL6wNfpmJsZDLV4Ei4qnyqirMJ swp/EIvXQ4CQXUNR7oX1wHQulbEjPtbxQgN9eD9+yIpSshbuCc LvW7TH4OmD9e8cWgWyMtNX8dqYU/I7BSnlgtOpQSOTBmfGpTBK lmYoGpUAE5vJr31fhjdoPtX4nLjLfr9Z1hYrfoJa/jAsiQ8T8q 5P3O0yurhzG2/6i9FRft6nII5N1PPTGJiX+SkqEYKjlnqXjq98 Q5wb+T0V5mwYdGavfrCObqmEmyMAPTQZKQT0I9+j3+ZwENkuRF AUagYPQx6gWEUL6QjVsHAUGOyr005eCWoRiPTC8eA0fE0c2H6B GzzDC5NvVlF6FFNtAPO8eGgBQT0EnT6F9qiY/NcpGtVj9E1XdC NMF7V
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/09_t1pshmr3aOnimLM94rhhguDk
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Oct 2014 10:56:31 -0000

Alyssa Rowan <akr@akr.io>io>:

This draft absolutely must not be watered down. We should treat weak
> crypters as broadly equivalent to NULL. That is what this does.
>

NULL is not currently a MUST NOT ... of course, having a cipher suite that
intently and expressly does not encrypt is clearer than having a cipher
suite that offers weak encryption, so it could make sense to have a MUST
NOT for RC4 even as NULL remains around for use cases that need it.

Anyone is entirely free to ignore confidentiality if they don't judge it's
> important in their scenario - but that doesn't mean it's a good idea for
> the internet at large, or that they weren't warned about the risk and chose
> to use it anyway.
>

Translated from prose, I think you're saying SHOULD NOT.

Bodo