Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 04 October 2014 18:08 UTC

To: tls@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/6SPsX-7edN895WdnDcYLNTyzeKs

Hi Viktor,

(No hats and without taking a position on the draft itself yet...)

On 04/10/14 04:35, Viktor Dukhovni wrote:
> Well, I for one am not.   Disabling RC4 does more harm than good
> with opportunistic TLS.

Not sure I agree with that specific point. Disabling RC4 could be
a configuration or code change, depending.

If a code change is needed to disable RC4 then it's going to be fine
to use a better alg. I don't see there's a real case where there's
no better alg to code up than RC4.

If disabling RC4 is a config change, then in almost all cases the
result should be a better alg being selected. There could I guess
be cases where there's nothing better to configure, but frankly, I
doubt that that's really a significant set of TLS installations.
(Note that's not to say that those currently using RC4 are not
significant - I'd say a lot of those could in principle change but
just haven't yet.)

And if anyone is going to disable RC4 and as a result end up with
cleartext, then we should just get them a new foot-gun:-)

So I don't think that the opportunistic security design really helps
to decide SHOULD NOT vs MUST NOT for this draft.

S.