Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Stephen Farrell <> Fri, 24 October 2014 01:08 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6BA941AD62B for <>; Thu, 23 Oct 2014 18:08:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Cup7ewkeeAaX for <>; Thu, 23 Oct 2014 18:07:56 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 34C1D1AD61D for <>; Thu, 23 Oct 2014 18:07:56 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3571DBE2F; Fri, 24 Oct 2014 02:07:53 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id w1SDKIZ1-SeS; Fri, 24 Oct 2014 02:07:52 +0100 (IST)
Received: from [] (unknown []) by (Postfix) with ESMTPSA id 0568CBE20; Fri, 24 Oct 2014 02:07:52 +0100 (IST)
Message-ID: <>
Date: Fri, 24 Oct 2014 02:07:51 +0100
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: "Salz, Rich" <>, "" <>
References: <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Oct 2014 01:08:01 -0000


On 23/10/14 21:49, Salz, Rich wrote:
>> I think there is a significant difference between the security (in
>> particular confidentiality) one gets with good and dodgy algorithms
>> which is sufficient to argue that the OS design pattern is
>> inappropriate to use with such dodgy algs.
> I'm having trouble parsing things.  You don't mean "both good and
> dodgy," but rather "good compared with dodgy" or "good contrasted
> with dodgy"

Yep. I badly write:-) Fair comment though, I wasn't clear so
apologies. As you guessed, what I meant was:

  OS is a fine design pattern. Algorithms can be considered-good
  or dodgy. AES is considered-good. RC4 is dodgy. OS requires
  considered-good algorithms (I think). With dodgy algorithms
  (esp. with ciphertext-only attacks expected soon) OS is no
  better than cleartext for confidentiality. So we ought say
  to not use RC4 when following the OS design pattern.

> Sorry, you IE folks are just too good with words for a poor old yank
> like me :)

And meaninglessly but with more apologies this time to the
estates of Beckett and Joyce:

  Pervasive monitors record, having no alternative, nothing new.
  We may be startled as by a violation of our own privacy.
  As if it wasn't broken already.

Hopefully the latter is sufficiently .ie to pass mustard. And
now you've suggested it, I quite like the idea of Joyce
transcribing PM recordings, and sending those to Beckett the


> -- Principal Security Engineer, Akamai Technologies IM:
> Twitter: RichSalz