Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 24 October 2014 01:08 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BA941AD62B for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 18:08:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cup7ewkeeAaX for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 18:07:56 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 34C1D1AD61D for <tls@ietf.org>; Thu, 23 Oct 2014 18:07:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3571DBE2F; Fri, 24 Oct 2014 02:07:53 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w1SDKIZ1-SeS; Fri, 24 Oct 2014 02:07:52 +0100 (IST)
Received: from [10.87.48.12] (unknown [86.46.20.206]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 0568CBE20; Fri, 24 Oct 2014 02:07:52 +0100 (IST)
Message-ID: <5449A667.9040105@cs.tcd.ie>
Date: Fri, 24 Oct 2014 02:07:51 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
References: <CAO7N=i3gC=+qcgHU=aMKtRyT7tZV5fm=9gJii-=yOpcNECOEvA@mail.gmail.com> <20141022175238.GF19158@mournblade.imrryr.org> <544837FD.202@cs.tcd.ie> <2A0EFB9C05D0164E98F19BB0AF3708C71D3AF651E4@USMBX1.msg.corp.akamai.com>
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C71D3AF651E4@USMBX1.msg.corp.akamai.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9Fp8k_uizgtjnS6sxP8w3mmLKeo
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 01:08:01 -0000

Hiya,

On 23/10/14 21:49, Salz, Rich wrote:
>> I think there is a significant difference between the security (in
>> particular confidentiality) one gets with good and dodgy algorithms
>> which is sufficient to argue that the OS design pattern is
>> inappropriate to use with such dodgy algs.
> 
> I'm having trouble parsing things.  You don't mean "both good and
> dodgy," but rather "good compared with dodgy" or "good contrasted
> with dodgy"

Yep. I badly write:-) Fair comment though, I wasn't clear so
apologies. As you guessed, what I meant was:

  OS is a fine design pattern. Algorithms can be considered-good
  or dodgy. AES is considered-good. RC4 is dodgy. OS requires
  considered-good algorithms (I think). With dodgy algorithms
  (esp. with ciphertext-only attacks expected soon) OS is no
  better than cleartext for confidentiality. So we ought say
  to not use RC4 when following the OS design pattern.

> Sorry, you IE folks are just too good with words for a poor old yank
> like me :)

And meaninglessly but with more apologies this time to the
estates of Beckett and Joyce:

  Pervasive monitors record, having no alternative, nothing new.
  We may be startled as by a violation of our own privacy.
  As if it wasn't broken already.

Hopefully the latter is sufficiently .ie to pass mustard. And
now you've suggested it, I quite like the idea of Joyce
transcribing PM recordings, and sending those to Beckett the
analyst:-)

Cheers,
S.


> 
> -- Principal Security Engineer, Akamai Technologies IM:
> rsalz@jabber.me Twitter: RichSalz
>