Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Yoav Nir <ynir.ietf@gmail.com> Tue, 21 October 2014 10:57 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30F841A19EA for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 03:57:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M50sCTpcyZXs for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 03:57:40 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8A1E1A19E2 for <tls@ietf.org>; Tue, 21 Oct 2014 03:57:24 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id r20so1550039wiv.4 for <tls@ietf.org>; Tue, 21 Oct 2014 03:57:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=9M1tVeArqBKdnTjvygiMBGu3PWYvSn3HXrUjvJj3CIw=; b=KN5SfwRDBFkGS+0Uyz8C0GkdfQzzAVQM1wxLl9wxYpugrwGTf52ZQ0ypJ7wF5t8dLj koEZfbXcKN2S3o0Zj3AlIyB3rcZc0+3OxMZ7JIUGx1dxnTmhbQ1M18W6nS4UAbLj5yCG rQYpWj0EC9cxQmjreNvjoGpuqj4vCQAds/YRmwPo7y0xmwRYi329GCC7ZVjzc+ooCAs1 NdZo0PdumAi6sTzkH28/gDWRybm3yuguOWYZ6+bhLp2cpFQ7R41+lAYBARZx+nUrv0Fm GSJcS/dzU6mzlSM99jEhjcxszIOwy6MuAF/FUhZo8pzy1whJ3jAZeYpxEjwg9LdthVlo ChqA==
X-Received: by 10.180.207.77 with SMTP id lu13mr28714660wic.12.1413889038966; Tue, 21 Oct 2014 03:57:18 -0700 (PDT)
Received: from [172.24.248.215] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id td9sm12713253wic.15.2014.10.21.03.57.17 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 21 Oct 2014 03:57:18 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.0 \(1990.1\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <358BD1AE-8354-41EB-9E85-69741DF00F69@akr.io>
Date: Tue, 21 Oct 2014 13:57:13 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <74F5F716-A220-4C92-AD8C-1CB3A8AC55DC@gmail.com>
References: <20141001231254.5238.71176.idtracker@ietfa.amsl.com> <20141004033546.GG13254@mournblade.imrryr.org> <20141002175446.6EB7B1AEA6@ld9781.wdf.sap.corp> <54B025040D4F68B1E49919B8@nifty-silver.us.oracle.com> <CAOgPGoCnbHHa-PVUpyon4gp-UHZo622Y3M2fQHLWwuNv8vKnvg@mail.gmail.com> <cce9c5f96fe944d5b4f6007d1c4a1bb2@BL2PR03MB419.namprd03.prod.outlook.com> <, > <CACsn0cmKojpfZFkaM8OBTZEpL0u_KFr6JEvHykm7uYE5UwRDLQ@mail.gmail.com> <1413868526423.88894@microsoft.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C495B@USMBX1.msg.corp.akamai.com> <358BD1AE-8354-41EB-9E85-69741DF00F69@akr.io>
To: Alyssa Rowan <akr@akr.io>
X-Mailer: Apple Mail (2.1990.1)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/YgkBVkVqOZbmkYzsaujRKu3J3uU
Cc: tls@ietf.org
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 10:57:42 -0000

+1

Outright prohibit RC4. If someone still supports RC4, then they’re not compliant with the RFC, nothing more, nothing less.

And if some auditors take it upon themselves to threaten administrators into removing support for RC4, then for once they’re doing something we can all get behind.

Yoav

> On Oct 21, 2014, at 11:10 AM, Alyssa Rowan <akr@akr.io> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> On 21 October 2014 06:58:23 BST, "Salz, Rich" <rsalz@akamai.com> wrote:
> 
>> +1
>> 
>> Kill RC4 or put our face on it and face the public embarrassment.
> 
> Strong +1. I couldn't be stronger here.
> 
> I think we have rough consensus to publish this draft as-is right now, despite a couple of vocal but wrong-headed objections. I don't think further discussion makes RC4 any more, or less, weak, but delay keeps people using it for longer and that is bad.
> 
> If this WG cannot even achieve rough consensus about turning off a weak 20-year-old piece-of-crap cipher everyone knows is bad and which many fear will soon be (according to some sources has already been) broken catastrophically and irretrievably, then we have a much deeper problem and this WG is going to look utterly ineffectual and useless - which would mean taking our security, and pushing it somewhere else which can deal with it.
> 
> If you're waiting for a catastrophic break to be published to disable a cipher when it's already a decade overdue and you've been warned it's weak, then sorry but you're a complete idiot, attackers have saved all your juicy ciphertexts for the promised day, and will just sit there looking back at your (and your customers') precious data.
> 
> Anyone is free to ignore an RFC: just remember Chris, we warned you RC4 was weak; we told you that you MUST NOT use it in the clearest possible language. If you want to ignore that, you're facing the music when a break is published. Keeping RC4 enabled is the kind of thing you should, and will, fail audits for.
> 
> Don't make me get the whips out! ;-)
> 
> - --
> /akr
> -----BEGIN PGP SIGNATURE-----
> Version: APG v1.1.1
> 
> iQI3BAEBCgAhBQJURhUGGhxBbHlzc2EgUm93YW4gPGFrckBha3IuaW8+AAoJEOyE
> jtkWi2t6088P/imVPNrVpDrcyG0Gsl/5sMCqasrzSfDEG8ZJZNUNGQ3msCA1SzYr
> XEx4FVHVX2/0fwrDftIU/N+1ECiV+l6PQf7Xoeh6XBr0P8gxMocb49J2rlZGhV9c
> aZPfz40wktglMJYNlXoKu2GsoUTOaBY+DUiOygpB0nerix9k06FXcuu26y3eGyB+
> bMlL2oxNvrpYJtbBNrPaRAKr1xee8AwaQzWkWoqeqjBJjwCKGp98SUS96jpXddp3
> P55CDs15LsMP2dHJtkM6xS1OZWAHEZwG+3BSGJOgrkMD1hMstwNAFtJxTmOc/BRs
> uFbUpYISxp1s+6ZZYH94e8Nzcr0mF6AYS3AjAXTZDGzl62LQajafxLVA13Bokoia
> KHvvxylIvDNqSYu4nysJrjOX8rnrDk1m7dPZBG1Yj++4zJZ5KbxBUhzjYooX0yzp
> IWIeveDOswD4n8oTKeRN3CnwYc25GLHhyg+jGrs5ullFNKwTh12G726XTd8FeGOO
> AdMO0T23qhj2JpzOT2v8fd2+03FEWhkc24w/2BrdtfwZWOwN1CG9kaIMnkUzOefd
> 50Myy1Iws33P6tOm4X/v7vvtDLQo+aZbfHebkU4289j4D1e+e50QfWR+AYqhOOI7
> dKkVMIiZALHTnlLFn9dMO2UIjlYffaugjQNBvppcqWviarYW4zi5cVNi
> =t57m
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls