Re: [TLS] RC4 depreciation path (Re: Deprecating more (DSA?))

Yoav Nir <ynir.ietf@gmail.com> Sat, 19 April 2014 19:42 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/kKxPJkGBAoQ37Rzwc-A0vuPlqh4

On Apr 19, 2014, at 10:32 PM, Fabrice <fabrice.gautier@gmail.com> wrote:

>> On Apr 19, 2014, at 6:10, Kurt Roeckx <kurt@roeckx.be> wrote:
>> 
>>> Sadly, our ability to force upgrades is very limited.
>> 
>> And I think publishing an RFC isn't actually really going to help
>> much.  
> 
> Not much, but a little bit. I think there are still a lot of people (including myself) that are not convinced that the severity of the attacks against RC4 justifies removing it yet. I'm not enough of an expert to be able to tell if the various published papers about RC4 are mostly theoretical issues, or practical ones.
> 
> If the IETF comes out with an RFC officially deprecating it, that's one more thing telling me this is serious enough that it should really be looked at.

+1

An RFC can help me convince management to let me make RC4 off by default.

Totally removing it from the product?  Probably not. On the IPsec side of it we still have “Export” ciphers like 40-bit DES, but making it off by default goes a long way towards making it not deployed.

Yoav