Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Ralph Holz <holz@net.in.tum.de> Wed, 08 October 2014 21:27 UTC

Return-Path: <holz@net.in.tum.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C90CB1A0410 for <tls@ietfa.amsl.com>; Wed, 8 Oct 2014 14:27:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.85
X-Spam-Level:
X-Spam-Status: No, score=-3.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lfO13HQrqn8Y for <tls@ietfa.amsl.com>; Wed, 8 Oct 2014 14:27:42 -0700 (PDT)
Received: from smtp1.informatik.tu-muenchen.de (mail-out1.informatik.tu-muenchen.de [131.159.0.8]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4366E1A039C for <tls@ietf.org>; Wed, 8 Oct 2014 14:27:42 -0700 (PDT)
Received: from [192.168.178.34] (109.125.75.212.dynamic.cablesurf.de [109.125.75.212]) by mail.net.in.tum.de (Postfix) with ESMTPSA id 18DC319CA810 for <tls@ietf.org>; Wed, 8 Oct 2014 23:27:39 +0200 (CEST)
Message-ID: <5435AC4A.8010205@net.in.tum.de>
Date: Wed, 08 Oct 2014 23:27:38 +0200
From: Ralph Holz <holz@net.in.tum.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: tls@ietf.org
References: <20141002005804.2760C1AE9D@ld9781.wdf.sap.corp> <BA2DFF33-7B0C-4E87-9C0E-215933AED88F@akr.io> <2A0EFB9C05D0164E98F19BB0AF3708C71D2F8F7E83@USMBX1.msg.corp.akamai.com> <CADMpkcJEt4e7LJAY+FsFcbyQE2x3SXsaOW3bffV4U2oN9EUKrg@mail.gmail.com> <542D850E.2060900@akr.io> <64cfd9c21a3f430287b7a0d30908b007@BL2PR03MB419.namprd03.prod.outlook.com>
In-Reply-To: <64cfd9c21a3f430287b7a0d30908b007@BL2PR03MB419.namprd03.prod.outlook.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/n-Sk4SSVKBS4Q8PVfZ28-Nsa9tA
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Oct 2014 21:27:44 -0000

Hi,

> 2. "TLS servers MUST NOT select an RC4 cipher suite" is too
> strict/constraining/hard to deploy/etc. If we removed this MUST NOT,
> this would not be a prohibiting-rc4 draft, but a best practice
> recommendation. We have TLS-BCP for recommendations. The idea of
> prohibiting-rc4 is to completely remove a weak cipher suite.

The BCP MUST NOTs RC4.

It also MUST NOTs the NULL cipher, but says clearly that some scenarios
require it, and these are not in scope.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18010
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF