Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

[Geoffrey Keating <geoffk@geoffk.org>]

Andrei Popov <Andrei.Popov@microsoft.com> writes:

> 2. "TLS servers MUST NOT select an RC4 cipher suite" is too
> strict/constraining/hard to deploy/etc.
> If we removed this MUST NOT, this would not be a prohibiting-rc4
> draft, but a best practice recommendation. We have TLS-BCP for
> recommendations. The idea of prohibiting-rc4 is to completely remove
> a weak cipher suite.

I support this, and especially the logic behind it.

> 3. But there are other weak cipher suites: EXPORT, DES, RC2, MD5... 
> Totally agree; these need to be removed as well. However, we've been
> discussing prohibiting-rc4 for over a year now. I think we should
> let this draft proceed so that we can make some progress. I don't
> mind authoring a new I-D (or I-Ds) prohibiting EXPORT, DES, RC2, MD5
> ciphers.

I support this and the logic behind it too.

I would also support creating a new I-D.  TLS 1.1 already says about
the EXPORT ciphersuites:

   TLS 1.1 implementations MUST NOT negotiate
   these [EXPORT] cipher suites in TLS 1.1 mode.  However, for backward
   compatibility they may be offered in the ClientHello for use with TLS
   1.0 or SSLv3-only servers.  TLS 1.1 clients MUST check that the
   server did not choose one of these cipher suites during the
   handshake.  

RFC 5469 says that for DES and IDEA,

   If a TLS library implements these cipher suites, it
   SHOULD NOT enable them by default.  Experience has also shown that
   rarely used code is a source of security and interoperability
   problems, so existing implementations SHOULD consider removing these
   cipher suites.

which is a bit less then the absolute prohibition I'd like, and not
all implementations have actually disabled these ciphers---indeed some
servers in the wild will still negotiate these ciphersuites,
particularly TLS_RSA_WITH_DES_CBC_SHA.

We don't seem to have anything about MD5.