Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
Ronald del Rosario <rrosario@five9.com> Thu, 09 October 2014 17:10 UTC
From: Ronald del Rosario <rrosario@five9.com>
To: "mrex@sap.com" <mrex@sap.com>, Hubert Kario <hkario@redhat.com>
Date: Thu, 09 Oct 2014 17:06:00 +0000
Message-ID: <D05C0DA3.159B2%rrosario@five9.com>
References: <1381566393.7039054.1412626641999.JavaMail.zimbra@redhat.com> <20141006202411.5FB491AEB1@ld9781.wdf.sap.corp>
In-Reply-To: <20141006202411.5FB491AEB1@ld9781.wdf.sap.corp>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/vBgsdKB9oSkZBSUtpPrqVtXafcw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
"I'm not sure how representative that cloudflare statistic is. But if this is anywhere near the real numbers, then the current "MUST NOT" for server would be clear fear-mongering rather than providing the target audience sensible information about the trade-off and a realistic perspective on the insignificance of the perceived threat. -Martin"

+1

I live in a browser-integration world (CRM, softphone clients, etc.) and disabling support for RC4 will be a burden since we still have a big percentage of customers using Windows XP/IE6 (obsolete clients) due to legacy custom integrations they are running. I feel that making RC4 a "MUST NOT" and ending up as an IETF Standard is too much fear-mongering.

Best,

Ron F. del Rosario
Information Security Officer
Five9, Inc.
Cloud Contact Center Software
4000 Executive Pkwy, Ste 400
San Ramon, CA 94583
www.Five9.com

From: Martin Rex <mrex@sap.com>
Reply-To: "mrex@sap.com" <mrex@sap.com>
Date: Monday, October 6, 2014 at 1:24 PM
To: Hubert Kario <hkario@redhat.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Hubert Kario wrote:

My issue is with the IMHO bogus "MUST NOT" for servers. Servers have no control over the client behaviour, and the current proposal calls for an unconditional hard failure (equal to "come back in clear text") rather than interoperating with RC4-based TLS cipher suites with installed-base clients.

The thing is that only very specific clients do advertise only RC4, far less than there are RC4-only servers. Cloudflare saw on the order of 0.000002% of connections end up with RC4: http://blog.cloudflare.com/the-web-is-world-wide-or-who-still-needs-rc4/ All from long obsolete clients.
Previously they saw on the order of 0.0009%: http://blog.cloudflare.com/killing-rc4-the-long-goodbye/

I'm not sure how representative that cloudflare statistic is. But if this is anywhere near the real numbers, then the current "MUST NOT" for server would be clear fear-mongering rather than providing the target audience sensible information about the trade-off and a realistic perspective on the insignificance of the perceived threat.

-Martin
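The disagreement above turns on a number each operator can measure for themselves: how many handshakes on their own server negotiate RC4, and how many of those come from clients that offer nothing but RC4 (the only ones a "MUST NOT" would actually cut off). The script below is an added example, not code from this thread, from Cloudflare, or from any TLS implementation. It assumes a constructed key=value handshake log format in which each line records the negotiated cipher and the suites the client offered; the sample lines, addresses and user-agent strings are constructed for the example.

```python
"""Estimate the impact of turning off RC4 on a TLS server from its handshake log.

Added example, not from the mailing-list thread. The log format is an
assumption: one key=value line per handshake, recording the negotiated
cipher and the suites the client offered. Real servers log the negotiated
cipher in their own format (Apache's %{SSL_CIPHER}x, for instance) and
usually do not log the offered list, so adapt parse_line() to your source.
"""
import re
from collections import Counter

# Constructed sample log lines (RFC 5737 documentation addresses, made-up UAs).
SAMPLE_LOG = """\
2014-10-09T17:06:02Z client=203.0.113.7 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 offered=ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA,RC4-SHA ua="Mozilla/5.0 (Windows NT 6.1)"
2014-10-09T17:06:03Z client=203.0.113.8 proto=TLSv1 cipher=ECDHE-RSA-AES256-SHA offered=ECDHE-RSA-AES256-SHA,AES128-SHA,RC4-SHA ua="Mozilla/5.0 (Macintosh)"
2014-10-09T17:06:04Z client=198.51.100.2 proto=TLSv1 cipher=RC4-SHA offered=RC4-SHA,RC4-MD5 ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2014-10-09T17:06:05Z client=203.0.113.9 proto=TLSv1.2 cipher=AES128-SHA256 offered=AES128-SHA256,AES128-SHA ua="Mozilla/5.0 (Windows NT 6.3)"
2014-10-09T17:06:06Z client=198.51.100.2 proto=TLSv1 cipher=RC4-MD5 offered=RC4-SHA,RC4-MD5 ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2014-10-09T17:06:07Z client=203.0.113.10 proto=TLSv1.1 cipher=ECDHE-RSA-AES128-SHA offered=ECDHE-RSA-AES128-SHA,AES128-SHA ua="Mozilla/5.0 (X11; Linux)"
2014-10-09T17:06:08Z client=203.0.113.11 proto=TLSv1 cipher=ECDHE-RSA-RC4-SHA offered=ECDHE-RSA-RC4-SHA,ECDHE-RSA-AES128-SHA,AES128-SHA ua="Mozilla/5.0 (Windows NT 5.1; rv:10.0)"
2014-10-09T17:06:09Z client=203.0.113.12 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 offered=ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-SHA ua="Mozilla/5.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) proto=(?P<proto>\S+) '
    r'cipher=(?P<cipher>\S+) offered=(?P<offered>\S+) ua="(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one handshake record, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["offered"] = rec["offered"].split(",")
    return rec


def is_rc4(cipher):
    """True for RC4 suites in OpenSSL (RC4-SHA, ECDHE-RSA-RC4-SHA) or IANA
    (TLS_RSA_WITH_RC4_128_SHA) naming; both carry "RC4" in the name."""
    return "RC4" in cipher.upper()


def rc4_only(offered):
    """True when every suite the client offered is RC4-based, i.e. the
    handshake would fail outright if the server stopped accepting RC4."""
    return bool(offered) and all(is_rc4(c) for c in offered)


def rc4_report(log_text):
    """Count handshakes that negotiated RC4 and, separately, those from clients
    that offered nothing but RC4. The first number is what a server sees in its
    cipher statistics; the second is the share that would actually break."""
    total = negotiated = only = 0
    only_uas = Counter()
    only_clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if is_rc4(rec["cipher"]):
            negotiated += 1
        if rc4_only(rec["offered"]):
            only += 1
            only_uas[rec["ua"]] += 1
            only_clients.add(rec["client"])

    def pct(n):
        return (100.0 * n / total) if total else 0.0

    return {
        "total": total,
        "negotiated_rc4": negotiated,
        "negotiated_rc4_percent": pct(negotiated),
        "rc4_only": only,
        "rc4_only_percent": pct(only),
        "rc4_only_clients": sorted(only_clients),
        "rc4_only_user_agents": dict(only_uas),
    }


if __name__ == "__main__":
    r = rc4_report(SAMPLE_LOG)
    print(f"{r['total']} handshakes, {r['negotiated_rc4']} negotiated RC4 "
          f"({r['negotiated_rc4_percent']:.3f}%)")
    print(f"{r['rc4_only']} came from RC4-only clients ({r['rc4_only_percent']:.3f}%)")
    for ua, n in r["rc4_only_user_agents"].items():
        print(f"  {n}x {ua}")
```

The two counts differ for a reason worth keeping in mind when reading statistics like Cloudflare's: a handshake that negotiated RC4 is not necessarily one that would break, because a server whose preference order still ranks RC4 highly will pick it for a client that also offers AES (the seventh sample line). Only the clients whose ClientHello contains no non-RC4 suite are lost when RC4 is removed, and since few servers log the offered list, a capture of ClientHello messages at the edge is the usual way to get that number before changing the server's cipher configuration.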