IETF-SSH archive


Re: TLS considering an rc4-die-die-die draft



Stephen Farrell <stephen.farrell%cs.tcd.ie@localhost> writes:

> Someone however asked if SSH's use of RC4 ought also be
> deprecated at the same time, or not. Which could be done in
> the same document as the TLS one, or not.
>
> What do folks here think about that?

I think there's some use for a cipher in ssh which is significantly
faster than aes. I'm not following developments as closely as I'd like
to, but I think it would be nice to have some recommended replacement for
such uses, most likely salsa20 or chacha. And I think it would be good to
have a spec for using a fast cipher as a traditional cipher in ssh,
independent of developments to adopt aead constructions like
chacha-poly1305.

I don't have a strong opinion on whether or not this is the right time
for an explicit deprecation.

> [1] https://www.ietf.org/mail-archive/web/tls/current/msg11932.html

Is the intention that a conforming implementation must delete all
support for rc4? Or is it viewed as acceptable to keep supporting it (if
configured by user/administrator) but ensure that the *default*
configuration never enables it in the algorithm negotiation?

Regards,
/Niels


-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.


