Stephen Farrell <stephen.farrell%cs.tcd.ie@localhost> writes:
> Someone however asked if SSH's use of RC4 ought also be
> deprecated at the same time, or not. Which could be done in
> the same document as the TLS one, or not.
> What do folks here think about that?
I think there's some use for a cipher in ssh which is significantly
faster than aes. I'm not following developments as closely as I'd like
to, but I think it would be nice to have some recommended replacement for
such uses, most likely salsa20 or chacha. And I think it would be good to
have a spec for using a fast cipher as a traditional cipher in ssh,
independent of developments to adopt aead constructions like
chacha-poly1305.
I don't have a strong opinion on whether or not this is the right time
for an explicit deprecation.
[1] https://www.ietf.org/mail-archive/web/tls/current/msg11932.html
Is the intention that a conforming implementation must delete all
support for rc4? Or is it viewed as acceptable to keep supporting it (if
configured by user/administrator) but ensure that the *default*
configuration never enables it in the algorithm negotiation?
Regards,
/Niels