Prohibiting RC4 Cipher Suites
draft-ietf-tls-prohibiting-rc4-01
Yes
(Alissa Cooper)
(Barry Leiba)
(Brian Haberman)
(Spencer Dawkins)
(Stephen Farrell)
(Ted Lemon)
No Objection
(Adrian Farrel)
(Benoît Claise)
(Martin Stiemerling)
Note: This ballot was opened for revision 01 and is now closed.
Alissa Cooper Former IESG member
Yes
Yes
()
Unknown
Barry Leiba Former IESG member
Yes
Yes
()
Unknown
Brian Haberman Former IESG member
Yes
Yes
()
Unknown
Jari Arkko Former IESG member
Yes
Yes
(2015-01-07)
Unknown
Thanks for writing this important document. I agree with the action it specifies.
Kathleen Moriarty Former IESG member
Yes
Yes
(2014-12-10)
Unknown
Thanks for your work on this draft!
Richard Barnes Former IESG member
Yes
Yes
(2015-01-07)
Unknown
Enthusiastically in support. It was pointed out to me today that some PCI-DSS [1] auditors are still requiring RC4 [2]. Hopefully this document will help fix that situation. [1] http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard [2] http://forums.iis.net/t/1193152.aspx [3] http://www.purehacking.com/blog/gordon-maddern/beast-vs-rc4-ciphers-vs-pci
Spencer Dawkins Former IESG member
Yes
Yes
()
Unknown
Stephen Farrell Former IESG member
Yes
Yes
()
Unknown
Ted Lemon Former IESG member
Yes
Yes
()
Unknown
Adrian Farrel Former IESG member
No Objection
No Objection
()
Unknown
Alia Atlas Former IESG member
No Objection
No Objection
(2015-01-07)
Unknown
I do agree with Pete's question
Benoît Claise Former IESG member
No Objection
No Objection
()
Unknown
Joel Jaeggli Former IESG member
No Objection
No Objection
(2015-01-06)
Unknown
about time, thanks.
Martin Stiemerling Former IESG member
No Objection
No Objection
()
Unknown
Pete Resnick Former IESG member
(was Discuss)
No Objection
No Objection
(2015-01-08)
Unknown
Thanks to Chris Newman and Viktor Dukhovni for their additions to the discussion. I think we all understand that the SMTP Opportunistic Security community is going to continue to use RC4 (only opportunistically and only when it's the only working alternative to clear text) for some period of time, but that putting this in the document is in the rough part of the consensus, as it will tend to diminish the message of the document. I'm not thrilled with that outcome; I wish we could be straightforward in the document about what we actually will and won't do without increasing the likelihood that other folks will misinterpret. But that's where we are.