
Last Call Review of draft-ietf-tls-prohibiting-rc4-01
review-ietf-tls-prohibiting-rc4-01-secdir-lc-yu-2014-12-11-00

Request: Review of draft-ietf-tls-prohibiting-rc4
Requested revision: No specific revision (document currently at 01)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2014-12-10
Requested: 2014-11-27
Authors: Andrei Popov
I-D last updated: 2014-12-11
Completed reviews:
  Genart Last Call review of -01 by Dan Romascanu
  Genart Telechat review of -01 by Dan Romascanu
  Secdir Last Call review of -01 by Taylor Yu
  Opsdir Last Call review of -01 by Al Morton
Assignment: Reviewer Taylor Yu
State: Completed
Request: Last Call review on draft-ietf-tls-prohibiting-rc4 by Security Area Directorate Assigned
Reviewed revision: 01
Result: Has issues
Completed: 2014-12-11
I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

Summary: ready with minor issues

This document deprecates RC4 cipher suites in TLS due to attacks that
can recover repeated plaintexts given about 2^26 sessions.  Accordingly,
it says that TLS implementations MUST NOT use RC4 cipher suites.

However, I noticed that RFC 5469 specifies only "SHOULD NOT" for
single-DES cipher suites in TLS.  I don't know whether a 2^56 offline
exhaustive key search that reveals an initial plaintext is directly
comparable to a 2^26 online attack that reveals the entire plaintext,
but it seems odd that single-DES is only "SHOULD NOT" while RC4 is "MUST
NOT".  Perhaps this document is not the right place to fix that
discrepancy.

On the other hand, I am wondering if an unintended consequence of sites
or implementations disabling RC4 cipher suites is falling back to
single-DES.  What prevents this fallback from happening?  I don't have a
lot of the relevant information about TLS implementations as deployed.
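The fallback question raised in the review, as an added example that is not part of the review or of the draft: a small model of TLS cipher-suite selection (first mutually supported suite in the preferring side's order) used to check whether removing RC4 from a server configuration lets a legacy client fall through to a single-DES suite. The client and server suite lists are constructed for illustration; the suite names are standard IANA names.

```python
# Added example; models server-preference cipher suite selection only.

def classify(suite):
    """Bucket a TLS cipher suite name by its bulk cipher."""
    if "_WITH_RC4_" in suite:
        return "rc4"
    if "_WITH_DES_" in suite:        # single DES; 3DES names contain "_WITH_3DES_"
        return "single-des"
    return "other"

def negotiate(client_suites, server_suites, server_preference=True):
    """Return the first suite in the preferring side's list that the other side also offers."""
    first, second = (server_suites, client_suites) if server_preference else (client_suites, server_suites)
    return next((s for s in first if s in second), None)

def disable(suites, kind):
    """Drop every suite of the given bulk-cipher class from a configuration."""
    return [s for s in suites if classify(s) != kind]

def fallback_check(client_suites, server_suites, server_preference=True):
    """Compare what is negotiated before and after the server removes its RC4 suites."""
    before = negotiate(client_suites, server_suites, server_preference)
    after = negotiate(client_suites, disable(server_suites, "rc4"), server_preference)
    return {
        "before": before,
        "after": after,
        "falls_to_single_des": after is not None and classify(after) == "single-des",
    }

# Constructed server configuration: modern suites first, legacy suites kept "for compatibility".
SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
]
# Constructed legacy client that offers only RC4 and single DES.
LEGACY_CLIENT = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_DES_CBC_SHA"]

if __name__ == "__main__":
    print(fallback_check(LEGACY_CLIENT, SERVER_SUITES))
    # Removing single DES as well is what stops the fallback: the handshake then fails instead.
    print(fallback_check(LEGACY_CLIENT, disable(SERVER_SUITES, "single-des")))
```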