Last Call Review of draft-ietf-tls-prohibiting-rc4-01
review-ietf-tls-prohibiting-rc4-01-secdir-lc-yu-2014-12-11-00
Request | Review of draft-ietf-tls-prohibiting-rc4
---|---
Requested revision | No specific revision (document currently at 01)
Type | Last Call Review
Team | Security Area Directorate (secdir)
Deadline | 2014-12-10
Requested | 2014-11-27
Authors | Andrei Popov
I-D last updated | 2014-12-11
Completed reviews | Genart Last Call review of -01 by Dan Romascanu; Genart Telechat review of -01 by Dan Romascanu; Secdir Last Call review of -01 by Taylor Yu; Opsdir Last Call review of -01 by Al Morton
Assignment | Reviewer: Taylor Yu
State | Completed
Request | Last Call review on draft-ietf-tls-prohibiting-rc4 by Security Area Directorate
Reviewed revision | 01
Result | Has issues
Completed | 2014-12-11
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: ready with minor issues

This document deprecates RC4 cipher suites in TLS due to attacks that can recover repeated plaintexts given about 2^26 sessions. Accordingly, it says that TLS implementations MUST NOT use RC4 cipher suites.

However, I noticed that RFC 5469 specifies only "SHOULD NOT" for single-DES cipher suites in TLS. I don't know whether a 2^56 offline exhaustive key search that reveals an initial plaintext is directly comparable to a 2^26 online attack that reveals the entire plaintext, but it seems odd that single-DES is only "SHOULD NOT" while RC4 is "MUST NOT". Perhaps this document is not the right place to fix that discrepancy.

On the other hand, I am wondering if an unintended consequence of sites or implementations disabling RC4 cipher suites is falling back to single-DES. What prevents this fallback from happening? I don't have a lot of the relevant information about TLS implementations as deployed.
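The fallback concern raised in the review can be made concrete with a small cipher-suite policy check. The following is an added example and is not part of the review, the draft, or any TLS implementation. It assumes a simplified negotiation model (the server picks its most-preferred suite that the client also offers), constructed server and client suite lists built from IANA-registered cipher-suite names, and two policy levels taken from the documents the review contrasts: RC4 suites are "MUST NOT" (draft-ietf-tls-prohibiting-rc4) and single-DES suites are "SHOULD NOT" (RFC 5469). The function and variable names are the example's own.

```python
"""Cipher-suite policy check illustrating the RC4 -> single-DES fallback question.

Added example, not from the draft or the review. The suite lists are constructed,
the negotiation model is simplified, and the policy levels mirror
draft-ietf-tls-prohibiting-rc4 (RC4: MUST NOT) and RFC 5469 (single DES: SHOULD NOT).
"""
import re

# IANA cipher-suite names spell out the bulk cipher, so a name check suffices here.
RC4_RE = re.compile(r"_RC4_")
# Single DES appears as "_DES_CBC_". 3DES suites are named "_3DES_EDE_CBC_",
# which does not contain that substring, so they are (correctly) not flagged.
SINGLE_DES_RE = re.compile(r"_DES_CBC_")


def classify(suite):
    """Return the policy level that applies to one cipher suite name."""
    if RC4_RE.search(suite):
        return "MUST NOT"      # draft-ietf-tls-prohibiting-rc4
    if SINGLE_DES_RE.search(suite):
        return "SHOULD NOT"    # RFC 5469
    return "ok"


def audit(suites):
    """Group an enabled-suite list by policy level for reporting."""
    report = {"MUST NOT": [], "SHOULD NOT": [], "ok": []}
    for suite in suites:
        report[classify(suite)].append(suite)
    return report


def disable_rc4_only(suites):
    """The narrow change the review worries about: drop RC4 and nothing else."""
    return [s for s in suites if classify(s) != "MUST NOT"]


def disable_deprecated(suites):
    """Drop both RC4 (MUST NOT) and single DES (SHOULD NOT)."""
    return [s for s in suites if classify(s) == "ok"]


def negotiate(server_prefs, client_offers):
    """Simplified selection: first server-preferred suite the client also offers.

    Returns None when there is no common suite, i.e. the handshake would fail
    rather than silently downgrade.
    """
    offered = set(client_offers)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


# Constructed server preference list (IANA names), strongest first.
SERVER_PREFS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
]

# Constructed legacy client that offers only RC4 and single DES.
LEGACY_CLIENT = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_DES_CBC_SHA"]


def fallback_demo():
    """What the legacy client negotiates under each server policy."""
    return {
        "before": negotiate(SERVER_PREFS, LEGACY_CLIENT),
        "rc4_disabled_only": negotiate(disable_rc4_only(SERVER_PREFS), LEGACY_CLIENT),
        "rc4_and_des_disabled": negotiate(disable_deprecated(SERVER_PREFS), LEGACY_CLIENT),
    }


if __name__ == "__main__":
    for level, suites in audit(SERVER_PREFS).items():
        print(f"{level:10s} {suites}")
    for case, chosen in fallback_demo().items():
        print(f"{case:22s} -> {chosen}")
```

Run stand-alone, the script shows the point of the review's question: removing only the RC4 suites leaves `TLS_RSA_WITH_DES_CBC_SHA` as the first suite the legacy client still shares with the server, so the connection falls back to single DES; only when the single-DES suites are removed as well does negotiation with that client fail instead of downgrading. In deployed implementations the equivalent control is the configured cipher-suite list, so an audit like `audit()` over that list, not just an RC4 removal, is what prevents the fallback.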