Prohibiting RC4 Cipher Suites
RFC 7465

Note: This ballot was opened for revision 01 and is now closed.

(Jari Arkko) Yes

Comment (2015-01-07)
Thanks for writing this important document. I agree with the action it specifies.

(Richard Barnes) Yes

Comment (2015-01-07)
Enthusiastically in support.  It was pointed out to me today that some PCI-DSS [1] auditors are still requiring RC4 [2].  Hopefully this document will help fix that situation.

[1] http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard 
[2] http://forums.iis.net/t/1193152.aspx
[3] http://www.purehacking.com/blog/gordon-maddern/beast-vs-rc4-ciphers-vs-pci

Alissa Cooper Yes

(Spencer Dawkins) Yes

(Stephen Farrell) Yes

(Brian Haberman) Yes

Barry Leiba Yes

(Ted Lemon) Yes

(Kathleen Moriarty) Yes

Comment (2014-12-10)
Thanks for your work on this draft!

(Alia Atlas) No Objection

Comment (2015-01-07)
I do agree with Pete's question.

(Benoît Claise) No Objection

(Adrian Farrel) No Objection

(Joel Jaeggli) No Objection

Comment (2015-01-06)
About time, thanks.

(Pete Resnick) (was Discuss) No Objection

Comment (2015-01-08)
Thanks to Chris Newman and Viktor Dukhovni for their additions to the discussion. I think we all understand that the SMTP Opportunistic Security community is going to continue to use RC4 (only opportunistically and only when it's the only working alternative to clear text) for some period of time, but that putting this in the document is in the rough part of the consensus, as it will tend to diminish the message of the document. I'm not thrilled with that outcome; I wish we could be straightforward in the document about what we actually will and won't do without increasing the likelihood that other folks will misinterpret. But that's where we are.

(Martin Stiemerling) No Objection