Skip to main content

Prohibiting RC4 Cipher Suites
RFC 7465

Yes

(Alissa Cooper)
(Barry Leiba)
(Brian Haberman)
(Spencer Dawkins)
(Stephen Farrell)
(Ted Lemon)

No Objection

(Adrian Farrel)
(Benoît Claise)
(Martin Stiemerling)

Note: This ballot was opened for revision 01 and is now closed.

(Alissa Cooper; former steering group member) Yes

Yes ()

                            

(Barry Leiba; former steering group member) Yes

Yes ()

                            

(Brian Haberman; former steering group member) Yes

Yes ()

                            

(Jari Arkko; former steering group member) Yes

Yes (2015-01-07)
Thanks for writing this important document. I agree with the action it specifies.

(Kathleen Moriarty; former steering group member) Yes

Yes (2014-12-10)
Thanks for your work on this draft!

(Richard Barnes; former steering group member) Yes

Yes (2015-01-07)
Enthusiastically in support.  It was pointed out to me today that some PCI-DSS [1] auditors are still requiring RC4 [2].  Hopefully this document will help fix that situation.

[1] http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard 
[2] http://forums.iis.net/t/1193152.aspx
[3] http://www.purehacking.com/blog/gordon-maddern/beast-vs-rc4-ciphers-vs-pci

(Spencer Dawkins; former steering group member) Yes

Yes ()

                            

(Stephen Farrell; former steering group member) Yes

Yes ()

                            

(Ted Lemon; former steering group member) Yes

Yes ()

                            

(Adrian Farrel; former steering group member) No Objection

No Objection ()

                            

(Alia Atlas; former steering group member) No Objection

No Objection (2015-01-07)
I do agree with Pete's question

(Benoît Claise; former steering group member) No Objection

No Objection ()

                            

(Joel Jaeggli; former steering group member) No Objection

No Objection (2015-01-06)
about time, thanks.

(Martin Stiemerling; former steering group member) No Objection

No Objection ()

                            

(Pete Resnick; former steering group member) (was Discuss) No Objection

No Objection (2015-01-08)
Thanks to Chris Newman and Viktor Dukhovni for their additions to the discussion. I think we all understand that the SMTP Opportunistic Security community is going to continue to use RC4 (only opportunistically and only when it's the only working alternative to clear text) for some period of time, but that putting this in the document is in the rough part of the consensus, as it will tend to diminish the message of the document. I'm not thrilled with that outcome; I wish we could be straightforward in the document about what we actually will and won't do without increasing the likelihood that other folks will misinterpret. But that's where we are.