Prohibiting RC4 Cipher Suites
RFC 7465
Yes
No Objection
Note: This ballot was opened for revision 01 and is now closed.
(Alissa Cooper; former steering group member) Yes
(Barry Leiba; former steering group member) Yes
(Brian Haberman; former steering group member) Yes
(Jari Arkko; former steering group member) Yes
Thanks for writing this important document. I agree with the action it specifies.
(Kathleen Moriarty; former steering group member) Yes
Thanks for your work on this draft!
(Richard Barnes; former steering group member) Yes
Enthusiastically in support. It was pointed out to me today that some PCI-DSS [1] auditors are still requiring RC4 [2]. Hopefully this document will help fix that situation. [1] http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard [2] http://forums.iis.net/t/1193152.aspx [3] http://www.purehacking.com/blog/gordon-maddern/beast-vs-rc4-ciphers-vs-pci
(Spencer Dawkins; former steering group member) Yes
(Stephen Farrell; former steering group member) Yes
(Ted Lemon; former steering group member) Yes
(Adrian Farrel; former steering group member) No Objection
(Alia Atlas; former steering group member) No Objection
I do agree with Pete's question
(Benoît Claise; former steering group member) No Objection
(Joel Jaeggli; former steering group member) No Objection
about time, thanks.
(Martin Stiemerling; former steering group member) No Objection
(Pete Resnick; former steering group member) (was Discuss) No Objection
Thanks to Chris Newman and Viktor Dukhovni for their additions to the discussion. I think we all understand that the SMTP Opportunistic Security community is going to continue to use RC4 (only opportunistically and only when it's the only working alternative to clear text) for some period of time, but that putting this in the document is in the rough part of the consensus, as it will tend to diminish the message of the document. I'm not thrilled with that outcome; I wish we could be straightforward in the document about what we actually will and won't do without increasing the likelihood that other folks will misinterpret. But that's where we are.