In article <Pine.LNX.4.62.0506020227100.27968@xxxxxxxxxxxxxx> you write: >On Wed, 1 Jun 2005, Keith Moore wrote: >>> The argument in favor of publishing this document at proposed is that >>> the existing arcfour cipher is part of a standard and that many other >>> IETF protocols use rc4 in standards track documents. >> >> previous mistakes are not valid justifications for new mistakes. >> previous accidents are not valid justifications for deliberately weakening >> new products. > >Keith, > >I think you're right in general. But in this specific case its not a >"new product". SSH already uses RC4, the change is increasing size >of key that maybe used. That's not the only change. The important aspect of my draft is that it requires discarding the first 1536 bytes of RC4 keystream. Apparently RSA Security have always recommended discarding the start of the keystream, but SSH (and TLS, for that matter) has ignored this recommendation. The addition of support for 256-bit keys was just my taking an opportunity to bring RC4 into line with the rest of SSH, and to give us a little more security headroom against any remaining attacks on the key schedule. -- Ben Harris _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf