On Wed, Mar 30, 2016 at 12:05:26PM -0400, Daniel Kahn Gillmor wrote:
> On Wed 2016-03-30 11:33:09 -0400, Benjamin Kaduk wrote:
> > I am not sure that we want to be in the business of explicitly marking
> > things as insecure other than our own RFCs, though -- there could be an
> > implication of more review than is actually the case, which is what this
> > proposal is trying to get rid of.
>
> I think i agree with Ben here: if we have a tri-state:
> approved/not-approved/known-bad, then the people will infer that the
> not-approved ciphersuites are better than the known-bad ones, which
> isn't necessarily the case.
>
> I think i'd rather see it stay at "approved/not-approved"

Then how should ciphersuites with explicit diediedie RFCs (currently RC4) be presented?

-Ilari