Deprecate Triple-DES (3DES) and RC4 in Kerberos
RFC 8429

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, ekr@rtfm.com, draft-ietf-curdle-des-des-des-die-die-die@ietf.org, Daniel Migault <daniel.migault@ericsson.com>, curdle-chairs@ietf.org, curdle@ietf.org, daniel.migault@ericsson.com, rfc-editor@rfc-editor.org
Subject: Protocol Action: 'Deprecate 3DES and RC4 in Kerberos' to Best Current Practice (draft-ietf-curdle-des-des-des-die-die-die-05.txt)

The IESG has approved the following document:
- 'Deprecate 3DES and RC4 in Kerberos'
  (draft-ietf-curdle-des-des-des-die-die-die-05.txt) as Best Current Practice

This document is the product of the CURves, Deprecating and a Little more
Encryption Working Group.

The IESG contact persons are Benjamin Kaduk and Eric Rescorla.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-curdle-des-des-des-die-die-die/


Technical Summary

   The 3DES and RC4 encryption types are steadily weakening in
cryptographic strength, and the deprecation process should be begun
for their use in Kerberos.  Accordingly, RFC 4757 is moved to
Obsolete status, as none of the encryption types it specifies should
be used, and RFC 3961 is updated to note the deprecation of the
triple-DES encryption types.


Working Group Summary

No controversy. 


Document Quality

   
This does not apply here. 

My understanding is implementations are likely to implement
the draft, especially with the "SHOULD NOT" recommendation.

Both co-authors expect to start the deprecation process which is slow
to achieve as there is now a long deployment history. A deprecation 
will not remove the actual software  implementation right away, but 
progressively disable it.


Personnel
   
Daniel Migault is the shepherd, Eric Rescorla is the AD