Assurance

["Capehart,Jeffrey D" <>]

RC4 used as a symmetric key cipher negotiated during the Public-Key 
Cryptographic exchange with SSL protects the key which could be partly why it 
was allowed for limited use in the NIST SSL/TLS document as an exception.

There was more to it than that, but that was the gist I got.

Looks like footnote 17 is also needed...
#17:  RC4 is acceptable for use on Government "Client" systems in very 
limited circumstances where secure information is to be transferred between 
Government systems and non-government servers, and 3DES or better (e.g., AES) 
is not supported by the server. For example, many vendor web sites providing 
supplies to the government support nothing stronger than RC4, and credit card 
information must be conveyed and secured to order supplies. In such cases 
risk is limited to exposure of government credit card information, and 
agencies may wish to take this risk to expedite ordering of supplies. RC4 
should never be used on Government "Server" systems where government 
owned/generated data is to be made available in a secure manner to "client" 
systems.


-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Brian Arkills
Sent: Tuesday, February 26, 2013 11:28 AM
To: 

Subject: RE: [Assurance] Question on Protected Channel - SSL/TLS

Accepting RC4 would resolve the Active Directory stored secrets issue too.