Re: [TLS] Should we require implementations to send alerts?
Hubert Kario <hkario@redhat.com> Mon, 21 September 2015 10:45 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33D651B3040 for <tls@ietfa.amsl.com>; Mon, 21 Sep 2015 03:45:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s-qQwT6nz_kc for <tls@ietfa.amsl.com>; Mon, 21 Sep 2015 03:45:28 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A07D1ACCF0 for <tls@ietf.org>; Mon, 21 Sep 2015 03:45:28 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (Postfix) with ESMTPS id CD05B461C8; Mon, 21 Sep 2015 10:45:27 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (dhcp-0-251.brq.redhat.com [10.34.0.251]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t8LAjQhY006145 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Mon, 21 Sep 2015 06:45:27 -0400
From: Hubert Kario <hkario@redhat.com>
To: Brian Smith <brian@briansmith.org>
Date: Mon, 21 Sep 2015 12:45:25 +0200
Message-ID: <1962214.QoH8MivDcC@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.9 (Linux/4.1.6-201.fc22.x86_64; KDE/4.14.9; x86_64; ; )
In-Reply-To: <CAFewVt605ApqUe+X0pX=hECTPy7rVwRV6JmL+xkRHmpEBpoC_g@mail.gmail.com>
References: <20150917225819.725411A293@ld9781.wdf.sap.corp> <4233694.SipH1XZ6JK@pintsize.usersys.redhat.com> <CAFewVt605ApqUe+X0pX=hECTPy7rVwRV6JmL+xkRHmpEBpoC_g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3134292.r4p03p0v9Y"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/OapBZA3kWi7hRNdGKE9IBCBHL6E>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Should we require implementations to send alerts?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2015 10:45:29 -0000
On Friday 18 September 2015 13:24:33 Brian Smith wrote: > On Fri, Sep 18, 2015 at 4:36 AM, Hubert Kario <hkario@redhat.com> wrote: > > On Friday 18 September 2015 00:58:19 Martin Rex wrote: > > > Easier troubleshooting is IMO a sufficient rationale to justify > > > existence of the alert mechanism and a "SHOULD send the alert > > > before > > > closing the network connection". > > > > > > A "MUST send fatal alert" requirement, however, would be silly > > > (and > > > will be void in face of rfc2119 section 6 anyway). What would be > > > the semantics of such a requirement anyway? > > > > That's true only if you ignore the situation when TLS 1.4 or TLS 2.0 > > is deployed. > > > So yes, it's no a direct interoperability issue, but it will become > > one > > in the future. > > Given a *conformant* TLS 1.3 implementation, that kind of > interoperability problem could only happen if the TLS working group > specifically designed it to happen. In particular, a conformant TLS > 1.3 implementation must accept larger values of > ClientHello.client_version. Given that there is no *conformant* TLS 1.2 implementation that is widely deployed[1], I won't hold my breath for there being many TLS1.3 ones either. We don't live in ideal world, lets build protocols that can handle breakage. Lets make specifications that have the sticks that we can hit developers with when they do wrong. 1 - NSS, SChannel and OpenSSL, all ignore some MUSTs in TLS1.2 -- Regards, Hubert Kario Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
- [TLS] Should we require implementations to send a… Eric Rescorla
- Re: [TLS] Should we require implementations to se… Martin Thomson
- Re: [TLS] Should we require implementations to se… Eric Rescorla
- Re: [TLS] Should we require implementations to se… Geoffrey Keating
- Re: [TLS] Should we require implementations to se… Martin Thomson
- Re: [TLS] Should we require implementations to se… Salz, Rich
- Re: [TLS] Should we require implementations to se… Viktor Dukhovni
- Re: [TLS] Should we require implementations to se… Eric Rescorla
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Andrei Popov
- Re: [TLS] Should we require implementations to se… Hanno Böck
- Re: [TLS] Should we require implementations to se… Florian Weimer
- Re: [TLS] Should we require implementations to se… Salz, Rich
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Florian Weimer
- Re: [TLS] Should we require implementations to se… Henrik Grubbström
- Re: [TLS] Should we require implementations to se… Florian Weimer
- Re: [TLS] Should we require implementations to se… Salz, Rich
- Re: [TLS] Should we require implementations to se… Viktor Dukhovni
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Jim Schaad
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Florian Weimer
- Re: [TLS] Should we require implementations to se… Hubert Kario
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Martin Thomson
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… David Benjamin
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Martin Rex
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… David Benjamin
- Re: [TLS] Should we require implementations to se… Hubert Kario
- Re: [TLS] Should we require implementations to se… Hubert Kario
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Benjamin Kaduk
- Re: [TLS] Should we require implementations to se… Tony Arcieri
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Bill Frantz
- Re: [TLS] Should we require implementations to se… Kurt Roeckx
- Re: [TLS] Should we require implementations to se… Kurt Roeckx
- Re: [TLS] Should we require implementations to se… Viktor Dukhovni
- Re: [TLS] Should we require implementations to se… Hubert Kario
- Re: [TLS] Should we require implementations to se… Hubert Kario