Re: [TLS] Deprecating alert levels

Kyle Nekritz <knekritz@fb.com> Tue, 25 October 2016 01:14 UTC

From: Kyle Nekritz <knekritz@fb.com>
To: Martin Thomson <martin.thomson@gmail.com>, Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Date: Tue, 25 Oct 2016 01:14:23 +0000
Subject: Re: [TLS] Deprecating alert levels
Message-ID: <MWHPR15MB11822291FFF82449A328A4E0AFA80@MWHPR15MB1182.namprd15.prod.outlook.com>
In-Reply-To: <CABkgnnWY+miny3iAvYFDk3JahR=eXMZx4Osfc+YGrtQXZH9+_g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Wd29qFOiuOF2VZ0Nad0Lj6cksus>

+1 to both Martin and ekr; I think simplifying these alerts, with clearly defined behavior for each alert description, is the best way forward.

Kyle 

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Thomson
Sent: Wednesday, October 19, 2016 10:18 PM
To: Eric Rescorla <ekr@rtfm.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecating alert levels

On 20 October 2016 at 05:28, Eric Rescorla <ekr@rtfm.com> wrote:
>> 2.  Are there cases, such as unrecognized name, where it is useful to 
>> indicate that an alert is not fatal?  If so how should this case be handled?
>
>
> I think this alert was a mistake :)

In NSS the practice is to tolerate it, but it's an exception.  I'm happier with a lone exception than with atrophied and redundant alert levels continuing as they are.  I'd prefer to take the PR, with a minor amendment noting the hazard caused by unrecognized_name(112).  Clients that intend to accept TLS 1.2 and lower probably have to ignore warning alerts until they see that the server is doing TLS 1.3 or higher.

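The client-side hazard Martin describes (a TLS 1.2 server may send unrecognized_name(112) as a warning and continue, while a TLS 1.3 peer treats every non-closure alert as an error regardless of level) can be captured as a small alert-handling policy. The following is an added illustration written for this page, not code from the thread, from NSS, or from the TLS 1.3 PR under discussion. It assumes the rule the final TLS 1.3 specification (RFC 8446, Section 6) adopted, that only close_notify and user_canceled are closure alerts and everything else is an error; the function and constant names are this example's own, and the version tuples (3, 3) for TLS 1.2 and (3, 4) for TLS 1.3 are the wire values.

```python
"""Alert-handling policy for a client that speaks TLS 1.3 but still accepts
TLS 1.2 servers (added example, not code from the thread or from NSS).

The point it makes: a warning-level alert cannot be treated as fatal until
the client knows the server negotiated TLS 1.3, otherwise a TLS 1.2 server's
warning unrecognized_name(112) would tear down a working connection.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class AlertLevel(IntEnum):
    WARNING = 1
    FATAL = 2


# Alert descriptions used below; values are the registered code points.
CLOSE_NOTIFY = 0
HANDSHAKE_FAILURE = 40
USER_CANCELED = 90
UNRECOGNIZED_NAME = 112

# The only alerts a TLS 1.3 endpoint does not treat as errors (RFC 8446, 6.1).
TLS13_CLOSURE_ALERTS = {CLOSE_NOTIFY, USER_CANCELED}

TLS12 = (3, 3)
TLS13 = (3, 4)


@dataclass(frozen=True)
class Alert:
    level: int
    description: int


def parse_alert(payload: bytes) -> Alert:
    """Parse the 2-byte body of an Alert record: AlertLevel, AlertDescription."""
    if len(payload) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    return Alert(level=payload[0], description=payload[1])


def classify_alert(alert: Alert, peer_version: Optional[Tuple[int, int]]) -> str:
    """Decide what the client does with a received alert.

    peer_version is the protocol version the server committed to in its
    ServerHello, or None if no ServerHello has been seen yet.  Returns one of
    "closed" (orderly closure), "error" (abort the connection) or "continue"
    (tolerated warning).
    """
    if alert.description in TLS13_CLOSURE_ALERTS:
        return "closed"
    if peer_version is not None and peer_version >= TLS13:
        # TLS 1.3 rule: the level byte is ignored; every non-closure alert,
        # known or unknown, is an error.
        return "error"
    # Before ServerHello, or with a TLS 1.2-or-lower server: warning alerts
    # are tolerated.  This is exactly what keeps a TLS 1.2 server's warning
    # unrecognized_name(112) from killing the handshake.
    if alert.level == AlertLevel.WARNING:
        return "continue"
    return "error"


def run_constructed_trace():
    """Constructed alert bodies as a client might see them; not captured data."""
    trace = [
        (bytes([AlertLevel.WARNING, UNRECOGNIZED_NAME]), None),   # before ServerHello
        (bytes([AlertLevel.WARNING, UNRECOGNIZED_NAME]), TLS12),  # TLS 1.2 server
        (bytes([AlertLevel.WARNING, UNRECOGNIZED_NAME]), TLS13),  # TLS 1.3 server
        (bytes([AlertLevel.FATAL, HANDSHAKE_FAILURE]), None),
        (bytes([AlertLevel.WARNING, CLOSE_NOTIFY]), TLS13),
    ]
    return [classify_alert(parse_alert(body), ver) for body, ver in trace]


if __name__ == "__main__":
    for outcome in run_constructed_trace():
        print(outcome)
```

The version check is deliberately keyed on the server's ServerHello rather than on the client's own maximum version: until the server has chosen, the client has no basis for applying the stricter TLS 1.3 treatment, which is the "until they see that the server is doing TLS 1.3" condition in the message above.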