Re: [TLS] Deprecating alert levels
Eric Rescorla <ekr@rtfm.com> Wed, 19 October 2016 18:28 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DFD0129721 for <tls@ietfa.amsl.com>; Wed, 19 Oct 2016 11:28:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p2_PWZFXuP8D for <tls@ietfa.amsl.com>; Wed, 19 Oct 2016 11:28:45 -0700 (PDT)
Received: from mail-yb0-x230.google.com (mail-yb0-x230.google.com [IPv6:2607:f8b0:4002:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E52912975C for <tls@ietf.org>; Wed, 19 Oct 2016 11:28:45 -0700 (PDT)
Received: by mail-yb0-x230.google.com with SMTP id f97so7142698ybi.1 for <tls@ietf.org>; Wed, 19 Oct 2016 11:28:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=HI3qw6ap38ePs3Qywxww1OKqlkx2zycvBhRXmq25xTM=; b=EoxV4coBvv3JJJ7VbV9TaCD3d5EVt/NFlArfRp03il5hltUaxAW2YCAlHsB7av2fPw 6drMoPfXoLO5usPpduwJlhI0Aui3Hmn4kPdZ3s7Ux/jHpvLPo4i6YZ3D0i5Xt2wUDFKR XRnRY72dP34PHVIb2fUmuhYyu+63Nxt2c3hBwgvlrLBH2+iaEcipc4GxBMrmekZpbRpB 4np/y+QejVya2sRdxcnuCuQN67IpE3XExVBxe5qUP6bm7EsfWGKPXz7TpYkp0/9nXtod ONsKOFLgFXodK2TGQnO691J/x8F4sP8/lk0EGsSYvcWll9XVfIswd2oSLmGL9Z1Rcsk+ YHiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=HI3qw6ap38ePs3Qywxww1OKqlkx2zycvBhRXmq25xTM=; b=gRDgL088d16NFW1TqyaiboRP33Idf2IynZ2Xget/KCxLSzwMDgp4mjv7mSgARXg7nk L5XnmAyJHiXnJVVXZ/rZHdmUMlhj/lNaX2X/LJCXkb36ncgMhWP6vEx2EsvOMQWt5L0z yR4HCb6p/Bexlo6wWWfNoxJdcDDIdzDjQJN+Op8eU+LNCYYnoxzRw1uEdQWC0TJOsCLO TfVqS0R5m4SQGYCDZjJXOqMtLBsl39lF0+cmasDqfWHsePn+o5l3U3Lf55q+jzrjuwOq v68bAhOVvpjY/4LmsVd5lsMJ0V25bdQzSW7z1jIKK+7ougBCINeVZPW0HduU/2q17Buq Fg+Q==
X-Gm-Message-State: AA6/9Rl/gsT9sUmC/Rz3B2sj3PbN/kFbW6kKyfO83OcCCpSHCy8MECEzu3ED+loE0cqxuhNlSDRT7byk8PZf+w==
X-Received: by 10.37.28.8 with SMTP id c8mr7713506ybc.64.1476901724648; Wed, 19 Oct 2016 11:28:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.212 with HTTP; Wed, 19 Oct 2016 11:28:04 -0700 (PDT)
In-Reply-To: <CAOgPGoAu0AKzf46UpWUSxd3hfFc977Ea9HK0OP77Qwu3aCi69w@mail.gmail.com>
References: <MWHPR15MB11829BF852A21F2E9C2B99B6AFD00@MWHPR15MB1182.namprd15.prod.outlook.com> <20161019155845.D13E21A564@ld9781.wdf.sap.corp> <CAOgPGoAu0AKzf46UpWUSxd3hfFc977Ea9HK0OP77Qwu3aCi69w@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 19 Oct 2016 11:28:04 -0700
Message-ID: <CABcZeBPqaSUYKQFzrQ8u0JVTjmdPbTbfWNSOhMu2pQZ2OayG5Q@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Content-Type: multipart/alternative; boundary="001a11426116aad39c053f3bfa62"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XmVv4pSId9_nJo5-7kqwwDbLJNQ>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecating alert levels
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 18:28:47 -0000
On Wed, Oct 19, 2016 at 11:24 AM, Joseph Salowey <joe@salowey.net> wrote: > It does not look like we have sufficient consensus to adopt this PR. > While there is some support for simplifying alerts by removing the alert > level, the current discussion raises some issues about the general > approach. > > 1. Is it appropriate for all unknown alerts to be treated as fatal? (the > current draft already states this) > I thought we had pretty strong consensus on this. I'd be sad to take it back. 2. Are there cases, such as unrecognized name. where it is useful to > indicate that an alert is not fatal? If so how should this case be handled? > I think this alert was a mistake :) -Ekr > > Cheers, > > J&S > > On Wed, Oct 19, 2016 at 8:58 AM, Martin Rex <mrex@sap.com> wrote: > >> Kyle Nekritz wrote: >> > >> >> This list is already missing the warning-level "unrecognized_name" >> alert, >> >> and such a change would imply that all new/unrecognized alerts are >> going >> >> to be treated as fatal forever (i.e. that no new warning-level alerts >> >> can ever be defined). >> > >> > That alert is currently defined as a fatal alert (see section 6.2 in the >> > current draft). RFC 6066 also states "It is NOT RECOMMENDED to send a >> > warning-level unrecognized_name(112) alert, because the client's >> behavior >> > in response to warning-level alerts is unpredictable.", which I think >> > illustrates the problem. Allowing new non-fatal alerts to be added later >> > would require that existing clients ignore unknown warning alerts, >> > which I think is somewhat dangerous. >> >> It seems that rfc6066 is not clear enough in explaining the issue >> about the situation with the two WELL-DEFINED (but poorly implemented) >> variants of the TLS alerts >> >> (1) unrecognized_name(112) level WARNING >> (2) unrecognized_name(112) level FATAL >> >> See the *ORIGINAL* specification which created *BOTH* of these alert >> variants: >> >> https://tools.ietf.org/html/rfc3546#page-10 >> >> >> If the server understood the client hello extension but does not >> recognize the server name, it SHOULD send an "unrecognized_name" >> alert (which MAY be fatal). >> >> >> -Martin >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Deprecating alert levels Kyle Nekritz
- Re: [TLS] Deprecating alert levels Martin Thomson
- Re: [TLS] Deprecating alert levels Eric Rescorla
- Re: [TLS] Deprecating alert levels Hubert Kario
- Re: [TLS] Deprecating alert levels Benjamin Kaduk
- Re: [TLS] Deprecating alert levels Hubert Kario
- Re: [TLS] Deprecating alert levels Eric Rescorla
- Re: [TLS] Deprecating alert levels Martin Rex
- Re: [TLS] Deprecating alert levels Dave Garrett
- Re: [TLS] Deprecating alert levels Kyle Nekritz
- Re: [TLS] Deprecating alert levels David Benjamin
- Re: [TLS] Deprecating alert levels Hubert Kario
- Re: [TLS] Deprecating alert levels Hubert Kario
- Re: [TLS] Deprecating alert levels Martin Rex
- Re: [TLS] Deprecating alert levels Joseph Salowey
- Re: [TLS] Deprecating alert levels Eric Rescorla
- Re: [TLS] Deprecating alert levels Martin Thomson
- Re: [TLS] Deprecating alert levels Martin Thomson
- Re: [TLS] Deprecating alert levels Kyle Nekritz
- Re: [TLS] Deprecating alert levels Olivier Levillain