Re: [TLS] PR#625: Change alert requirements

Benjamin Kaduk <bkaduk@akamai.com> Fri, 09 September 2016 23:13 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BC1812B041 for <tls@ietfa.amsl.com>; Fri, 9 Sep 2016 16:13:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.208
X-Spam-Level:
X-Spam-Status: No, score=-4.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gIUdOWx_cS_z for <tls@ietfa.amsl.com>; Fri, 9 Sep 2016 16:13:05 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id 9F49C12B028 for <tls@ietf.org>; Fri, 9 Sep 2016 16:13:05 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id F257843341F; Fri, 9 Sep 2016 23:13:04 +0000 (GMT)
Received: from prod-mail-relay11.akamai.com (prod-mail-relay11.akamai.com [172.27.118.250]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id DC70C433416; Fri, 9 Sep 2016 23:13:04 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1473462784; bh=FogtNBeD0JgWP/KUGS66CEN8dCPsOtzZg6Yx6jDjGC8=; l=6015; h=To:References:From:Date:In-Reply-To:From; b=OjPJnhj0RGJzLmNaYPOLlWGzbGTjnZLh41EvHUAh/WLnwlqOP/zTY2vWM39w2jqqj FC90ibTJxQKpkauoHBmfwJfrW6eEu617DyvOH2w7p0arLtKRzTTb4o3q7h5maXTjb0 v2+cOyxiLG4qZzhvuyQZcqdHRRc3DqCzKxULBhWY=
Received: from [172.19.0.25] (bos-lpczi.kendall.corp.akamai.com [172.19.0.25]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id A01151FC88; Fri, 9 Sep 2016 23:13:04 +0000 (GMT)
To: Sean Turner <sean@sn3rd.com>, "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBMeLgqjvr2cjWL=AHTQJbS9siNBB6U2=0654yigbBGkYA@mail.gmail.com> <6EA2A272-FB9F-4E0A-A35E-680E531DD757@sn3rd.com>
From: Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <b881914a-21ab-afb2-080b-4492b0b9227d@akamai.com>
Date: Fri, 9 Sep 2016 18:13:04 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <6EA2A272-FB9F-4E0A-A35E-680E531DD757@sn3rd.com>
Content-Type: multipart/alternative; boundary="------------CF53ADC30CD298CE8A48560C"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ln_m6ndqM_4gIHuTqrmX9RM0EPQ>
Subject: Re: [TLS] PR#625: Change alert requirements
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2016 23:13:07 -0000

I'm happy to make all alerts fatal.

I also like the state in the pull requests where some cases require that
if an alert is sent, it is a specific alert, while leaving flexibility
in other cases (and preventing us from having to exhaustively enumerate
all possible causes for alerts).

It would also be nice to standardize on using "terminate" for
post-handshake issues and "abort" for during the handshake (or, really,
any concrete split).  It looks like the intent of the pull request is to
make that distinction, but I wasn't really reading with a keen eye and
checking all cases for it.

-Ben

On 09/06/2016 04:33 PM, Sean Turner wrote:
> All,
>
> The chairs would like to get some eyes on this PR by this Friday (Sept 9th) so that we can draw it to close.
>
> Thanks,
>
> J&S
>
>> On Sep 05, 2016, at 14:02, Eric Rescorla <ekr@rtfm.com>; wrote:
>>
>> PR: https://github.com/tlswg/tls13-spec/pull/625
>>
>> Currently the TLS spec requires implementations to send alerts under various
>> fatal conditions. However, many stacks actually don't send alerts but instead
>> just terminate the connection. Several people have argued that we should relax
>> the requirement.
>>
>> At the September 2015 interim there was consensus to instead encourage
>> sending alerts and require that if you send an alert, you send a specific one.
>> I've finally gotten around to producing a PR that does this (link above). This
>> PR:
>>
>> - Harmonizes all the language around alert sending (though perhaps I missed
>>   a couple of places)
>> - Tries to make which alerts to send clearer in the alert descriptions to avoid
>>   having to specify individually how to handle every decision.
>> - Relaxes the requirement as listed above.
>>
>> Note that these are to some extent orthogonal changes; even if we decide to
>> continue mandating sending alerts, that should be listed in one location not
>> scattered around the spec.
>>
>> I know that there wasn't universal consensus on relaxing the requirement to
>> send, so I'll await WG discussion and the chairs decision on how to handle this PR. 
>>
>> -Ekr
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls