On Wed, Oct 19, 2016 at 11:24 AM, Joseph Salowey <j...@salowey.net> wrote:
> It does not look like we have sufficient consensus to adopt this PR.
> While there is some support for simplifying alerts by removing the alert
> level, the current discussion raises some issues about the general
> approach.
>
> 1. Is it appropriate for all unknown alerts to be treated as fatal? (the
> current draft already states this)
>

I thought we had pretty strong consensus on this. I'd be sad to take it back.

> 2. Are there cases, such as unrecognized name, where it is useful to
> indicate that an alert is not fatal? If so how should this case be handled?
>

I think this alert was a mistake :)

-Ekr

>
> Cheers,
>
> J&S
>
> On Wed, Oct 19, 2016 at 8:58 AM, Martin Rex <m...@sap.com> wrote:
>
>> Kyle Nekritz wrote:
>> >
>> >> This list is already missing the warning-level "unrecognized_name" alert,
>> >> and such a change would imply that all new/unrecognized alerts are going
>> >> to be treated as fatal forever (i.e. that no new warning-level alerts
>> >> can ever be defined).
>> >
>> > That alert is currently defined as a fatal alert (see section 6.2 in the
>> > current draft). RFC 6066 also states "It is NOT RECOMMENDED to send a
>> > warning-level unrecognized_name(112) alert, because the client's behavior
>> > in response to warning-level alerts is unpredictable.", which I think
>> > illustrates the problem. Allowing new non-fatal alerts to be added later
>> > would require that existing clients ignore unknown warning alerts,
>> > which I think is somewhat dangerous.
>>
>> It seems that rfc6066 is not clear enough in explaining the issue
>> about the situation with the two WELL-DEFINED (but poorly implemented)
>> variants of the TLS alerts
>>
>> (1) unrecognized_name(112) level WARNING
>> (2) unrecognized_name(112) level FATAL
>>
>> See the *ORIGINAL* specification which created *BOTH* of these alert
>> variants:
>>
>> https://tools.ietf.org/html/rfc3546#page-10
>>
>> If the server understood the client hello extension but does not
>> recognize the server name, it SHOULD send an "unrecognized_name"
>> alert (which MAY be fatal).
>>
>> -Martin
>>
>
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
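The two receiver policies the thread contrasts, as an added example that is not part of the mailing-list discussion or any TLS implementation: a client-side classifier for a plaintext TLS Alert record, applying first the rule the draft proposed (and RFC 8446 later fixed: every alert other than close_notify and user_canceled is an error regardless of its level, unknown ones included) and then the TLS 1.2/RFC 6066-era rule under which a warning-level unrecognized_name(112) is merely a warning. The sample record bytes are constructed here.

```python
import struct

# TLS record-layer and Alert constants (RFC 5246 / RFC 8446 values).
ALERT_CONTENT_TYPE = 21
WARNING, FATAL = 1, 2
CLOSE_NOTIFY, USER_CANCELED, UNRECOGNIZED_NAME = 0, 90, 112


def parse_alert_record(record: bytes) -> tuple[int, int]:
    """Parse an unencrypted Alert record: type(1) version(2) length(2) level(1) description(1).

    Only the plaintext form is handled (in TLS 1.3 post-handshake alerts are encrypted).
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        raise ValueError(f"not an Alert record (content type {ctype})")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert fragment must be exactly 2 bytes")
    level, description = record[5], record[6]
    if level not in (WARNING, FATAL):
        raise ValueError(f"illegal AlertLevel {level}")
    return level, description


def classify_tls13(record: bytes) -> str:
    """Draft/RFC 8446 rule: the level byte is ignored; close_notify and
    user_canceled are closure alerts, everything else (known or unknown) is an error."""
    _level, description = parse_alert_record(record)
    if description in (CLOSE_NOTIFY, USER_CANCELED):
        return "closure"
    return "error"


def classify_legacy(record: bytes) -> str:
    """TLS 1.2 / RFC 6066-era rule: only fatal alerts end the connection, so a
    warning-level unrecognized_name (or an unknown warning) is left to the client,
    which is the unpredictable behaviour the quoted RFC 6066 text warns about."""
    level, description = parse_alert_record(record)
    if description == CLOSE_NOTIFY:
        return "closure"
    if level == FATAL:
        return "error"
    return "warning"  # client behaviour here is implementation-defined


# Constructed sample: TLS 1.2 record carrying warning-level unrecognized_name(112).
WARNING_UNRECOGNIZED_NAME = bytes.fromhex("1503030002" "0170")
```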