On 10 May 2017 at 21:51, Martin Thomson <[email protected]> wrote:
> On 11 May 2017 at 01:21, Matt Caswell <[email protected]> wrote:
>> Do we really need all of these alerts?
>
> NSS uses these, but in ways that I don't really understand. I think
> that this is part of the general issue that TLS does and doesn't
> really include requirements about how to handle the certificate chain.
OpenSSL is quite inconsistent in its use of alerts. That's how this issue came up for me - I was reviewing what the spec said about alerts and comparing it to the OpenSSL implementation (checking we failed everywhere we are supposed to fail, and with the correct alert).

OpenSSL is currently using the more specific alerts for certificate failures, although this is in contradiction to what it says in the "Server Certificate Selection" section.

If the view is that the more specific alerts are helpful, then I'd suggest amending the wording in the "Server Certificate Selection" section to remove the bit about the "unsupported_certificate" alert and (possibly) replace with a reference to the set of alerts that might be sent instead.

Alternatively, if the more specific alerts are not helpful, then perhaps we should prune down the list in section 6 to a much smaller list.

Matt

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
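The kind of check Matt describes (fail everywhere the spec requires, and with the correct alert) can be scripted against the alert records a peer actually sends. The following is an added example written for this thread; it is not OpenSSL code and not text from the draft. It decodes a plaintext TLS alert record and reports whether the alert sent for a given certificate-verification failure was the specific alert, the generic `unsupported_certificate` alert that the "Server Certificate Selection" text names, some other certificate alert, or something unrelated. The AlertDescription numbers are the registered TLS values as published in RFC 8446 section 6; the `EXPECTED_ALERT` mapping from failure class to specific alert and the sample observations are this example's own assumptions, not anything the thread states.

```python
"""Decode TLS alert records and check which alert a peer sent for a given
certificate-verification failure.

Added example for this thread, not code from OpenSSL or from the TLS 1.3
draft. AlertDescription values are the registered TLS values (RFC 8446,
section 6); EXPECTED_ALERT is this example's own assumption about which
specific alert corresponds to which verification failure.
"""
import struct

CONTENT_TYPE_ALERT = 21
LEVEL_WARNING, LEVEL_FATAL = 1, 2

ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    113: "bad_certificate_status_response", 116: "certificate_required",
}

# The certificate-related alerts from the alert list.
CERTIFICATE_ALERTS = {
    "bad_certificate", "unsupported_certificate", "certificate_revoked",
    "certificate_expired", "certificate_unknown", "unknown_ca",
    "bad_certificate_status_response", "certificate_required",
}

# Assumed mapping: verification failure class -> the specific alert for it.
EXPECTED_ALERT = {
    "expired": "certificate_expired",
    "revoked": "certificate_revoked",
    "unknown_ca": "unknown_ca",
    "bad_signature": "bad_certificate",
    "unsupported_type": "unsupported_certificate",
    "no_client_cert": "certificate_required",
}


def build_alert(level: int, description: int, version: int = 0x0303) -> bytes:
    """Construct a plaintext TLS alert record (used for the constructed samples)."""
    return struct.pack("!BHHBB", CONTENT_TYPE_ALERT, version, 2, level, description)


def parse_alert_record(record: bytes) -> tuple:
    """Parse one plaintext alert record; returns (level, description name)."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly two bytes")
    level, desc = body[0], body[1]
    return level, ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")


def classify_alert(failure_class: str, record: bytes) -> str:
    """Say how the alert in `record` relates to the verification failure."""
    level, name = parse_alert_record(record)
    if level != LEVEL_FATAL:
        return "not_fatal"  # certificate failures must abort the handshake
    if name == EXPECTED_ALERT[failure_class]:
        return "specific"
    if name == "unsupported_certificate":
        return "generic_unsupported_certificate"
    if name in CERTIFICATE_ALERTS:
        return "other_certificate_alert"
    return "non_certificate_alert"


def audit(observations) -> list:
    """Return (failure_class, alert_name, verdict) for every observation that
    did not produce the specific fatal alert."""
    findings = []
    for failure_class, record in observations:
        verdict = classify_alert(failure_class, record)
        if verdict != "specific":
            findings.append((failure_class, parse_alert_record(record)[1], verdict))
    return findings


# Constructed sample: what a checker might have logged from several test handshakes.
SAMPLE_OBSERVATIONS = [
    ("expired", build_alert(LEVEL_FATAL, 45)),
    ("revoked", build_alert(LEVEL_FATAL, 43)),
    ("unknown_ca", build_alert(LEVEL_FATAL, 46)),
    ("bad_signature", build_alert(LEVEL_FATAL, 40)),
    ("no_client_cert", build_alert(LEVEL_WARNING, 116)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_OBSERVATIONS):
        print(finding)
```

Feeding `audit` records captured from a real implementation under each failure class gives exactly the inconsistency list the thread is about: which failures produce the specific alert and which fall back to `unsupported_certificate` or to an unrelated alert such as `handshake_failure`.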
