It's not clear to me that there is consensus that more granular error codes are a good idea. I'll defer to the chairs on the process question.
-Ekr On Thu, Jul 23, 2015 at 3:39 AM, Dave Garrett <davemgarr...@gmail.com> wrote: > Hubert Kairo found quite a few more spots in need of explicit error > designations, which have been amended into PR #201. > https://github.com/tlswg/tls13-spec/pull/201 > > I just noticed one error in the current draft text that was wrong and > added a fix for that as well. The Server Hello section said that lack of > acceptable group would result in an "insufficient_security" error, which is > incorrect. That error is clearly defined to be for lack of acceptable > cipher suite. The Negotiated Groups section says lack of acceptable group > is a “handshake_failure” error. I changed the text to state the error for > suites, as the other is already noted elsewhere. (this change is now in PR > #201) This brings up a problem, however: there is no distinct error for > lack of group support. The “handshake_failure” is a bit of a catchall, so > there's no way for a client to really know what's wrong if this happens. > This is also why I don't want to change the definition of the > "insufficient_security" error. Clients rely on these being relatively > precise in order to show error messages that are hopefully meaningful > enough to get them fixed. As such, I'd like to propose adding a new error > just for this and renaming the old one to focus precisely on its long > defined meaning. While we're at it, a failure of client authentication > doesn't have its own error alert code either. > > enum { > handshake_failure(40), > unsupported_cipher_suites(71), /* formerly insufficient_security */ > unsupported_dh_groups(72), /* new */ > client_authentication_failure(73), /* new */ > (255) > } AlertDescription; > > Pretty straightforward. Are there any other errors that can't be clearly > identified by the returned code? Debugging shouldn't be guesswork. ;) > > > Dave > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
