Rather than renaming and otherwise modifying the meaning of the existing alerts, would it be better to define new, more granular alerts in 1.3? We can’t ascribe new meanings to alerts generated by the code we’ve shipped in the past.

From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Eric Rescorla
Sent: Friday, July 24, 2015 1:32 AM
To: Dave Garrett
Cc: tls@ietf.org
Subject: Re: [TLS] new error alerts?

It's not clear to me that there is consensus that more granular error codes are a good idea.

I'll defer to the chairs on the process question.

-Ekr

On Thu, Jul 23, 2015 at 3:39 AM, Dave Garrett <davemgarr...@gmail.com> wrote:

Hubert Kairo found quite a few more spots in need of explicit error designations, which have been amended into PR #201.

https://github.com/tlswg/tls13-spec/pull/201

I just noticed one error in the current draft text that was wrong and added a fix for that as well. The Server Hello section said that lack of acceptable group would result in an "insufficient_security" error, which is incorrect. That error is clearly defined to be for lack of acceptable cipher suite. The Negotiated Groups section says lack of acceptable group is a “handshake_failure” error. I changed the text to state the error for suites, as the other is already noted elsewhere. (this change is now in PR #201)

This brings up a problem, however: there is no distinct error for lack of group support. The “handshake_failure” is a bit of a catchall, so there's no way for a client to really know what's wrong if this happens. This is also why I don't want to change the definition of the "insufficient_security" error. Clients rely on these being relatively precise in order to show error messages that are hopefully meaningful enough to get them fixed. As such, I'd like to propose adding a new error just for this and renaming the old one to focus precisely on its long defined meaning. While we're at it, a failure of client authentication doesn't have its own error alert code either.

    enum {
        handshake_failure(40),
        unsupported_cipher_suites(71),      /* formerly insufficient_security */
        unsupported_dh_groups(72),          /* new */
        client_authentication_failure(73),  /* new */
        (255)
    } AlertDescription;

Pretty straightforward. Are there any other errors that can't be clearly identified by the returned code? Debugging shouldn't be guesswork. ;)

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
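
Added example, not part of the thread or of the TLS draft: a receiver-side view of the ambiguity discussed above, listing which failure causes remain indistinguishable for a given alert code under the draft's current mapping and under the enum proposed in the thread. The cause labels and function names are made up for this example, codes 72 and 73 are only the values proposed in the thread, and the sample records are constructed.

```python
import struct

# Failure cause -> alert code a sender emits, as described in the thread.
# 40 and 71 are the existing wire values; 72 and 73 are only the values
# proposed in the thread. Cause names are labels made up for this example.
CURRENT_DRAFT = {
    "no_acceptable_cipher_suite": 71,   # insufficient_security
    "no_acceptable_group": 40,          # handshake_failure
    "other_handshake_failure": 40,      # handshake_failure (catch-all)
}
PROPOSED = {
    "no_acceptable_cipher_suite": 71,   # unsupported_cipher_suites (renamed)
    "no_acceptable_group": 72,          # unsupported_dh_groups
    "client_authentication_failure": 73,
    "other_handshake_failure": 40,
}

ALERT_CONTENT_TYPE = 21  # TLS record content type for alerts


def parse_alert(record: bytes):
    """Parse a plaintext alert record: type(1) version(2) length(2) level(1) description(1)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        raise ValueError("not an alert record")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    return version, body[0], body[1]  # version, level, description


def possible_causes(record: bytes, sender_map: dict):
    """Causes the receiver cannot tell apart, given only the alert code."""
    _, _, description = parse_alert(record)
    return sorted(c for c, code in sender_map.items() if code == description)


def alert(description: int) -> bytes:
    """Constructed sample: fatal (level 2) alert in a record with version 0x0303."""
    return struct.pack("!BHHBB", ALERT_CONTENT_TYPE, 0x0303, 2, 2, description)


if __name__ == "__main__":
    for name, table in (("current", CURRENT_DRAFT), ("proposed", PROPOSED)):
        for code in sorted(set(table.values())):
            print(name, code, possible_causes(alert(code), table))
```

Code 71 maps to the same single cause in both tables because the proposal renames it without changing the wire value; a receiver that meets 72 or 73 with only the current table finds no matching cause.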