On Thursday, July 23, 2015 10:52:59 pm Andrei Popov wrote: > Rather than renaming and otherwise modifying the meaning of the existing > alerts, would it be better to define new, more granular alerts in 1.3? We > can’t ascribe new meanings to alerts generated by the code we’ve shipped in > the past.
I'm not proposing changing the meaning of existing alerts. At most, the Negotiated FF-DH draft would need to be updated/fixed. I'm proposing renaming "insufficient_security" to "unsupported_cipher_suites", which is explicitly what it's been for since TLS 1.0. There isn't a specific error defined for lack of a supported group yet. RFC 4492 just says "fatal handshake failure alert". The Negotiated FF-DH draft has "insufficient_security" for unsupported group. _That_ does change the meaning, as previously it was explicitly defined for cipher issues only. What I want is to add a new "unsupported_groups" alert to use instead. (both here and there) The "client_authentication_failure" alert suggestion is to pull that out of the "handshake_failure" catchall. I just want to clarify the existing alert, not reuse it for a related but distinctly different alert, and not lump stuff into a catchall that we can't debug. ;) Dave _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
