On Sat, 12 Sep 2015 13:49:49 -0700 Eric Rescorla <e...@rtfm.com> wrote:
> Issue: https://github.com/tlswg/tls13-spec/issues/242
>
> In https://github.com/tlswg/tls13-spec/pull/231, Brian Smith argues:
>
> "Nobody must ever be *required* to send an alert. Any requirement for
> sending an alert should be SHOULD, at most."

Just a quick thought on this:
We had vulns in the distant past that relied on different reactions to different errors (Vaudenay / Padding Oracle attack). The Vaudenay attack is history because we agreed long that CBC/HMAC with MAC-then-Encrypt will be gone.

But I think making the error alert optional may lead to similar attacks. An implementation may decide to send an error alert in one situation and no error in another. This may leak information valuable to an attacker.

I generally think having a more strict spec with less wiggle room is better.

Therefore: I think a MUST is better.

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
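Added example, not part of the original message: a small Python conformance check for the concern raised above, that a receiver which alerts on one kind of record failure and stays silent on another reacts observably differently to each. The record layout, key, handler names and outcome strings are constructed for illustration and are not TLS wire formats.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"      # constructed sample key
MAC_LEN = 32                       # HMAC-SHA256 output size
OK, ALERT, SILENT = "ok", "alert:bad_record_mac", "close:no_alert"

def build_record(data: bytes, pad_len: int) -> bytes:
    """Toy MAC-then-pad layout: data || HMAC(data) || (pad_len + 1) bytes of pad_len."""
    mac = hmac.new(KEY, data, hashlib.sha256).digest()
    return data + mac + bytes([pad_len]) * (pad_len + 1)

def parse(record: bytes):
    """Return (padding_ok, mac_ok) for an already-decrypted record."""
    if len(record) < MAC_LEN + 1:
        return False, False
    pad_len = record[-1]
    pad = bytes([pad_len]) * (pad_len + 1)
    padding_ok = len(pad) + MAC_LEN <= len(record) and record.endswith(pad)
    body = record[:-len(pad)] if padding_ok else record
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(KEY, data, hashlib.sha256).digest()
    return padding_ok, hmac.compare_digest(mac, expected)

def handler_optional_alerts(record: bytes) -> str:
    """Alerts are optional: this implementation drops silently on bad padding."""
    padding_ok, mac_ok = parse(record)
    if not padding_ok:
        return SILENT
    return OK if mac_ok else ALERT

def handler_mandatory_alert(record: bytes) -> str:
    """Alerts are mandatory: every failure produces the same alert."""
    padding_ok, mac_ok = parse(record)
    return OK if (padding_ok and mac_ok) else ALERT

def failure_outcomes(handler, records) -> set:
    """Distinct observable reactions to failing records; more than one is a leak."""
    return {handler(r) for r in records} - {OK}

# Constructed samples: one valid record, one with a damaged padding byte,
# one with valid padding but a damaged data byte (so only the MAC fails).
GOOD = build_record(b"hello", 3)
BAD_PADDING = GOOD[:-2] + bytes([GOOD[-2] ^ 1]) + GOOD[-1:]
BAD_MAC = bytes([GOOD[0] ^ 1]) + GOOD[1:]
SAMPLES = [GOOD, BAD_PADDING, BAD_MAC]

if __name__ == "__main__":
    for h in (handler_optional_alerts, handler_mandatory_alert):
        print(h.__name__, sorted(failure_outcomes(h, SAMPLES)))
```

The check covers only the visible response; timing differences between the two failure paths are a separate channel it does not measure.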