Re: [TLS] Issue 16: Alert clarifications

To: Nelson B Bolyard <nelson at bolyard.com>
Subject: Re: [TLS] Issue 16: Alert clarifications
From: Bodo Moeller <bmoeller at acm.org>
Date: Fri, 8 Jun 2007 10:35:14 +0200
Cc: tls at ietf.org
In-reply-to: <4668CDF7.9030600@bolyard.com>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <20070603145730.4507B33C4B@delta.rtfm.com> <B356D8F434D20B40A8CEDAEC305A1F2404395329@esebe105.NOE.Nokia.com> <20070607132918.4459D33C58@delta.rtfm.com> <4668CDF7.9030600@bolyard.com>
User-agent: Mutt/1.5.9i

On Thu, Jun 07, 2007 at 08:33:11PM -0700, Nelson B Bolyard wrote:
> Eric Rescorla wrote:
>> <Pasi.Eronen at nokia.com> wrote:
>>> Eric Rescorla wrote:

>>>> - Add a warning that some implementations tear down the connection
>>>>   for any alert so warning alerts are dangerous. New implementations
>>>>   SHOULD not tear down the connection for warning alerts.

>>> Why not simply "MUST NOT tear down"? (this requirement would apply 
>>> only when TLS 1.2 is negotiated, so what some implementations did
>>> with 1.0 or 1.1 doesn't matter)

>> Works for me.

> Umm. Some warning alerts exist to give the recipient a choice to tear
> down or not.  E.g. no_renegotiation.  RFC 2246 says:
> 
>    no_renegotiation
>        Sent by the client in response to a hello request or by the
>        server in response to a client hello after initial handshaking.
>        Either of these would normally lead to renegotiation; when that
>        is not appropriate, the recipient should respond with this alert;
>        at that point, the original requester can decide whether to
>        proceed with the connection. One case where this would be
>        appropriate would be where a server has spawned a process to
>        satisfy a request; the process might receive security parameters
>        (key length, authentication, etc.) at startup and it might be
>        difficult to communicate changes to these parameters after that
>        point. This message is always a warning.

Good point.  This means that neither "SHOULD NOT" nor "MUST NOT" works
for everything.  However, I think a party should not silently tear
down the connection after receiving a no_renegotiation alert that it
does not like -- instead, it should send a fatal alert first.

How about the following?

   If an alert with a level of warning is sent and received, generally
   the connection can continue normally.  If the receiving party
   decides not to proceed with the connection (e.g., after having
   received a no_renegotiation alert that it is not willing to
   accept), it MUST send a fatal alert to terminate the connection.


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Issue 16: Alert clarifications
  - From: Nelson B Bolyard

References:
- [TLS] Issue 16: Alert clarifications
  - From: Eric Rescorla
- RE: [TLS] Issue 16: Alert clarifications
  - From: Pasi.Eronen
- Re: [TLS] Issue 16: Alert clarifications
  - From: Eric Rescorla
- Re: [TLS] Issue 16: Alert clarifications
  - From: Nelson B Bolyard

Prev by Date: Re: [TLS] Review feedback on draft-rescorla-tls-suiteb-01.txt
Next by Date: Re: [TLS] Issue #12: RSA/DSA/DH timing attacks
Previous by thread: Re: [TLS] Issue 16: Alert clarifications
Next by thread: Re: [TLS] Issue 16: Alert clarifications
Index(es):
- Date
- Thread

Re: [TLS] Issue 16: Alert clarifications

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.