Re: [TLS] Issue 16: Alert clarifications



On Tue, Jun 12, 2007 at 02:15:51AM +0200, Martin Rex wrote:

>> Of course, I totally agree that it makes sense to require fatal alerts
>> before the connection is torn down (except in the close_notify case,
>> obviously), and that it makes a lot of sense for implementations of
>> the current specs to behave like this.  I just don't agree that the
>> current specifications already require implementations to do this.

> I firmly believe that the SSLv3 spec required it, but a spec weasel
> might try to argue that the TLSv1.0 and later specs have failed to add
> the proper rfc-2119 terminology to various places of the SSLv3 protocol
> description and therefore relaxed the original SSLv3 requirements.

This has nothing to do with RFC 2119 terminology.  RFC 2246 and later
make specific statements regarding what the sender and receiver of an
alert should do; this is where the RFC could have codified, in
whatever form, this aspect of the distinction between fatal alerts and
warning alerts.  It quite clearly doesn't say what we think it should
be saying.

(The SSL 3.0 specification is different mostly in that it doesn't
discuss this issue in that much detail, thus leaving more space for
common sense.)

Bodo



_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls



