Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension
Note: This ballot was opened for revision 04 and is now closed.
(Jari Arkko) (was Discuss) Yes
(David Harrington) Yes
(Sean Turner) Yes
(Ron Bonica) No Objection
(Stewart Bryant) No Objection
Comment (2011-11-03 for -)
I agree with Adrian's concerns WRT guidance on message frequency and timeout.
(Gonzalo Camarillo) No Objection
(Ralph Droms) No Objection
(Wesley Eddy) No Objection
Comment (2011-11-02 for -)
Stephen's DISCUSS seems very important to consider; though I'm no expert in this area, I support Stephen's DISCUSS.
(Adrian Farrel) (was Discuss) No Objection
Section 4: "When a HeartbeatRequest message is received, a corresponding HeartbeatResponse message MUST be sent carrying an exact copy of the payload of the HeartbeatRequest." I know what you mean, but several places in the text contradict this by giving cases when a response is not to be sent.

---

I wonder why section 5.2 doesn't discuss the question of whether it is necessary to have both ends transmitting heartbeats, or good enough for just one to do it.
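As an added example that is not part of this ballot or of the draft's own text, here is a small Python model of the rule Adrian quotes: the request payload is echoed exactly (with fresh padding), while the cases in which no response is due (a payload_length larger than the received message allows, a request from a peer that was told peer_not_allowed_to_send, an incoming HeartbeatResponse) return None. The wire format and discard rules are taken from RFC 6520 as published; the constant and function names are my own.

```python
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16            # RFC 6520: padding_length MUST be at least 16
MAX_MESSAGE_LEN = 2 ** 14   # RFC 6520: total length MUST NOT exceed 2^14 bytes


def build_heartbeat(msg_type, payload, padding_len=MIN_PADDING):
    """Encode type(1) | payload_length(2, big-endian) | payload | random padding."""
    if padding_len < MIN_PADDING:
        raise ValueError("padding_length must be at least 16")
    if 3 + len(payload) + padding_len > MAX_MESSAGE_LEN:
        raise ValueError("HeartbeatMessage exceeds 2^14 bytes")
    return struct.pack("!BH", msg_type, len(payload)) + payload + os.urandom(padding_len)


def parse_heartbeat(msg):
    """Return (type, payload), or None if the message must be silently discarded."""
    if len(msg) < 3 + MIN_PADDING or len(msg) > MAX_MESSAGE_LEN:
        return None
    msg_type, payload_len = struct.unpack("!BH", msg[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The claimed payload_length must leave room for at least 16 bytes of padding
    # inside the bytes actually received; otherwise the message is discarded.
    if 3 + payload_len + MIN_PADDING > len(msg):
        return None
    return msg_type, msg[3:3 + payload_len]


def handle_heartbeat(msg, peer_allowed_to_send=True):
    """Return the HeartbeatResponse to send for msg, or None when no response is due.

    The payload is echoed exactly; the padding is freshly generated, not copied.
    No response is sent for a malformed or oversized message, for a request from a
    peer we told peer_not_allowed_to_send, or for an incoming HeartbeatResponse.
    """
    parsed = parse_heartbeat(msg)
    if parsed is None:
        return None
    msg_type, payload = parsed
    if msg_type != HEARTBEAT_REQUEST or not peer_allowed_to_send:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)
```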
(Stephen Farrell) (was Discuss) No Objection
(Russ Housley) No Objection
(Pete Resnick) No Objection
Comment (2011-10-31 for -)
Section 3 says, "If no corresponding HeartbeatResponse message has been received after some amount of time, the DTLS/TLS connection MAY be terminated by the user." Who is "the user" in this case? The reason I ask is that I'm afraid this sentence is going to cause some not-so-bright implementers to need instructions like we had to provide in draft-ietf-tcpm-persist, taking it to mean that only an end-user can terminate a DTLS/TLS connection. Do you mean "the application that initiated the HeartbeatRequest can terminate the connection"? Or that "the DTLS/TLS layer can terminate the connection"? A little more clarity here would minimize future stupidity.