IETF Logo Mail Archive

Re: [dane] NIST DANE Tester Announcement

Stephen Nightingale <night@nist.gov> Thu, 07 November 2013 15:17 UTC

Return-Path: <stephen.nightingale@nist.gov>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB63821E8293 for <dane@ietfa.amsl.com>; Thu, 7 Nov 2013 07:17:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.289
X-Spam-Level:
X-Spam-Status: No, score=-6.289 tagged_above=-999 required=5 tests=[AWL=0.310, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pnSPigzhaDYH for <dane@ietfa.amsl.com>; Thu, 7 Nov 2013 07:17:08 -0800 (PST)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 2D50021E829C for <dane@ietf.org>; Thu, 7 Nov 2013 07:17:03 -0800 (PST)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.3.158.1; Thu, 7 Nov 2013 10:16:41 -0500
Received: from postmark.nist.gov (129.6.16.94) by WSXGHUB1.xchange.nist.gov (129.6.18.96) with Microsoft SMTP Server (TLS) id 8.3.298.1; Thu, 7 Nov 2013 10:16:57 -0500
Received: from [127.0.0.1] (31-140.antd.nist.gov [129.6.140.31]) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id rA7FGg87004060 for <dane@ietf.org>; Thu, 7 Nov 2013 10:16:44 -0500
Message-ID: <527BAEC0.1030406@nist.gov>
Date: Thu, 07 Nov 2013 10:16:16 -0500
From: Stephen Nightingale <night@nist.gov>
Organization: NIST
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: dane@ietf.org
References: <527A753A.4040800@nist.gov> <527B820C.1000602@inventati.org>
In-Reply-To: <527B820C.1000602@inventati.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-NIST-MailScanner-Information:
Subject: Re: [dane] NIST DANE Tester Announcement
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: night@nist.gov
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2013 15:17:20 -0000

On 11/7/2013 7:05 AM, Bry8 Star wrote:

    >If you do not have domain owner's (TLSA "Usage" case 2's or 3's) 
TLS/SSL cert or cert-chain file,
    >then will not your test-result always fail for those TWO "Usage" 
cases ?

For usage 2, Yes. That's probably why Viktor and Wes wrote in section 
3.9.2 of their BCP document that TLSA RR 2 publishers must ensure their 
servers are configured to serve the trust anchor cert as part of a full 
cert chain, when TLS handshaking.  I'm thinking to add annotations to 
that effect in the test site.

Usage 3 specifically does not require PKIX validation, so the root cert 
non-availability is moot.
If DANE comes to be widely deployed and trusted, backed by effective 
DNSSEC, then it seems likely that Usage 3 will come to be the default 
mode of operation, as either 301 or 302, for brevity.

Perhaps I should repeat parts of the BCP in the respective test cases.

Stephen.

v2.23.0 | Report a Bug | By Email