Re: [dane] NIST DANE Tester Announcement
Bry8 Star <bry8star@inventati.org> Thu, 07 November 2013 12:33 UTC
Message-ID: <527B8924.3070004@inventati.org>
Date: Thu, 07 Nov 2013 04:35:48 -0800
From: Bry8 Star <bry8star@inventati.org>
To: dane@ietf.org
References: <527A753A.4040800@nist.gov> <527B820C.1000602@inventati.org>
In-Reply-To: <527B820C.1000602@inventati.org>
Users who will run the test should MAKE SURE to upload ONLY the PUBLIC certificate portion(s), or such certificate-chain portion (which DOES NOT INCLUDE ANY PRIVATE KEY portion), into such a textbox. They SHOULD NOT upload the exact cert file or cert-chain file which will be used in the real HTTPS server or other TLS-encrypted scheme/protocol based server, as such a file may have private keys.

With such an option (to copy-paste PUBLIC certificate codes), tests related to "Usage" cases 2 & 3 should succeed.

Or, can your test-system pull the "Usage" case 3's TLS cert out of the TLSA DNS record, if the domain-name has declared the FULL TLS cert code in TLSA? And then, can such a FULL SSL/TLS cert code be used for initiating an encrypted connection with the DANE-signed domain-name based TLS/HTTPS server/URL?

- Bright Star.

Received from Bry8 Star, on 2013-11-07 4:05 AM:
> Hi,
>
> Thanks.
>
> Will it be possible to add another textbox/input-field in this
> tester-site, for the DANE-signed domain-name that will be tested, to
> allow upload of a pem or crt or cer file which will be used with the
> HTTPS Web-Server, or with other scheme based server? Or a textbox
> to "paste" the cert or cert-chain code from such file. So that the
> test can show result info, by ruling out that a TLS/SSL cert or
> cert-chain used by the DANE-signed site was not present in the
> visitor's/client-side web-browser/OS.
>
> My understanding is, such will allow to really TEST the DANE/TLSA
> "Usage" 2 and 3 cases.
>
> If you do not have the domain owner's (TLSA "Usage" case 2's or 3's)
> TLS/SSL cert or cert-chain file, then will not your test-result
> always fail for those TWO "Usage" cases?
>
> - - - - -
>
> For users to test DANE+DNSSEC from their own location/computer,
> mentioned below is one (or two, in a long shot) option(s), out of
> a few other options:
>
> If a local full DNSSEC-supported DNS-Server or DNS-Resolver software
> is present (for more accurate tests) in the local computer or local
> (trusted) LAN, or in a (local) VM,
>
> then Mozilla Firefox, up to v24.0, (or other firefox/gecko/XUL-runner
> based web-browsers, like GNU IceCat, Iceweasel, etc.), can have
> partial DANE awareness by loading the "Extended DNSSEC Validator"
> ("EDV", a firefox addon/extension from os3sec.org). This addon helps
> to display info/icon related to DANE/TLSA "Usage" 2 & 3, but has no
> support for Usage 0 or 1 yet; this addon also has DNSSEC awareness
> and can display info related to DNSSEC authentications; it can also
> display info on SSL/TLS cert verification (and certificate chain
> verification), etc.
>
> But EDV v0.5 (mozilla), v0.6 (github) or v0.8 (github): none worked
> on Firefox v25.0 or later, last tested on Nov 5, 2013. Based on the EDV
> author's response, it seems he is not interested now in continuing
> development anymore.
>
> And the developer/dev-group of "DNSSEC-Validator" (another Firefox
> addon, from CZ.NIC) said on the mailing list that they will add support
> for DANE from next month. Currently it supports displaying only
> DNSSEC (except DANE) related info/icon.
>
> - Bright Star.
>
> Received from Stephen Nightingale, on 2013-11-06 8:58 AM:
>> For those DANEs who are in Vancouver, you can talk to Scott Rose or
>> Doug Montgomery about this. Doug will be at the informal DANE lunch
>> tomorrow.
>>
>> ========
>>
>> NIST has developed a test system for the RFC 6698 DANE protocol.
>> DANE seeks to verify PKIX certificate based Transport Layer Security
>> (RFC 5246 TLS) connections using the Domain Name System as secured
>> by DNSSEC.
>>
>> https://www.had-pilot.com/dane/danelaw.html
>>
>> The NIST DANE test system has three modes of operation:
>>
>> - Test your DANE enabled site:
>> Enter the URL of a site for which a DANE TLSA resource record is
>> provisioned. The system will negotiate the connection, verify with
>> DANE and get the web page - or provide failure diagnostics.
>>
>> - A reference test set to test your browser in response to all
>> possible DANE configurations.
>>
>> - If your browser is NOT DANE enabled, a reference test set to test
>> a DANE client's response to all possible configurations and return
>> the results to your browser.
>>
>> The site is up and available for testing - But it is still early
>> days and there may be occasional outages. Please be patient and/or
>> let us know.
>>
>> Stephen Nightingale, NIST
>> HAD Pilot Program
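As an added illustration (not code from this thread or from the NIST tester), here is a Python sketch of what a tester could do with a pasted PEM blob and a TLSA record as discussed above: keep only CERTIFICATE blocks and refuse any PRIVATE KEY block, check the presented chain against the record for usage 2 and 3 with selector 0 and matching types 0/1/2, and take the certificate straight out of a selector 0 / matching type 0 record. The certificate bytes are constructed stand-ins; selector 1 (SPKI) is left unhandled, and for usage 2 only the match of a CA in the presented chain is checked, not the PKIX path validation to that anchor that RFC 6698 also requires.

```python
import base64
import hashlib
import re

# Constructed stand-in certificate bytes, not real X.509 DER (matching treats DER as opaque).
LEAF_DER = b"constructed-leaf-certificate-der"
CA_DER = b"constructed-ca-certificate-der"

def pem_block(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# A paste as a user might submit it: the chain plus, by mistake, the private key.
PEM_PASTE = (pem_block("CERTIFICATE", LEAF_DER) + pem_block("CERTIFICATE", CA_DER)
             + pem_block("PRIVATE KEY", b"constructed-private-key-bytes"))

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def public_blocks(pem_text):
    """Return (DER certs, rejected labels): only CERTIFICATE blocks are kept."""
    certs, rejected = [], []
    for label, body in PEM_RE.findall(pem_text):
        if label == "CERTIFICATE":
            certs.append(base64.b64decode("".join(body.split())))
        else:
            rejected.append(label)  # e.g. PRIVATE KEY: never accepted by the tester
    return certs, rejected

def association_data(selector, mtype, der):
    """RFC 6698 association data for selector 0 (full cert) and matching type 0/1/2."""
    if selector != 0:  # selector 1 (SubjectPublicKeyInfo) needs ASN.1 parsing; not handled
        raise NotImplementedError("selector 1 not handled here")
    return {0: der, 1: hashlib.sha256(der).digest(), 2: hashlib.sha512(der).digest()}[mtype]

def dane_match(usage, selector, mtype, assoc_hex, chain):
    """Usage 3 (DANE-EE): leaf must match. Usage 2 (DANE-TA): a CA cert sent above the
    leaf must match. Usages 0/1 also need PKIX path validation, so they are refused."""
    assoc = bytes.fromhex(assoc_hex)
    candidates = {3: chain[:1], 2: chain[1:]}.get(usage)
    if candidates is None:
        raise ValueError("usages 0 and 1 require PKIX validation; not handled here")
    return any(association_data(selector, mtype, c) == assoc for c in candidates)

def cert_from_tlsa(selector, mtype, assoc_hex):
    """Selector 0 + matching type 0 carries the whole DER cert in DNS: take it from there."""
    return bytes.fromhex(assoc_hex) if (selector, mtype) == (0, 0) else None
```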