Re: [dane] NIST DANE Tester Announcement

Bry8 Star <bry8star@inventati.org> Thu, 07 November 2013 12:33 UTC


Users who run the test should MAKE SURE to upload ONLY the PUBLIC
certificate portion(s), or such certificate-chain portion (which DOES
NOT INCLUDE ANY PRIVATE KEY portion), into such textbox.

They SHOULD NOT upload the exact cert file or cert-chain file which
will be used in the real HTTPS server or other TLS-encrypted
scheme/protocol-based server, as such a file may have private keys.

With such an option (to copy-paste PUBLIC certificate codes), tests
related to "Usage" cases 2 & 3 should succeed.

Or, can your test-system pull the "Usage" case 3's TLS cert out of
the TLSA DNS record, if the domain-name has declared the FULL TLS cert
code in TLSA? And then, can such FULL SSL/TLS cert code be used
for initiating an encrypted connection with the DANE-signed
domain-name based TLS/HTTPS Server/URL?

- Bright Star.
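As an added example, not part of this thread or of NIST's tester, here is what a tester could do with pasted PEM input as the message above asks: refuse anything that carries a private key and keep only the CERTIFICATE blocks, then compute the RFC 6698 selector/matching-type association data that the "Usage" 2 and 3 checks compare against, including matching type 0, where the TLSA record carries the full certificate itself. The certificate is a constructed dummy DER structure (right shape, junk signature, made-up CN dane.example), not a real signed cert, and the parsing only goes as deep as the SubjectPublicKeyInfo field needs.

```python
"""TLSA rdata (RFC 6698) from a PUBLIC cert + usage 2/3 match check; added example, dummy constructed cert."""
import base64, hashlib, re

def der(tag, body):                      # minimal DER TLV encoder (short and 1/2-byte long lengths)
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def der_split(blob):                     # concatenated TLVs -> [(tag, body), ...]
    out, i = [], 0
    while i < len(blob):
        tag, n, j = blob[i], blob[i + 1], i + 2
        if n & 0x80:                      # long-form length
            k = n & 0x7F; n = int.from_bytes(blob[j:j + k], "big"); j += k
        out.append((tag, blob[j:j + n])); i = j + n
    return out

def spki_of(cert_der):                   # SubjectPublicKeyInfo out of Certificate.tbsCertificate
    fields = der_split(der_split(der_split(cert_der)[0][1])[0][1])
    if fields[0][0] == 0xA0:              # skip explicit [0] version if present
        fields = fields[1:]               # serial, sigalg, issuer, validity, subject, SPKI
    return der(*fields[5])

def tlsa_rdata(cert_der, selector, mtype):
    """Selector 0 = full cert, 1 = SPKI. Matching type 0 = the object itself (the
    'full cert in the TLSA record' case), 1 = SHA-256, 2 = SHA-512."""
    obj = cert_der if selector == 0 else spki_of(cert_der)
    return {0: obj, 1: hashlib.sha256(obj).digest(), 2: hashlib.sha512(obj).digest()}[mtype]

def tlsa_matches(cert_der, usage, selector, mtype, data):
    """Usage 3 (DANE-EE): pass the server cert. Usage 2 (DANE-TA): pass the trust-anchor
    cert from the served chain. Usages 0/1 also need PKIX validation (not done here)."""
    if usage not in (2, 3):
        raise ValueError("only DANE-TA (2) / DANE-EE (3) handled")
    return tlsa_rdata(cert_der, selector, mtype) == data

def public_parts_only(pem_text):         # the thread's advice as a check: certs only, no key
    if re.search(r"-----BEGIN [A-Z ]*PRIVATE KEY-----", pem_text):
        raise ValueError("PEM contains a private key; upload only the certificate(s)")
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

# Constructed dummy certificate: rsaEncryption SPKI, CN=dane.example, junk signature bits.
_RSA, _SHA256RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
_SPKI = der(0x30, der(0x30, der(0x06, _RSA) + der(0x05, b"")) + der(0x03, b"\x00" + b"\x01" * 8))
_NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"dane.example"))))
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, der(0x06, _SHA256RSA)) + _NAME
           + der(0x30, der(0x17, b"131107000000Z") + der(0x17, b"141107000000Z")) + _NAME + _SPKI)
CERT_DER = der(0x30, _TBS + der(0x30, der(0x06, _SHA256RSA)) + der(0x03, b"\x00" + b"\xaa" * 16))
CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_DER).decode() + "-----END CERTIFICATE-----\n"
```

`tlsa_rdata(public_parts_only(CERT_PEM)[0], 1, 1).hex()` is the data field of the common "3 1 1" record; a usage 2 record is checked with the same function against the trust-anchor certificate the server sends in its chain.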

Received from Bry8 Star, on 2013-11-07 4:05 AM:
> Hi,
> 
> Thanks.
> 
> Will it be possible to add another textbox/input-field to this
> tester-site, for the DANE-signed domain-name that will be tested, to
> allow upload of a pem, crt or cer file which will be used with the
> HTTPS Web-Server, or with another scheme-based server? Or a textbox
> to "paste" the cert or cert-chain code from such a file, so that the
> test can show result info by ruling out that a TLS/SSL cert or
> cert-chain used by the DANE-signed site was not present in the
> visitor's/client-side web-browser/OS.
> 
> My understanding is that this will allow really TESTING the DANE/TLSA
> "Usage" 2 and 3 cases.
> 
> If you do not have the domain owner's (TLSA "Usage" case 2's or 3's)
> TLS/SSL cert or cert-chain file, then will not your test-result
> always fail for those TWO "Usage" cases?
> 
> - - - - -
> 
> For users to test DANE+DNSSEC from their own location/computer,
> mentioned below is one (or, at a long shot, two) option(s), out of a
> few other options:
> 
> If a local fully DNSSEC-supporting DNS-Server or DNS-Resolver software
> is present (for more accurate tests) on the local computer or local
> (trusted) LAN, or in a (local) VM.
> 
> Then Mozilla Firefox, up to v24.0 (or other Firefox/Gecko/XULRunner
> based web-browsers, like GNU IceCat, Iceweasel, etc.), can have
> partial DANE awareness by loading the "Extended DNSSEC Validator"
> ("EDV", a Firefox addon/extension from os3sec.org). This addon helps
> to display info/icon related to DANE/TLSA "Usage" 2 & 3, but has no
> support for Usage 0 or 1 yet. This addon also has DNSSEC awareness
> and can display info related to DNSSEC authentications; it can also
> display info on SSL/TLS cert verification (and certificate chain
> verification), etc.
> 
> But EDV v0.5 (mozilla), v0.6 (github) or v0.8 (github): none worked
> on Firefox v25.0 or later, last tested on Nov 5, 2013. Based on the
> EDV author's response, it seems he is not interested in continuing
> development anymore.
> 
> And the developer/dev-group of "DNSSEC-Validator" (another Firefox
> addon, from CZ.NIC) said on the mailing list that they will add
> support for DANE from next month. Currently it supports displaying
> only DNSSEC (except DANE) related info/icon.
> 
> 
> - Bright Star.
> 
> 
> 
> Received from Stephen Nightingale, on 2013-11-06 8:58 AM:
> 
>> For those DANEs who are in Vancouver, you can talk to Scott Rose or
>> Doug Montgomery about this. Doug will be at the informal DANE lunch
>> tomorrow.
> 
>> ========
> 
>> NIST has developed a test system for the RFC 6698 DANE protocol.
>> DANE seeks to verify PKIX certificate based Transport Layer Security
>> (RFC 5246 TLS) connections using the Domain Name System as secured
>> by DNSSEC.
> 
>> https://www.had-pilot.com/dane/danelaw.html
> 
>> The NIST DANE test system has three modes of operation:
> 
>> - Test your DANE enabled site:
>>    Enter the URL of a site for which a DANE TLSA resource record is
>> provisioned. The system will negotiate the connection, verify with
>> DANE and get the web page - or provide failure diagnostics.
> 
>> - A reference test set to test your browser in response to all
>> possible DANE configurations.
> 
>> - If your browser is NOT DANE enabled, a reference test set to test
>> a DANE client's response to all possible configurations and return
>> the results to your browser.
> 
>> The site is up and available for testing - But it is still early
>> days and there may be occasional outages. Please be patient and/or
>> let us know.
> 
>> Stephen Nightingale, NIST
>> HAD Pilot Program
> 
> 