[dane] DANE Testing

Stephen Nightingale <night@nist.gov> Fri, 21 February 2014 20:19 UTC

Message-ID: <5307B4BE.9010706@nist.gov>
Date: Fri, 21 Feb 2014 15:19:10 -0500
From: Stephen Nightingale <night@nist.gov>
Organization: NIST
To: <uta@ietf.org>, <dane@ietf.org>, proj-had <proj-had@nist.gov>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/ESa12LpIvq5Z8KdPzg14lxiFi-E
Subject: [dane] DANE Testing

** This is posted to both UTA and DANE mailgroups. Apologies if you get 
it twice. I don't know the overlap of the two groups. **

Some improvements to the DANE Testing site at NIST since I posted to the 
dane mailgroup last November.

The site is at: https://www.had-pilot.com/dane/danelaw.html.

It is now possible to test from both TLSlite based and GnuTLS based 
clients. The Form structure of the site offers the options of connecting 
users' own identified DANE-enabled sites, connecting to the set of sites 
listed on Dan York's ISOC DANE 360 page, and getting results therefrom, 
or connecting to the NIST 'DANE Reference site' that explores all 0xx, 
1xx, 2xx and 3xx Certificate Usage permutations.

Mine was one of the 'DANE-in-the-App' sites that Viktor Dukhovni 
reviewed, and he kindly gave an extensive critique. Many of his points 
have been addressed. A few things still to clear up:
- I'm not checking for certificate revocation. That is on the list to fix.
- For 0xx and 1xx uses, it is hard to identify a single canonical CA 
list. I have overlapping, but different Root Cert sets from Mozilla, 
Fedora and Linux Mint. So when searching for an authority to build a 
verification chain I cycle through all of these until succeeding or 
exhaustion of the possibilities. Some of the DANE 360 listed sets 
(including some from members of this group) fail to authenticate because 
the root certs are not in my authorities. A golden, canonical CA list 
would be nice to find. But I guess that its non-universal availability 
is one of the problems of the CA system that DANE is aiming squarely at.

The differences between TLSlite and GnuTLS clients highlight the fact 
that there are unresolved interoperability issues among TLS 
implementations. It seems reasonable that TLS interoperability testing 
be instituted as a prerequisite to DANE testing. The development of a 
TLS Interoperability test suite is therefore on our 'to-do' list. I 
look forward to seeing the newly upgraded OpenSSL client with added 
DANE. It is quite possible that as an interim step before its appearance 
I will add this DANE-in-the-App implementation to pyOpenSSL and/or Twisted.

If you find any glaring errors, I will be embarrassed but thankful.
If you find any subtle errors I will be impressed and thankful.


Stephen Nightingale, NIST.
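The message above turns on two points of DANE (RFC 6698) behaviour: which certificate in the presented chain a TLSA record is compared against for each Certificate Usage (0xx through 3xx), and the fact that only usages 0 and 1 additionally depend on a CA root store, which is why the author's authentication failures for some DANE 360 sites come down to which root certificates happen to be in the verifier's authorities. The following Python is an added example written for this page; it is not code from the NIST test site or from any library named in the message. It models certificates as constructed byte strings (the DER and SubjectPublicKeyInfo that TLSA selectors hash) and models the PKIX step only as "the chain terminates in a root known to at least one store", mirroring the approach of trying several stores in turn; signature verification and revocation checking are deliberately not modelled, the latter being the gap the author lists as still open.

```python
"""DANE TLSA matching over a constructed certificate chain (added example).

Implements the record-matching rules of RFC 6698 section 2.1 for all four
Certificate Usages, with a deliberately simplified stand-in for PKIX
validation so the example runs offline with no real certificates.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only the two byte strings TLSA can hash."""
    name: str
    der: bytes   # full certificate (selector 0)
    spki: bytes  # SubjectPublicKeyInfo (selector 1)


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes         # Certificate Association Data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse zone-file presentation form, e.g. '3 1 1 2bb1...' (hex may contain spaces)."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexdata.split())))


def association_data(cert: Cert, selector: int, matching_type: int) -> bytes:
    """Compute the Certificate Association Data a record would carry for this cert."""
    raw = {0: cert.der, 1: cert.spki}[selector]
    if matching_type == 0:
        return raw
    if matching_type == 1:
        return hashlib.sha256(raw).digest()
    if matching_type == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def fingerprint(cert: Cert) -> bytes:
    return hashlib.sha256(cert.der).digest()


def chain_anchored_in(chain: List[Cert], root_stores: Iterable[Set[bytes]]) -> bool:
    """Simplified model of the trust-anchor step of PKIX validation only: the last
    certificate in the chain must be present in at least one root store (each store
    is a set of SHA-256 fingerprints).  Signature and revocation checks are not modelled."""
    fp = fingerprint(chain[-1])
    return any(fp in store for store in root_stores)


def tlsa_matches(record: TLSA, chain: List[Cert], root_stores: Iterable[Set[bytes]]) -> bool:
    """Decide whether the presented chain satisfies one TLSA record."""
    def matches(cert: Cert) -> bool:
        return association_data(cert, record.selector, record.matching_type) == record.data

    if record.usage == 3:   # DANE-EE: match the end-entity cert; no CA store involved
        return matches(chain[0])
    if record.usage == 2:   # DANE-TA: some cert in the presented chain is the trust anchor
        return any(matches(c) for c in chain)
    if record.usage == 1:   # PKIX-EE: match the EE cert AND the chain must validate
        return matches(chain[0]) and chain_anchored_in(chain, root_stores)
    if record.usage == 0:   # PKIX-TA: some chain cert is the constraint AND chain validates
        return any(matches(c) for c in chain) and chain_anchored_in(chain, root_stores)
    return False            # unknown usage: the record is ignored


def dane_authenticates(records: Iterable[TLSA], chain: List[Cert], root_stores) -> bool:
    """Any single usable record that matches is sufficient."""
    return any(tlsa_matches(r, chain, root_stores) for r in records)


# --- constructed sample data (not real certificates) -------------------------
EE = Cert("ee", b"constructed-EE-cert-DER", b"constructed-EE-SPKI")
INTERMEDIATE = Cert("intermediate", b"constructed-intermediate-DER", b"constructed-intermediate-SPKI")
ROOT = Cert("root", b"constructed-root-DER", b"constructed-root-SPKI")
CHAIN = [EE, INTERMEDIATE, ROOT]
STORE_A = {fingerprint(ROOT)}                                  # a root store that knows this root
STORE_B = {hashlib.sha256(b"constructed-other-root-DER").digest()}  # a store that does not


def demo() -> dict:
    rec_dane_ee = parse_tlsa("3 1 1 " + hashlib.sha256(EE.spki).hexdigest())
    rec_pkix_ee = parse_tlsa("1 0 1 " + hashlib.sha256(EE.der).hexdigest())
    rec_dane_ta = parse_tlsa("2 0 1 " + hashlib.sha256(INTERMEDIATE.der).hexdigest())
    rec_pkix_ta = parse_tlsa("0 1 2 " + hashlib.sha512(ROOT.spki).hexdigest())
    rec_wrong = parse_tlsa("3 0 1 " + "00" * 32)
    return {
        "dane_ee": tlsa_matches(rec_dane_ee, CHAIN, []),
        "pkix_ee_known_root": tlsa_matches(rec_pkix_ee, CHAIN, [STORE_B, STORE_A]),
        "pkix_ee_unknown_root": tlsa_matches(rec_pkix_ee, CHAIN, [STORE_B]),
        "dane_ta": tlsa_matches(rec_dane_ta, CHAIN, []),
        "pkix_ta_known_root": tlsa_matches(rec_pkix_ta, CHAIN, [STORE_A]),
        "pkix_ta_unknown_root": tlsa_matches(rec_pkix_ta, CHAIN, [STORE_B]),
        "mismatch": tlsa_matches(rec_wrong, CHAIN, [STORE_A]),
        "any_record": dane_authenticates([rec_wrong, rec_dane_ee], CHAIN, []),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows the asymmetry the message describes: the usage 2 and 3 records match with an empty root store list, while the same chain under usage 0 or 1 succeeds only when at least one of the supplied stores contains the root, so a verifier with a different set of authorities reaches a different verdict for an identical server and identical TLSA data.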