[dane] DANE Testing
Stephen Nightingale <night@nist.gov> Fri, 21 February 2014 20:19 UTC
Return-Path: <stephen.nightingale@nist.gov>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A74CB1A0271; Fri, 21 Feb 2014 12:19:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.048
X-Spam-Level:
X-Spam-Status: No, score=-2.048 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q5R7hpxboxUt; Fri, 21 Feb 2014 12:19:20 -0800 (PST)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 985321A0242; Fri, 21 Feb 2014 12:19:20 -0800 (PST)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.3.174.1; Fri, 21 Feb 2014 15:19:07 -0500
Received: from postmark.nist.gov (129.6.16.94) by WSXGHUB1.xchange.nist.gov (129.6.18.96) with Microsoft SMTP Server (TLS) id 8.3.327.1; Fri, 21 Feb 2014 15:19:15 -0500
Received: from [127.0.0.1] (31-140.antd.nist.gov [129.6.140.31]) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id s1LKJA5L011923; Fri, 21 Feb 2014 15:19:11 -0500
Message-ID: <5307B4BE.9010706@nist.gov>
Date: Fri, 21 Feb 2014 15:19:10 -0500
From: Stephen Nightingale <night@nist.gov>
Organization: NIST
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: uta@ietf.org, dane@ietf.org, proj-had <proj-had@nist.gov>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-NIST-MailScanner-Information:
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/ESa12LpIvq5Z8KdPzg14lxiFi-E
Subject: [dane] DANE Testing
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: night@nist.gov
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2014 20:19:25 -0000
** This is posted to both UTA and DANE mailgroups. Apologies if you get it twice. I don't know the overlap of the two groups. ** Some improvements to the DANE Testing site at NIST since I posted to the dane mailgroup last November. The site is at: https://www.had-pilot.com/dane/danelaw.html. It is now possible to test from both TLSlite based and GnuTLS based clients. The Form structure of the site offers the options of connecting users' own identified DANE-enabled sites, connecting to the set of sites listed on Dan York's ISOC DANE 360 page, and getting results therefrom, or connecting to the NIST 'DANE Reference site' that explores all 0xx, 1xx, 2xx and 3xx Certificate Usage permutations. Mine was one of the 'DANE-in-the-App' sites that Viktor Dukhovni reviewed, and he kindly gave an extensive critique. Many of his points have been addressed. A few things still to clear up: - I'm not checking for certificate revocation. That is on the list to fix. - For 0xx and 1xx uses, it is hard to identify a single canonical CA list. I have overlapping, but different Root Cert sets from Mozilla, Fedora and Linux Mint. So when searching for an authority to build a verification chain I cycle through all of these until succeeding or exhaustion of the possibilities. Some of the DANE 360 listed sets (including some from members of this group) fail to authenticate because the root certs are not in my authorities. A golden, canonical CA list would be nice to find. But I guess that its non-universal availability is one of the problems of the CA system that DANE is aiming squarely at. The differences between TLSlite and GnuTLS clients highlight the fact that there are unresolved interoperability issues among TLS implementations. It seems reasonable that TLS interoperability testing be instituted as pre-requisite to DANE testing. The development of a TLS Interoperability test suite is therefore on our 'to-do' list. I look forward to seeing the newly upgraded OpenSSL client with added DANE. It is quite possible that as an interim step before its appearance I will add this DANE-in-the-App implementation to pyOpenSSL and/or Twisted. If you find any glaring errors, I will be embarrassed but thankful. If you find any subtle errors I will be impressed and thankful. Cheers, Stephen Nightingale, NIST. -
- [dane] DANE Testing Stephen Nightingale
- Re: [dane] DANE Testing Viktor Dukhovni
- Re: [dane] DANE Testing Stephen Nightingale
- Re: [dane] DANE Testing Viktor Dukhovni
- Re: [dane] [Uta] DANE Testing Kurt Roeckx
- Re: [dane] [Uta] DANE Testing Viktor Dukhovni