[dane] Anyone interested in writing a DANE tutorial?

Dan York <dan-ietf@danyork.org> Wed, 26 September 2012 18:27 UTC


On Tue, 25 Sep 2012, Warren Kumari wrote:

> Something that would be very helpful for getting this deployed /
> implemented in browsers is a number of folk (and more importantly,
> organizations) stating that they are planning on / would do DANE if
> the browsers supported it natively. Of course, even more helpful would
> be folk actually publishing TLSA records :-P

To this last point about getting more TLSA records published, would anyone be interested in writing a step-by-step tutorial for how to publish a TLSA record?  Or collaborating on writing one?

If we had a page that was a simple set of steps it would be something we could pass around and encourage people to consider doing.  I'm thinking of something like:

Existing certificate:
 - get a copy of your TLS certificate
 - generate the appropriate hash using ____
 - create a DNS record that looks like "........."
 - publish record (including DNSSEC signing) and celebrate

New certificate:
 - generate a new TLS certificate using ____
 - install certificate in your web server (perhaps assume Apache for the tutorial)
 - generate the appropriate hash using ____
 - create a DNS record that looks like "........."
 - publish record (including DNSSEC signing) and celebrate

Now those steps may not be complete... this is just a first thought... and given that I've never deployed a TLSA record (but would like to) I don't know the exact steps. 

If anyone would be interested in creating something like this, I'd be glad to publish it on our Deploy360 site (with attribution to you and a link to a site) or if you publish it on your site I'd be glad to link to it from Deploy360.  Or if you'd like to collaborate with me on writing something, I'd be glad to help with it.

Even if someone could sketch out the basic outline of the commands one would use for the steps above, I'd be glad to write some text narrative explaining the commands.

Anyone interested?

Thanks,
Dan


-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork
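
The "generate the appropriate hash" and "create a DNS record" steps outlined in the message, as an added example that is not part of the original post or any tutorial it led to: it derives the TLSA owner name and RDATA from a PEM certificate using the RFC 6698 fields (usage 0-3, selector 0 = full certificate or 1 = SubjectPublicKeyInfo, matching type 0 = exact, 1 = SHA-256, 2 = SHA-512). The function names, the "3 1 1" default and the host name are assumptions of this example, and the sample input is a constructed stand-in with the X.509 field layout, not a real certificate.

```python
import hashlib
import ssl

HASHES = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types

def read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo, the input for selector 1."""
    _, pos, _ = read_tlv(cert_der, 0)      # outer Certificate SEQUENCE
    _, pos, end = read_tlv(cert_der, pos)  # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(cert_der, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(cert_der[pos:nxt])
        pos = nxt
    if len(fields) < 6:
        raise ValueError("tbsCertificate has no SubjectPublicKeyInfo")
    return fields[5]  # after serial, sigalg, issuer, validity, subject

def tlsa_record(host, port, cert_pem, usage=3, selector=1, mtype=1, proto="tcp"):
    """Build the zone-file TLSA line for the certificate served at host:port."""
    if usage not in range(4) or selector not in (0, 1) or mtype not in HASHES:
        raise ValueError("unsupported TLSA parameter")
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    data = der if selector == 0 else extract_spki(der)
    data = HASHES[mtype](data).digest() if HASHES[mtype] else data
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {mtype} {data.hex()}"

def der_enc(tag, body=b""):  # short-form DER length only; enough for the sample
    return bytes([tag, len(body)]) + body

def sample_cert_pem():
    """Constructed stand-in with the X.509 field layout; not a real certificate."""
    spki = der_enc(0x30, der_enc(0x30) + der_enc(0x03, b"\x00constructed-key"))
    head = der_enc(0xA0, der_enc(0x02, b"\x02")) + der_enc(0x02, b"\x01")  # version, serial
    tbs = der_enc(0x30, head + der_enc(0x30) * 4 + spki)
    return ssl.DER_cert_to_PEM_cert(der_enc(0x30, tbs + der_enc(0x30) + der_enc(0x03, b"\x00")))

print(tlsa_record("www.example.com", 443, sample_cert_pem()))
```

Pass only the PEM text of the server's own certificate; the resulting line is useful to validating clients only once it is published in a DNSSEC-signed zone, and it has to be updated whenever the hashed certificate or key changes.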