Re: [dane] NIST DANE Tester Announcement
Bry8 Star <bry8star@inventati.org> Thu, 07 November 2013 12:03 UTC
Hi,

Thanks.

Will it be possible to add another textbox/input-field in this tester-site, for the DANE-signed domain-name that will be tested, to allow upload of a pem or crt or cer file which will be used with the HTTPS Web-Server, or with other scheme based server? Or a textbox to "paste" the cert or cert-chain code from such file.

So that, test can show result info, by ruling-out that, a TLS/SSL cert or cert-chain used by the DANE-signed site, was not present in visitor's/client side web-browser/OS.

My understanding is, such will allow to really TEST the DANE/TLSA "Usage" 2 and 3 cases.

If you do not have domain owner's (TLSA "Usage" case 2's or 3's) TLS/SSL cert or cert-chain file, then will not your test-result always fail for those TWO "Usage" cases?

- - - - - -

For users to test DANE+DNSSEC from their own location/computer, mentioned in below is one (or two in long shot) option(s), out of few other options:

If a local full DNSSEC supported DNS-Server or DNS-Resolver software is present (for more accurate tests) in local computer or local (trusted) LAN, or in (local) VM. Then Mozilla Firefox, up to v24.0, (or other firefox/gecko/XUL-runner based web-browsers, like: GNU IceCat, Iceweasel, etc), can have partial DANE awareness, by loading the "Extended DNSSEC Validator" ("EDV", a firefox addon/extension from os3sec.org). This addon helps to display info/icon related to DANE/TLSA "Usage" 2 & 3, but no support for Usage 0 or 1 yet. This addon also has DNSSEC awareness and can display info related to DNSSEC authentications, it can also display info on SSL/TLS cert verification (and certificate chain verification), etc.

But, EDV v0.5 (mozilla), v0.6 (github) or v0.8 (github), none worked on Firefox v25.0 or later, last tested on Nov 5, 2013. Based on EDV author's response, it seems, he is not interested now, in continuing developing anymore.

And, developer/dev-group of "DNSSEC-Validator" (another Firefox addon, from CZ.NIC) said on mailing list, that they will add support for DANE from next month. Currently it supports displaying only DNSSEC (except DANE) related info/icon.

- - Bright Star.

Received from Stephen Nightingale, on 2013-11-06 8:58 AM:
>
> For those DANEs who are in Vancouver, you can talk to Scott Rose or
> Doug Montgomery about this. Doug will be at the informal DANE lunch
> tomorrow.
>
> ========
>
> NIST has developed a test system for the RFC 6698 DANE protocol.
> DANE seeks to verify PKIX certificate based Transport Layer Security
> (RFC 5246 TLS) connections using the Domain Name System as secured
> by DNSSEC.
>
> https://www.had-pilot.com/dane/danelaw.html
>
> The NIST DANE test system has three modes of operation:
>
> - Test your DANE enabled site:
> Enter the URL of a site for which a DANE TLSA resource record is
> provisioned. The system will negotiate the connection, verify with
> DANE and get the web page - or provide failure diagnostics.
>
> - A reference test set to test your browser in response to all
> possible DANE configurations.
>
> - If your browser is NOT DANE enabled, a reference test set to test
> a DANE client's response to all possible configurations and return
> the results to your browser.
>
> The site is up and available for testing - But it is still early
> days and there may be occasional outages. Please be patient and/or
> let us know.
>
> Stephen Nightingale, NIST
> HAD Pilot Program
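For the TLSA "Usage" 2 and 3 cases discussed in the message above, the following added example (not from the original message or from the NIST tester) shows the RFC 6698 matching step: the record's selector and matching type are applied to certificates taken from the chain the server presents in the TLS handshake. All function names and the sample chain are constructed for illustration; signature validation of the chain up to a usage 2 trust anchor is assumed to happen elsewhere and is not shown.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, content_start, end) of the DER element starting at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                          # long-form length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_der(cert):
    """Extract the SubjectPublicKeyInfo element from a DER X.509 certificate."""
    _, start, _ = read_tlv(cert, 0)            # outer Certificate SEQUENCE
    _, off, tbs_end = read_tlv(cert, start)    # tbsCertificate SEQUENCE
    fields = []
    while off < tbs_end:
        tag, _, end = read_tlv(cert, off)
        fields.append((tag, cert[off:end]))
        off = end
    if fields[0][0] == 0xA0:                   # optional [0] version field
        fields = fields[1:]
    return fields[5][1]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_data(cert, selector, mtype):
    """Apply a TLSA selector (0 cert, 1 SPKI) and matching type (0, 1, 2)."""
    data = cert if selector == 0 else spki_der(cert)
    if mtype == 0:
        return data                            # exact match on the raw bytes
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()

def dane_match(chain, usage, selector, mtype, assoc):
    """chain: DER certificates as sent by the server, leaf first."""
    if usage == 3:
        candidates = chain[:1]                 # usage 3: the leaf only
    elif usage == 2:
        candidates = chain[1:]                 # simplification: issuers sent above the leaf
    else:
        raise ValueError("usages 0 and 1 also require PKIX validation")
    return any(tlsa_data(c, selector, mtype) == assoc for c in candidates)

# Constructed DER skeletons with certificate layout (not real certificates).
def fake_cert(name, key):
    seq = lambda body: bytes([0x30, len(body)]) + body
    tbs = seq(b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + seq(b"") + seq(b"")
              + seq(b"") + seq(name) + seq(key))
    return seq(tbs + seq(b"") + b"\x03\x01\x00")

LEAF, CA = fake_cert(b"leaf", b"leaf-key"), fake_cert(b"ca", b"ca-key")
CHAIN = [LEAF, CA]
```

With a hashed usage 2 record, `dane_match([LEAF], 2, ...)` returns `False` because the trust-anchor certificate is not among the certificates presented.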