Re: [dane] NIST DANE Tester Announcement

Bry8 Star <bry8star@inventati.org> Thu, 07 November 2013 12:03 UTC

Message-ID: <527B820C.1000602@inventati.org>
Date: Thu, 07 Nov 2013 04:05:32 -0800
From: Bry8 Star <bry8star@inventati.org>
To: dane@ietf.org
References: <527A753A.4040800@nist.gov>
In-Reply-To: <527A753A.4040800@nist.gov>
Subject: Re: [dane] NIST DANE Tester Announcement


Hi,

Thanks.

Will it be possible to add another textbox/input-field in this
tester-site, for the DANE-signed domain-name that will be tested, to
allow upload of a pem or crt or cer file which will be used with the
HTTPS web-server, or with another scheme-based server? Or a textbox
to "paste" the cert or cert-chain code from such a file. So that the
test can show result info by ruling out that a TLS/SSL cert or
cert-chain used by the DANE-signed site was not present in the
visitor's/client-side web-browser/OS.

My understanding is that such will allow one to really TEST the
DANE/TLSA "Usage" 2 and 3 cases.

If you do not have the domain owner's (TLSA "Usage" case 2's or 3's)
TLS/SSL cert or cert-chain file, then will not your test result
always fail for those TWO "Usage" cases?

- - - - -

For users to test DANE+DNSSEC from their own location/computer,
mentioned below is one (or, at a long shot, two) option(s), out of
a few other options:

If a local, fully DNSSEC-capable DNS server or DNS resolver is
present (for more accurate tests) on the local computer, on the
local (trusted) LAN, or in a (local) VM, then Mozilla Firefox, up to
v24.0 (or other Firefox/Gecko/XULRunner-based web browsers, like
GNU IceCat, Iceweasel, etc.), can have partial DANE awareness by
loading the "Extended DNSSEC Validator" ("EDV", a Firefox
addon/extension from os3sec.org). This addon helps to display an
info/icon related to DANE/TLSA "Usage" 2 & 3, but has no support for
Usage 0 or 1 yet. This addon also has DNSSEC awareness and can
display info related to DNSSEC authentication; it can also display
info on SSL/TLS cert verification (and certificate chain
verification), etc.

But none of EDV v0.5 (Mozilla), v0.6 (GitHub) or v0.8 (GitHub)
worked on Firefox v25.0 or later, last tested on Nov 5, 2013. Based
on the EDV author's response, it seems he is not interested in
continuing development anymore.

And the developer/dev-group of "DNSSEC-Validator" (another Firefox
addon, from CZ.NIC) said on the mailing list that they will add
support for DANE from next month. Currently it supports displaying
only the DNSSEC-related (not DANE) info/icon.


-- Bright Star.



Received from Stephen Nightingale, on 2013-11-06 8:58 AM:
> 
> For those DANEs who are in Vancouver, you can talk to Scott Rose or
> Doug Montgomery about this. Doug will be at the informal DANE lunch
> tomorrow.
> 
> ========
> 
> NIST has developed a test system for the RFC 6698 DANE protocol.
> DANE seeks to verify PKIX certificate based Transport Layer Security
> (RFC 5246 TLS) connections using the Domain Name System as secured
> by DNSSEC.
> 
> https://www.had-pilot.com/dane/danelaw.html
> 
> The NIST DANE test system has three modes of operation:
> 
> - Test your DANE enabled site:
>    Enter the URL of a site for which a DANE TLSA resource record is
> provisioned. The system will negotiate the connection, verify with
> DANE and get the web page - or provide failure diagnostics.
> 
> - A reference test set to test your browser in response to all
> possible DANE configurations.
> 
> - If your browser is NOT DANE enabled, a reference test set to test
> a DANE client's response to all possible configurations and return
> the results to your browser.
> 
> The site is up and available for testing - But it is still early
> days and there may be occasional outages. Please be patient and/or
> let us know.
> 
> Stephen Nightingale, NIST
> HAD Pilot Program
> 
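The point raised above about TLSA "Usage" 2 and 3 is that the check runs against the certificate the server actually presents, not against anything in the client's trust store. The following is an added example, not code from the NIST tester or from anyone on this thread: it implements the RFC 6698 selector/matching-type computation for the DANE-EE (usage 3) case over a constructed DER certificate skeleton (FAKE_CERT_V3/FAKE_CERT_V1 are placeholders with no real key or signature), including the v1 certificate without the optional version field.

```python
import hashlib

def der_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER TLV at buf[off:] (definite lengths only)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                      # long form: low bits give the number of length bytes
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def spki_from_cert(cert_der):
    """Extract the SubjectPublicKeyInfo TLV from an X.509 DER cert (RFC 5280 field order)."""
    _, tbs_pos, _ = der_tlv(cert_der, 0)       # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, off, _ = der_tlv(cert_der, tbs_pos)      # first field of tbsCertificate
    tag, _, end = der_tlv(cert_der, off)
    if tag == 0xA0:                             # optional [0] EXPLICIT version (absent in v1 certs)
        off = end
    for _ in range(5):                          # serialNumber, signature, issuer, validity, subject
        _, _, off = der_tlv(cert_der, off)
    _, _, end = der_tlv(cert_der, off)          # subjectPublicKeyInfo
    return cert_der[off:end]

def tlsa_assoc_data(cert_der, selector, mtype):
    """RFC 6698 s.2.1: selector 0 = full cert, 1 = SPKI; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda d: d,
              1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}
    return digest[mtype](data)

def tlsa_matches(cert_der, usage, selector, mtype, assoc_data):
    """DANE-EE (usage 3) only: the presented end-entity cert itself must match the record."""
    if usage != 3:
        raise ValueError("this example handles usage 3 only; usages 0-2 need chain processing")
    return tlsa_assoc_data(cert_der, selector, mtype) == assoc_data

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

# Constructed sample: correct X.509 field layout, placeholder contents (no real key or signature).
FAKE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                    + der(0x03, b"\x00\x04" + b"\x11" * 64))
_TBS_TAIL = (der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"")   # serial, signature alg, issuer
             + der(0x30, b"") + der(0x30, b"") + FAKE_SPKI)          # validity, subject, SPKI
FAKE_CERT_V3 = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + _TBS_TAIL) + der(0x30, b"") + der(0x03, b"\x00"))
FAKE_CERT_V1 = der(0x30, der(0x30, _TBS_TAIL) + der(0x30, b"") + der(0x03, b"\x00"))
```

Because the two constructed certs share one SPKI, a selector-1 record written for one matches the other while a selector-0 record does not; a real tester would additionally pin the TLSA lookup to a DNSSEC-validated answer.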