Re: [dane] [Uta] DANE Testing

Kurt Roeckx <kurt@roeckx.be> Fri, 21 February 2014 21:31 UTC

Date: Fri, 21 Feb 2014 22:30:52 +0100
From: Kurt Roeckx <kurt@roeckx.be>
To: Stephen Nightingale <night@nist.gov>
Message-ID: <20140221213052.GA4505@roeckx.be>
References: <5307B4BE.9010706@nist.gov>
In-Reply-To: <5307B4BE.9010706@nist.gov>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/dzXBKPvawwCdTRS0bcGEC613HKg
Cc: uta@ietf.org, proj-had <proj-had@nist.gov>, dane@ietf.org
Subject: Re: [dane] [Uta] DANE Testing

On Fri, Feb 21, 2014 at 03:19:10PM -0500, Stephen Nightingale wrote:
> 
> - For 0xx and 1xx uses, it is hard to identify a single canonical CA
> list. I have overlapping, but different Root Cert sets from Mozilla,
> Fedora and Linux Mint. So when searching for an authority to build a
> verification chain I cycle through all of these until succeeding or
> exhaustion of the possibilities. Some of the DANE 360 listed sets
> (including some from members of this group) fail to authenticate
> because the root certs are not in my authorities.

I'm not really sure why you can't find the relevant CAs in your
root store.  It looks like you don't properly build the chain or
something?  Looking for instance at the fedoraproject.org results,
you try all 3 of them, but each time fail, where for all 3 you
actually seem to list the root CA as a relevant cert?


Kurt