[keyassure] Firefox 4 (beta) add-on for certificate validations using DNSSEC

Pieter Lange <pieter.lange@os3.nl> Tue, 01 February 2011 15:16 UTC

We're students from the System and Network Engineering master at the
University of Amsterdam and have almost completed our one month project
under supervision of NLnet.
The topic was related to issue #8 (securing last hop) and other subjects
you're discussing here, so we think you might be interested.

During the last month we've been following the list and reading your
draft for securing TLS certificate associations, and have implemented an
add-on for the new Firefox 4 beta. This add-on is inspired by[1] the
DNSSEC validator by NIC.CZ, but does much more.

Actual DNSSEC trust chain validation is performed by implementing
libunbound[2], unlike the original add-on, which just checked if the
'ad' flag was set and by no means informed users that the 'ad' flag can
be faked.

Additionally, the add-on requests TXT and TLSA records for the same
label. The TXT implementation is based on Dan Kaminsky's spec[3] as it
is a nice showcase for what's possible. Note that we will remove support
for TXT record lookup when DANE is nearing consensus on all issues.

The add-on currently only supports doing SHA-1 validation for both TXT
and TLSA records; full certificates (cert type 2) or 'parent' (cert type
3/4) certificates are not supported. And there must be a thousand and
one more things wrong with it; we are not by any means saying this is a
proper way to verify certificates yet. Nor do we properly support the
'sts' flag in Kaminsky's specification because of a conflicting rule in
the STS[4] draft specification (doesn't allow self-signed certificates).

We are very much aware that you focus on more than just HTTP, but still
this add-on might prove to be a useful tool to evaluate the current drafts.

Bug reports are very welcome but we haven't yet set up our bugtracker.
Please have patience and if you have any immediate concerns contact us
via email.

You can find our add-on at https://os3sec.org, the website of our
education can be found at https://www.os3.nl

Regards,
Danny Groenewegen & Pieter Lange

[1] http://www.dnssec-validator.cz
[2] http://www.unbound.net
[3] http://dankaminsky.com/2010/12/19/dnssec-ch1/
[4] http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-00
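
The difference between trusting the 'ad' flag and validating locally, as an added example that is not part of the original message or the add-on's code: the flag is a single bit in the unauthenticated DNS header, so it carries no proof of its own. The function names, the `validatedLocally` parameter (standing in for the result of a local validator such as libunbound) and the sample header bytes are constructed for illustration.

```javascript
// DNS header: 12 bytes; the flags are the 16-bit big-endian field at offset 2.
const FLAG_QR = 0x8000; // message is a response
const FLAG_AD = 0x0020; // "authentic data" (the 'ad' flag)
const RCODE_MASK = 0x000f;

function parseHeader(msg) {
  if (!(msg instanceof Uint8Array) || msg.length < 12) {
    throw new RangeError("DNS message shorter than the 12-byte header");
  }
  const view = new DataView(msg.buffer, msg.byteOffset, msg.byteLength);
  const flags = view.getUint16(2);
  return {
    isResponse: (flags & FLAG_QR) !== 0,
    ad: (flags & FLAG_AD) !== 0,
    rcode: flags & RCODE_MASK,
  };
}

// Hypothetical stub policy: believe the upstream resolver's AD bit.
function trustsAdFlag(msg) {
  const h = parseHeader(msg);
  return h.isResponse && h.rcode === 0 && h.ad;
}

// Hypothetical policy for a locally validating client: header bits are
// ignored; only the outcome of the local chain validation counts.
function trustsLocalValidation(msg, validatedLocally) {
  const h = parseHeader(msg);
  return h.isResponse && h.rcode === 0 && validatedLocally === true;
}

// Number of bits that differ between two equal-length messages.
function diffBits(a, b) {
  if (a.length !== b.length) throw new RangeError("length mismatch");
  let n = 0;
  for (let i = 0; i < a.length; i++) {
    for (let x = a[i] ^ b[i]; x; x &= x - 1) n++;
  }
  return n;
}

// Constructed headers: id 0x1a2b, flags QR|RD|RA, one question, one answer.
const unsignedAnswer = Uint8Array.from([0x1a, 0x2b, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0]);
const sameWithAd = Uint8Array.from(unsignedAnswer);
sameWithAd[3] |= 0x20; // identical header with only the AD bit set

console.log(trustsAdFlag(unsignedAnswer), trustsAdFlag(sameWithAd),
            trustsLocalValidation(sameWithAd, false), diffBits(unsignedAnswer, sameWithAd));
```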