On Tue, May 28, 2013 at 05:56:02PM -0700, Bry8 Star wrote:

> -----BEGIN PGP SIGNED MESSAGE-----

http://xkcd.com/1181

> on windows side, users (including me) are using, two firefox addons:
> "Extended DNSSSEC Validator" (www.os3sec.org),

The code I found for this on github does not support certificate usage 0 or 1 and ignores the TLSA RR selector, always matching the certificate and not the public key. It appears to hardcode port 443 for TLSA RR lookups, rather than use the port from the URI. It is far from clear how it handles name checks. Likely many more problems. At first glance it is a toy not suitable for serious use.

> "DNSSEC Validator" (www.dnssec-validator.cz), and these two are able to
> use a local or remote DNSSEC validation supported DNS-Resolver/Server,
> and seems to be able to handle at-least "2 s m" and "3 s m" TLSA cases.

I have not had a chance to look at this in detail and I don't know much about writing browser plugins, so it is not clear how one robustly hooks into the browser's HTTPS connection establishment process.

I would recommend using browsers that support DANE natively, via a properly reviewed implementation in the browser itself. I'd be suspicious of the safety of addons. Perhaps someone else can take a stab at it. My impression is that a non-trivial fraction of the early implementations are substantively flawed. Caveat emptor.

-- 
Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
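The defects listed above (selector ignored, usages 0/1 unsupported, port fixed at 443) are all about how a TLSA record is evaluated against the server's certificate chain. The following is an added example, not code from the thread or from either addon, of what a correct evaluation looks like per RFC 6698: the selector decides whether the full certificate or only the SubjectPublicKeyInfo is matched, the matching type decides exact bytes versus SHA-256/SHA-512, the usage decides which certificate in the chain must match and whether PKIX validation is also required, and the owner name is derived from the port in the URI. The sample certificate is constructed inline with filler key and signature bits (not a real certificate); the minimal DER walker and the function names are this example's own.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# --- minimal DER helpers, enough to walk an X.509 certificate ---------------

def der_tlv(tag, body):
    """Encode one DER element (tag, definite length, body)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos):
    """Decode the header at buf[pos]; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def der_children(buf, start, end):
    """Yield (tag, element_start, element_end) for each element of a SEQUENCE."""
    pos = start
    while pos < end:
        tag, _, value_end = der_read(buf, pos)
        yield tag, pos, value_end
        pos = value_end

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (what selector 1 matches).
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, vs, ve = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_start, _ = next(der_children(cert_der, vs, ve))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, tbs_vs, tbs_ve = der_read(cert_der, tbs_start)
    fields = list(der_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:            # explicit [0] version present, skip it
        fields = fields[1:]
    spki_tag, s, e = fields[5]          # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[s:e]

# --- TLSA evaluation per RFC 6698 --------------------------------------------

def tlsa_matches(cert_der, selector, mtype, assoc_data):
    """Selector 0 = full certificate, 1 = SPKI; matching type 0 = exact,
    1 = SHA-256, 2 = SHA-512. Unknown values make the record unusable."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = extract_spki(cert_der)
    else:
        return False
    if mtype == 0:
        digest = data
    elif mtype in (1, 2):
        digest = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()
    else:
        return False
    return hmac.compare_digest(digest, assoc_data)

def tlsa_authenticates(chain_der, rr, pkix_valid):
    """Evaluate one (usage, selector, mtype, data) record against the server chain
    (end-entity first). Usages 0/1 also require ordinary PKIX validation; for
    usage 2 the caller is assumed to have checked that the chain is signed up to
    the matched certificate."""
    usage, selector, mtype, data = rr
    if usage in (0, 1) and not pkix_valid:
        return False
    if usage in (0, 2):
        candidates = chain_der[1:]      # a CA / trust-anchor certificate in the chain
    elif usage in (1, 3):
        candidates = chain_der[:1]      # the end-entity certificate only
    else:
        return False
    return any(tlsa_matches(c, selector, mtype, data) for c in candidates)

def tlsa_owner_name(uri):
    """Owner name to look up: _<port>._tcp.<host>. with the port taken from the URI."""
    u = urlsplit(uri)
    return f"_{u.port if u.port is not None else 443}._tcp.{u.hostname}."

# --- constructed sample certificate (filler key and signature bits, not a real cert) ---
_RSA = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
_SHA256_RSA = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
SAMPLE_SPKI = der_tlv(0x30, _RSA + der_tlv(0x03, b"\x00" + b"\xaa" * 8))
_TBS = der_tlv(0x30,
    der_tlv(0xA0, der_tlv(0x02, b"\x02")) +                 # version v3
    der_tlv(0x02, b"\x01") +                                # serialNumber
    _SHA256_RSA +                                           # signature algorithm
    der_tlv(0x30, b"") +                                    # issuer (empty name)
    der_tlv(0x30, der_tlv(0x17, b"130101000000Z") * 2) +    # validity
    der_tlv(0x30, b"") +                                    # subject (empty name)
    SAMPLE_SPKI)
SAMPLE_CERT = der_tlv(0x30, _TBS + _SHA256_RSA + der_tlv(0x03, b"\x00" * 9))
SAMPLE_RR = (3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())   # a "3 1 1" record for this key

if __name__ == "__main__":
    print(tlsa_owner_name("https://example.com:8443/"))                    # _8443._tcp.example.com.
    print(tlsa_authenticates([SAMPLE_CERT], SAMPLE_RR, pkix_valid=False))  # True
    print(tlsa_matches(SAMPLE_CERT, 0, 1, SAMPLE_RR[3]))                   # False: selector ignored
```

The last line of the `__main__` block shows the concrete consequence of the selector bug: a "3 1 1" record (SPKI, SHA-256) evaluated as if it were "3 0 1" (full certificate) fails to match, so a client that always hashes the certificate rejects a correctly published record. Likewise, a client that treats every usage as 3 would skip the PKIX requirement that usages 0 and 1 impose, and one that always queries `_443._tcp` would look up the wrong record for any non-default port.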
