On 31-05-13 05:10, Viktor Dukhovni wrote:
On Fri, May 31, 2013 at 12:46:52AM +0200, Guido Witmond wrote:
Perhaps someone else can take a stab at it. My impression is
that a non-trivial fraction of the early implementations are
substantively flawed. Caveat emptor.
I've updated the Extended DNSSEC Validator up to 0.8 in the past
and got its maintainer Danny to incorporate my changes. It has all
the flaws mentioned before but I consider it a good start. And no,
not ready for production, yet.
More than "not ready for production" it is deeply flawed. It fails
to check that the certificates in the "chain" are actually linked to
each other with each issuer at depth n+1 verified as the signer of an
unexpired subject certificate at depth n. It also does not check
basic constraints or key usage bits. It is trivial to concoct bogus
chains that pass validation via this extension.
Testing that it validates correct chains is the easy part, it MUST
fail to validate invalid chains, and here it bombs spectacularly.
You are completely right. Thank you for pointing those out, it helps me
on my journey to become an expert. One has to start somewhere... :-)
For me, this plug-in is what got me interested in DNSSEC and DANE. I'm
very grateful for all the hard work that the real experts have done on
it. Without it we cannot leave the current PKI(X) mess of having other
people decide which Certificate Authorities I have to trust.
With DANE usage 2 0 0, we can do even more than just authenticate a web
site to a browser. We can bootstrap secure, private, anonymous client
certificates for the web. [1]
Users should steer clear of amateur DANE implementations.
Flamebait: I hope that users, developers, journalists, politicians, all
start to use this flawed plug-in to see what can be done and demand a
more safe and secure internet without global CAs violating our trust by
selling root certificates for MitM spy devices.
Respectfully, Guido Witmond.
[1]: http://eccentric-authentication.org/
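The checks Viktor lists above (each issuer at depth n+1 must be a CA, carry keyCertSign, and actually have signed an unexpired subject at depth n), as an added Go example that is not part of this thread or of the Extended DNSSEC Validator plug-in. The trust anchor is assumed to be the certificate already matched by the usage 2 TLSA record; the names, serials and keys are constructed fixtures, and the bogus chain presents an unrelated CA with the same name as the real anchor as the leaf's issuer.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// ValidateChain walks chain[0] (end entity) up to chain[len-1] (the trust anchor, already
// matched by the TLSA record) and rejects any link the plug-in criticised above would accept.
func ValidateChain(chain []*x509.Certificate, now time.Time) error {
	for n := 0; n+1 < len(chain); n++ {
		subj, issuer := chain[n], chain[n+1]
		if now.Before(subj.NotBefore) || now.After(subj.NotAfter) {
			return fmt.Errorf("depth %d: outside validity period", n)
		}
		if !issuer.BasicConstraintsValid || !issuer.IsCA || issuer.KeyUsage&x509.KeyUsageCertSign == 0 {
			return fmt.Errorf("depth %d: issuer lacks cA basicConstraints or keyCertSign", n+1)
		}
		if err := subj.CheckSignatureFrom(issuer); err != nil { // the actual cryptographic link
			return fmt.Errorf("depth %d: not signed by depth %d: %v", n, n+1, err)
		}
	}
	return nil
}
func tmpl(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate { // constructed fixture
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku}
}
func mint(t, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err) // fixture construction failed, not a validation result
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return c
}
// Demo validates a genuine TA -> leaf chain and a bogus one whose issuer merely shares the TA's name.
func Demo() (genuine, bogus error) {
	taPub, taKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	taT, rogueT := tmpl("Example TA", 1, x509.KeyUsageCertSign), tmpl("Example TA", 3, x509.KeyUsageCertSign)
	ta := mint(taT, taT, taPub, taKey)                // self-signed trust anchor
	rogue := mint(rogueT, rogueT, roguePub, rogueKey) // same name as the TA, unrelated key, never signed leaf
	leaf := mint(tmpl("www.example.com", 2, x509.KeyUsageDigitalSignature), ta, leafPub, taKey)
	genuine = ValidateChain([]*x509.Certificate{leaf, ta}, time.Now())
	bogus = ValidateChain([]*x509.Certificate{leaf, rogue}, time.Now()) // names line up, signature fails
	return genuine, bogus
}
```

A checker that only compared issuer and subject names, or never verified signatures at all, would accept the second chain; this one reports the failing depth.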
dane mailing list
https://www.ietf.org/mailman/listinfo/dane