-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

Thanks.

Will it be possible to add another textbox/input-field in this
tester-site, for the DANE-signed domain-name that will be tested, to
allow upload of a pem or crt or cer file which will be used with the
HTTPS Web-Server, or with other scheme based server? Or a textbox
to "paste" the cert or cert-chain code from such file.  So that,
test can show result info, by ruling-out that, a TLS/SSL cert or
cert-chain used by the DANE-signed site, was not present in
visitor's/client side web-browser/OS.

My understanding is, such will allow to really TEST the DANE/TLSA
"Usage" 2 and 3 cases.

If you do not have domain owner's (TLSA "Usage" case 2's or 3's)
TLS/SSL cert or cert-chain file, then will not your test-result
always fail for those TWO "Usage" cases?

- - - - - -

For users to test DANE+DNSSEC from their own location/computer,
mentioned below is one (or two, as a long shot) option(s), out of
a few other options:

If a local full DNSSEC supported DNS-Server or DNS-Resolver software
is present (for more accurate tests) in local computer or local
(trusted) LAN, or in (local) VM.

Then Mozilla Firefox, up to v24.0, (or other firefox/gecko/XUL-runner
based web-browsers, like: GNU IceCat, Iceweasel, etc), can have
partial DANE awareness, by loading the "Extended DNSSEC Validator"
("EDV", a firefox addon/extension from os3sec.org), this addon helps
to display info/icon related to DANE/TLSA "Usage" 2 & 3, but no
support for Usage 0 or 1 yet, this addon also has DNSSEC awareness
and can display info related to DNSSEC authentications, it can also
display info on SSL/TLS cert verification (and certificate chain
verification), etc.

But, EDV v0.5 (mozilla), v0.6 (github) or v0.8 (github), none worked
on Firefox v25.0 or later, last tested on Nov 5, 2013.  Based on EDV
author's response, it seems he is not interested now in continuing
development anymore.

And, developer/dev-group of "DNSSEC-Validator" (another Firefox
addon, from CZ.NIC) said on mailing list, that they will add support
for DANE from next month.  Currently it supports displaying only
DNSSEC (except DANE) related info/icon.


- - Bright Star.



Received from Stephen Nightingale, on 2013-11-06 8:58 AM:
> 
> For those DANEs who are in Vancouver, you can talk to Scott Rose or
> Doug Montgomery about this. Doug will be at the informal DANE lunch
> tomorrow.
> 
> ========
> 
> NIST has developed a test system for the RFC 6698 DANE protocol.
> DANE seeks to verify PKIX certificate based Transport Layer Security
> (RFC 5246 TLS) connections using the Domain Name System as secured
> by DNSSEC.
> 
> https://www.had-pilot.com/dane/danelaw.html
> 
> The NIST DANE test system has three modes of operation:
> 
> - Test your DANE enabled site:
>    Enter the URL of a site for which a DANE TLSA resource record is
> provisioned. The system will negotiate the connection, verify with
> DANE and get the web page - or provide failure diagnostics.
> 
> - A reference test set to test your browser in response to all
> possible DANE configurations.
> 
> - If your browser is NOT DANE enabled, a reference test set to test
> a DANE client's response to all possible configurations and return
> the results to your browser.
> 
> The site is up and available for testing - But it is still early
> days and there may be occasional outages. Please be patient and/or
> let us know.
> 
> Stephen Nightingale, NIST
> HAD Pilot Program
> 
> 
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----