Users who will run the test should MAKE SURE to upload ONLY the PUBLIC
certificate portion(s), or such certificate-chain portion (which DOES
NOT INCLUDE ANY PRIVATE KEY portion), into such a textbox.
They SHOULD NOT upload the exact cert file or cert-chain file which
will be used in a real HTTPS server or other TLS-encrypted
scheme/protocol-based server, as such a file may contain private keys.
With such an option (to copy-paste PUBLIC certificate codes), tests
related to "Usage" cases 2 & 3 should succeed.
Or, can your test system pull the "Usage" case 3's TLS cert out of
the TLSA DNS record, if the domain name has declared the FULL TLS cert
code in TLSA? And then, can such a FULL SSL/TLS cert code be used
for initiating an encrypted connection with the DANE-signed
domain-name-based TLS/HTTPS server/URL?
- Bright Star.
Received from Bry8 Star, on 2013-11-07 4:05 AM:
> Hi,
>
> Thanks.
>
> Will it be possible to add another textbox/input-field in this
> tester site, for the DANE-signed domain name that will be tested, to
> allow upload of a pem or crt or cer file which will be used with the
> HTTPS web server, or with another scheme-based server? Or a textbox
> to "paste" the cert or cert-chain code from such a file. So that the
> test can show result info by ruling out that a TLS/SSL cert or
> cert-chain used by the DANE-signed site was not present in the
> visitor's/client-side web browser/OS.
>
> My understanding is, such will allow one to really TEST the DANE/TLSA
> "Usage" 2 and 3 cases.
>
> If you do not have the domain owner's (TLSA "Usage" case 2's or 3's)
> TLS/SSL cert or cert-chain file, then will not your test result
> always fail for those TWO "Usage" cases?
>
> - - - -
>
> For users to test DANE+DNSSEC from their own location/computer,
> mentioned below is one (or two, at a long shot) option(s), out of a
> few other options:
>
> If a local full-DNSSEC-supporting DNS server or DNS resolver software
> is present (for more accurate tests) in the local computer or local
> (trusted) LAN, or in a (local) VM,
>
> then Mozilla Firefox, up to v24.0, (or other Firefox/Gecko/XULRunner
> based web browsers, like GNU IceCat, Iceweasel, etc.) can have
> partial DANE awareness by loading the "Extended DNSSEC Validator"
> ("EDV", a Firefox addon/extension from os3sec.org). This addon helps
> to display info/icons related to DANE/TLSA "Usage" 2 & 3, but has no
> support for Usage 0 or 1 yet. This addon also has DNSSEC awareness
> and can display info related to DNSSEC authentication; it can also
> display info on SSL/TLS cert verification (and certificate-chain
> verification), etc.
>
> But EDV v0.5 (Mozilla), v0.6 (GitHub) or v0.8 (GitHub): none worked
> on Firefox v25.0 or later, last tested on Nov 5, 2013. Based on the
> EDV author's response, it seems he is not interested now in
> continuing development anymore.
>
> And the developer/dev group of "DNSSEC-Validator" (another Firefox
> addon, from CZ.NIC) said on the mailing list that they will add
> support for DANE from next month. Currently it supports displaying
> only DNSSEC (except DANE) related info/icons.
>
>
> - Bright Star.
>
>
>
> Received from Stephen Nightingale, on 2013-11-06 8:58 AM:
>
>> For those DANEs who are in Vancouver, you can talk to Scott Rose or
>> Doug Montgomery about this. Doug will be at the informal DANE lunch
>> tomorrow.
>
>> ========
>
>> NIST has developed a test system for the RFC 6698 DANE protocol.
>> DANE seeks to verify PKIX certificate based Transport Layer Security
>> (RFC 5246 TLS) connections using the Domain Name System as secured
>> by DNSSEC.
>
>> https://www.had-pilot.com/dane/danelaw.html
>
>> The NIST DANE test system has three modes of operation:
>
>> - Test your DANE enabled site:
>> Enter the URL of a site for which a DANE TLSA resource record is
>> provisioned. The system will negotiate the connection, verify with
>> DANE and get the web page - or provide failure diagnostics.
>
>> - A reference test set to test your browser in response to all
>> possible DANE configurations.
>
>> - If your browser is NOT DANE enabled, a reference test set to test
>> a DANE client's response to all possible configurations and return
>> the results to your browser.
>
>> The site is up and available for testing - But it is still early
>> days and there may be occasional outages. Please be patient and/or
>> let us know.
>
>> Stephen Nightingale, NIST
>> HAD Pilot Program
>
>
>> _______________________________________________
>> dane mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/dane
>
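The question above about whether a "Usage" 3 certificate can be pulled out of the TLSA record comes down to the RFC 6698 selector and matching-type fields: only a record with selector 0 (full certificate) and matching type 0 (exact data) carries the complete DER certificate; selector 1 carries only the SubjectPublicKeyInfo, and matching types 1 and 2 carry only a SHA-256 or SHA-512 digest, which is enough to check a presented certificate but not to reconstruct one. The following added example (not code from the thread, the NIST test system, or any of the browser addons mentioned) implements that certificate-association check with the standard library only: a small DER reader to locate the SPKI, a TLSA rdata parser, and a matcher. The certificate it works on is a constructed, unsigned X.509-shaped DER blob built inline so the example runs offline; every name in the block is an assumption of this example.

```python
import hashlib
from dataclasses import dataclass


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo (own tag and length included) of a DER cert."""
    tag, cert_body, _ = der_read(cert_der)     # Certificate ::= SEQUENCE
    tag2, tbs, _ = der_read(cert_body)         # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate")
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                         # serial, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return tbs[pos:end]


@dataclass
class TLSA:
    usage: int        # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int     # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int     # 0 exact data, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa_rdata(text: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 <hex...>' (hex may be split by spaces)."""
    u, s, m, *hexparts = text.split()
    return TLSA(int(u), int(s), int(m), bytes.fromhex("".join(hexparts)))


def tlsa_association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Compute the certificate association data a record would hold for this cert."""
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    """True if cert_der is the certificate this record describes.
    Usage semantics are the caller's job: for usage 3 this check against the
    end-entity cert is the whole DANE decision; for usage 2 the matching cert
    must be a CA in the presented chain that the client then treats as trust anchor."""
    return tlsa_association_data(cert_der, record.selector, record.matching) == record.data


def full_cert_from_tlsa(record: TLSA):
    """Only selector 0 + matching type 0 carries the whole DER certificate."""
    return record.data if (record.selector, record.matching) == (0, 0) else None


def build_toy_cert():
    """Constructed, unsigned, X.509-shaped DER for offline testing; NOT a real certificate."""
    oid_cn = der_tlv(0x06, b"\x55\x04\x03")                                  # 2.5.4.3
    oid_rsa = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")         # rsaEncryption
    oid_sha256rsa = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")   # sha256WithRSAEncryption
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_tlv(0x30, oid_sha256rsa)
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, oid_cn + der_tlv(0x0C, b"example.test"))))
    validity = der_tlv(0x30, der_tlv(0x17, b"231107000000Z") + der_tlv(0x17, b"241107000000Z"))
    rsa_key = der_tlv(0x30, der_tlv(0x02, b"\x00\xc1\x23") + der_tlv(0x02, b"\x01\x00\x01"))
    spki = der_tlv(0x30, der_tlv(0x30, oid_rsa + der_tlv(0x05, b"")) + der_tlv(0x03, b"\x00" + rsa_key))
    tbs = der_tlv(0x30, version + serial + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + bytes(16))), spki


if __name__ == "__main__":
    cert, spki = build_toy_cert()
    rec = parse_tlsa_rdata("3 1 1 " + tlsa_association_data(cert, 1, 1).hex())
    print("3 1 1 matches end-entity cert:", tlsa_matches(rec, cert))
    print("full cert recoverable from 3 1 1:", full_cert_from_tlsa(rec) is not None)
    print("full cert recoverable from 3 0 0:", full_cert_from_tlsa(TLSA(3, 0, 0, cert)) == cert)
```

The builder exists only so the matcher has something to chew on; in practice `cert_der` is the leaf (usage 3) or an intermediate/CA (usage 2) certificate taken from the TLS handshake, and the record comes from a DNSSEC-validated TLSA lookup. For a tester that wants to rule out "the cert was simply not in the browser's store", a pasted PEM body can be base64-decoded to DER and fed to `tlsa_matches` the same way, which is exactly why the public certificate portion, and never a key file, is all such a form needs.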