** This is posted to both UTA and DANE mailgroups. Apologies if you get
it twice. I don't know the overlap of the two groups. **
Some improvements to the DANE Testing site at NIST since I posted to the
dane mailgroup last November.
The site is at: https://www.had-pilot.com/dane/danelaw.html.
It is now possible to test from both TLSlite based and GnuTLS based
clients. The form structure of the site offers the options of connecting to
users' own identified DANE-enabled sites, connecting to the set of sites
listed on Dan York's ISOC DANE 360 page, and getting results therefrom,
or connecting to the NIST 'DANE Reference site' that explores all 0xx,
1xx, 2xx and 3xx Certificate Usage permutations.
Mine was one of the 'DANE-in-the-App' sites that Viktor Dukhovni
reviewed, and he kindly gave an extensive critique. Many of his points
have been addressed. A few things still to clear up:
- I'm not checking for certificate revocation. That is on the list to fix.
- For 0xx and 1xx uses, it is hard to identify a single canonical CA
list. I have overlapping, but different Root Cert sets from Mozilla,
Fedora and Linux Mint. So when searching for an authority to build a
verification chain I cycle through all of these until succeeding or
exhaustion of the possibilities. Some of the DANE 360 listed sets
(including some from members of this group) fail to authenticate because
the root certs are not in my authorities. A golden, canonical CA list
would be nice to find. But I guess that its non-universal availability
is one of the problems of the CA system that DANE is aiming squarely at.
The differences between TLSlite and GnuTLS clients highlight the fact
that there are unresolved interoperability issues among TLS
implementations. It seems reasonable that TLS interoperability testing
be instituted as a prerequisite to DANE testing. The development of a
TLS Interoperability test suite is therefore on our 'to-do' list. I
look forward to seeing the newly upgraded OpenSSL client with added
DANE. It is quite possible that as an interim step before its appearance
I will add this DANE-in-the-App implementation to pyOpenSSL and/or Twisted.
If you find any glaring errors, I will be embarrassed but thankful.
If you find any subtle errors I will be impressed and thankful.
Cheers,
Stephen Nightingale, NIST.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
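As an added illustration (not code from the NIST site or from the post above) of the certificate-usage permutations the post mentions, the following Python sketches the RFC 6698 TLSA matching step of a "DANE-in-the-App" client and shows why 0xx/1xx usages still depend on a local CA list while 2xx/3xx do not. The certificate dictionaries, byte strings and the `pkix_valid` flag are constructed stand-ins; real DER and SPKI bytes would come from the TLS handshake.

```python
import hashlib

# Certificate usage values from RFC 6698 section 2.1.1
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

def selected_data(cert, selector):
    """Selector 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER."""
    return cert["der"] if selector == 0 else cert["spki"]

def association_data(data, mtype):
    """Apply the matching type; None means the record is unusable."""
    if mtype == 0:
        return data                              # exact object
    if mtype == 1:
        return hashlib.sha256(data).digest()     # SHA-256
    if mtype == 2:
        return hashlib.sha512(data).digest()     # SHA-512
    return None

def make_record(usage, selector, mtype, cert):
    """Build the TLSA record that would be published for `cert` (test helper)."""
    return {"usage": usage, "selector": selector, "mtype": mtype,
            "data": association_data(selected_data(cert, selector), mtype)}

def matches(record, cert):
    """Compare one TLSA record against one certificate."""
    computed = association_data(selected_data(cert, record["selector"]),
                                record["mtype"])
    return computed is not None and computed == record["data"]

def dane_verify(records, chain, pkix_valid):
    """True if any TLSA record authenticates the presented chain.

    chain[0] is the end-entity cert; chain[1:] are the CA certs the server
    sent. pkix_valid is the outcome of ordinary chain building against the
    local root store, which only usages 0 and 1 consult (constructed flag).
    """
    for rec in records:
        usage = rec["usage"]
        if usage in (PKIX_TA, PKIX_EE) and not pkix_valid:
            continue                 # 0xx/1xx fail when no local root matches
        if usage in (PKIX_EE, DANE_EE):
            if matches(rec, chain[0]):
                return True          # end-entity cert or key pinned directly
        elif usage in (PKIX_TA, DANE_TA):
            if any(matches(rec, ca) for ca in chain[1:]):
                return True          # a CA in the chain is the trust anchor
    return False
```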