I'm afraid that implementing DANE would cause new certification vendors not to come into the market.

- SUGI

2013/1/10 Bry8 Star <bry8s...@yahoo.com>
> It would be great to see/know what can be used to enable DANE
> support in OpenSSL.
>
> Those who are interested in a bit more info on
> DANE (and related):
>
> https://datatracker.ietf.org/wg/dane/
>
> https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/
>
> http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
>
> http://www.internetsociety.org/deploy360/resources/dane/
>
> https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources
>
> http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Tools
>
> https://wiki.mozilla.org/Security/DNSSEC-TLS-details
>
> https://addons.mozilla.org/en-us/firefox/addon/extended-dnssec-validator/
>
> http://www.internetsociety.org/deploy360/blog/2013/01/verisign-labs-dane-demonstration-page-and-test-sites/
>
> https://www.gnu.org/software/gnutls/manual/html_node/Certificate-verification.html#DANE-verification
>
> http://www.isc.org/software/bind/dnssec
>
> http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_15-1/151_dane.html
>
> https://github.com/pieterlexis/swede
>
> Thanks,
> -- Bright Star.
>
>
>
> Jakob Bohm, received on 2013-01-09 3:25 PM:
> > On 1/9/2013 2:46 PM, Bry8 Star wrote:
> >> (reposting this on users list) Hi, When can we expect an
> >> OpenSSL release that will support the DANE protocol to verify
> >> SSL/TLS certificates (which are added/kept in the DNS RR) using
> >> DNSSEC protocols?
> >>
> >
> > Is there an RFC for DANE, or is it still an experimental or
> > project-specific protocol?
> >
> > Since OpenSSL is mostly a library, the normal/expected way would
> > be for OpenSSL to pass back to the OpenSSL-using application
> > with a certificate that needs locating/verification by external
> > means.
> >
> > This application callback can then implement any needed
> > mechanisms, such as ldap lookups over SSL, http(s) downloads,
> > lookup in a database or querying using a DNSSEC supporting DNS
> > resolver library or simply prompting the user to accept a
> > certificate. Each of those mechanisms can of course itself use
> > OpenSSL for its cryptographic security.
> >
> > Others on this list may be able to point you to precisely which
> > existing OpenSSL mechanisms can do the trick.
> >
> > Enjoy
> >
> > Jakob
> >
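The application-side check Jakob describes, as an added example that is not part of this thread or of OpenSSL: given the peer certificate in DER form and the RDATA of one TLSA record (usage, selector, matching type, association data, as laid out in the DANE TLSA draft) that the application has already fetched through a DNSSEC-validating resolver, it decides whether a DANE-EE record matches. The minimal DER walker, the toy certificate and the `assoc_data`/`tlsa_matches` names are my own constructions, not an OpenSSL API.

```python
import hashlib

def der_read(buf):
    """Return (tag, value, rest) for the first DER TLV in buf."""
    tag, first = buf[0], buf[1]
    length, start = first, 2
    if first & 0x80:  # long-form length: low bits give the byte count
        n = first & 0x7F
        length, start = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[start:start + length], buf[start + length:]

def der_children(seq_value):
    out, rest = [], seq_value  # each element kept as its full TLV bytes
    while rest:
        _, _, after = der_read(rest)
        out.append(rest[:len(rest) - len(after)])
        rest = after
    return out

def spki_from_cert(cert_der):
    """Encoded SubjectPublicKeyInfo: 7th TBS field when [0] version is present."""
    _, cert, _ = der_read(cert_der)  # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)       # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

def assoc_data(selector, mtype, cert_der):
    """Certificate association data for a TLSA selector / matching type."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return data
    if mtype in (1, 2):
        return hashlib.new("sha256" if mtype == 1 else "sha512", data).digest()
    raise ValueError("unknown matching type %d" % mtype)

def tlsa_matches(rdata, cert_der):
    """Check the peer cert against one TLSA RR. Only DANE-EE (usage 3) is
    decided here; usages 0-2 also need a PKIX chain the application builds."""
    if rdata[0] != 3:
        raise NotImplementedError("usages 0-2 need chain validation")
    return rdata[3:] == assoc_data(rdata[1], rdata[2], cert_der)

def tlv(tag, content):  # short-form DER, enough for the constructed sample
    return bytes([tag, len(content)]) + content

# Constructed toy certificate: just the DER skeleton a DANE check walks
# (empty issuer/subject/validity, dummy EC public key, dummy signature).
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
        + tlv(0x03, b"\x00\x04" + b"\x11" * 8))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
        + tlv(0x30, b"") * 4 + SPKI)
CERT = tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

A real deployment would run this inside the verify callback against every TLSA record returned for the service name and port, and accept the connection only if the DNSSEC answer was authenticated and at least one record matches.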