On the Windows side, users (including me) are using two Firefox add-ons: "Extended DNSSEC Validator" (www.os3sec.org) and "DNSSEC Validator" (www.dnssec-validator.cz). These two are able to use a local or remote DNSSEC-validation-supporting DNS resolver/server, and seem to be able to handle at least the "2 s m" and "3 s m" TLSA cases.

-- Bright Star. (Bry8Star).

Received from Viktor Dukhovni, on 2013-05-28 8:51 AM:
> On Tue, May 28, 2013 at 07:20:15AM -0700, Wes Hardaker wrote:
>
>> It's worth noting, since Viktor unintentionally glossed over it, that
>> the base TLSA definition does include definitions for how to use it over
>> TLS and targeted toward HTTPS specifically, so another document isn't
>> needed for that case. The other protocols he mentioned still need some
>> definition and binding, however.
>
> Yes, my response was perhaps too brief. For HTTPS, RFC 6698 is
> largely sufficient. There is a corner case with "2 1 [12]" TLSA RRs
> and an unstated requirement for servers to include the TA certificate
> in their chain. Many verifier implementations don't correctly handle
> "2 1 0" TLSA RRs.
>
>>> OpenSSL does not yet provide ready-to-use DANE verification code,
>>> so applications based on OpenSSL have to roll their own.
>>
>> Or use another library that provides DANE validation hooks to use for
>> OpenSSL verification links.
>>
>> (eg:
>> https://www.dnssec-tools.org/svn/dnssec-tools/trunk/htdocs/docs/tool-description/val_getdaneinfo.html
>> )
>
> This library's (latest 2.0 release) implementation of certificate
> usage 2 is rather broken: none of the "2 x y" cases are implemented
> correctly.
>
> More fundamentally, this library is (as evidenced by the curl patch)
> intended to be used after a permissive SSL verification callback
> which ignores all errors (or equivalently with any callback and
> SSL_VERIFY_NONE set). This will ignore parent-child signature
> errors and expiration problems in the certificate chain.
>
> Since applications generally expect PKIX validation to be performed
> during the handshake, application code that runs post-handshake
> rarely if ever performs a complete set of PKIX checks.
>
> Thus also with certificate usage 0 and 1 the patched curl will not
> in fact validate the PKIX certificate chain. So only certificate
> usage 3 may work (at first glance), the others are definitely
> broken.
>
>> It shouldn't be hard to get up and running today, and many applications
>> and examples exist for you to glance at and study:
>>
>> https://www.dnssec-tools.org/svn/dnssec-tools/trunk/dnssec-tools/apps/curl/curl-7.29.0.patch
>
> Which in turn breaks the patched curl. Support for DANE in this
> library needs to be fixed or withdrawn.

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
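As an added illustration of the RFC 6698 checks discussed in the thread (this is not code from the thread, from dnssec-tools or from curl), the block below builds TLSA association data for the selector/matching-type combinations, extracts the SubjectPublicKeyInfo with a minimal DER walker, and shows why a verifier that skips chain validation can only ever get certificate usage 3 right. The certificates it matches against are constructed stand-ins with the tbsCertificate field layout only, and `chain_validated` stands for the caller's own signature/expiry result; for usage 2 the simplified form assumes the trust-anchor certificate is present in the presented chain.

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_children(blob):
    """Yield (tag, body) for each TLV inside a constructed DER body."""
    i = 0
    while i < len(blob):
        tag, n, i = blob[i], blob[i + 1], i + 2
        if n & 0x80:                    # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(blob[i:i + k], "big"), i + k
        yield tag, blob[i:i + n]
        i += n

def extract_spki(cert_der):
    """SubjectPublicKeyInfo is the 7th tbsCertificate field (6th when [0] version is absent)."""
    _, cert_body = next(der_children(cert_der))   # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs = next(der_children(cert_body))
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                       # explicit [0] version tag
        fields = fields[1:]
    return der(*fields[5])

def tlsa_rdata(selector, mtype, cert_der):
    """Association data: selector 0 = full cert, 1 = SPKI; mtype 0/1/2 = exact/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data                                # e.g. the "2 1 0" case: the raw SPKI itself
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()

def dane_verify(usage, selector, mtype, assoc, chain, chain_validated):
    """chain[0] is the end-entity cert; chain_validated is the caller's signature/expiry result
    (against the PKIX store for usage 0/1, up to the TLSA trust anchor for usage 2)."""
    match = lambda c: tlsa_rdata(selector, mtype, c) == assoc
    if usage == 3:                        # DANE-EE: the record alone is the trust anchor
        return match(chain[0])
    if not chain_validated:               # a permissive callback leaves usages 0-2 unverified
        return False
    if usage == 1:                        # PKIX-EE
        return match(chain[0])
    if usage in (0, 2):                   # PKIX-TA / DANE-TA: record names a CA in the chain
        return any(match(c) for c in chain[1:])
    raise ValueError("unknown certificate usage")

def fake_cert(subject, spki):
    """Constructed stand-in with only the tbsCertificate field layout; not a real certificate."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + der(0x30, b"") + der(0x30, b"") + der(0x30, der(0x0C, subject)) + der(0x30, spki))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00sig"))
EE, CA = fake_cert(b"ee", b"\x00ee-key"), fake_cert(b"ca", b"\x00ca-key")
```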
