On 29-05-13 03:29, Viktor Dukhovni wrote:
> On Tue, May 28, 2013 at 05:56:02PM -0700, Bry8 Star wrote:
> > http://xkcd.com/1181
> > on windows side, users (including me) are using, two firefox addons:
> > "Extended DNSSEC Validator" (www.os3sec.org),
> The code I found for this on github does not support certificate
> usage 0 or 1 and ignores the TLSA RR selector, always matching the
> certificate and not the public key. It appears to hardcode port
> 443 for TLSA RR lookups, rather than use the port from the URI.
> It is far from clear how it handles name checks. Likely many more
> problems.
> At first glance it is a toy not suitable for serious use.
> Perhaps someone else can take a stab at it. My impression is that
> a non-trivial fraction of the early implementations are substantively
> flawed. Caveat emptor.
I've updated the Extended DNSSEC Validator up to 0.8 in the past and got
its maintainer Danny to incorporate my changes. It has all the flaws
mentioned before but I consider it a good start.
And no, not ready for production, yet.
I've got some more updates. It validates TLSA 2 0 0 correctly. Just
check out https://dating.wtmnd.nl:10443/ with it. It has a valid 2 0 0
certificate. It should validate.
You can find my toy at:
https://github.com/gwitmond/Extended-DNSSEC-Validator.git
Cheers, Guido Witmond.
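For readers following Viktor's list of flaws, here is an added reference implementation (mine, not code from the thread or from the Extended DNSSEC Validator addon) of the TLSA pieces he says the early code gets wrong: the lookup name is built from the URI's port instead of a fixed 443, the selector picks the whole certificate or only the SubjectPublicKeyInfo, and usages 0 and 1 are flagged as still needing ordinary PKIX validation. It assumes the caller already has the DER certificate and its DER SPKI for each chain element; the test data below is constructed, not a real certificate.

```python
import hashlib
from urllib.parse import urlsplit

# Field values from RFC 6698 section 2.1.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

def tlsa_qname(uri, default_ports={"https": 443}):
    """Owner name for the TLSA lookup, taken from the URI's port (not a fixed 443)."""
    u = urlsplit(uri)
    port = u.port or default_ports.get(u.scheme)
    if not u.hostname or port is None:
        raise ValueError("cannot derive a TLSA name from %r" % uri)
    return "_%d._tcp.%s." % (port, u.hostname.rstrip("."))

def association_data(selector, cert_der, spki_der):
    """Selector 0 = whole certificate, 1 = SubjectPublicKeyInfo only; else None."""
    return {SELECTOR_CERT: cert_der, SELECTOR_SPKI: spki_der}.get(selector)

def matching_value(mtype, data):
    """Apply the matching type: 0 = raw data, 1 = SHA-256, 2 = SHA-512; else None."""
    if data is None:
        return None
    if mtype == MATCH_EXACT:
        return data
    if mtype == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    return None  # unknown type: the record is unusable, never a match

def rr_matches(rr, cert_der, spki_der):
    """rr is (usage, selector, matching_type, certificate_association_data)."""
    usage, selector, mtype, data = rr
    value = matching_value(mtype, association_data(selector, cert_der, spki_der))
    return value is not None and value == data

def dane_check(rr, chain):
    """chain: list of (cert_der, spki_der), leaf first, as presented by the server.
    Returns (matched, pkix_required). Usages 1 and 3 must match the leaf;
    usages 0 and 2 may match any presented chain element (simplification:
    a usage-2 anchor not sent in the chain is not handled here). Usages 0
    and 1 additionally require normal PKIX validation against the CA store."""
    usage = rr[0]
    candidates = chain[:1] if usage in (USAGE_PKIX_EE, USAGE_DANE_EE) else chain
    matched = any(rr_matches(rr, c, s) for c, s in candidates)
    return matched, usage in (USAGE_PKIX_TA, USAGE_PKIX_EE)
```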
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane