It would be great to see/know what can be used to enable DANE
support in OpenSSL.

Those who are interested in a bit more info on DANE (and related):

https://datatracker.ietf.org/wg/dane/

https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/

http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec

http://www.internetsociety.org/deploy360/resources/dane/

https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources

http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Tools

https://wiki.mozilla.org/Security/DNSSEC-TLS-details

https://addons.mozilla.org/en-us/firefox/addon/extended-dnssec-validator/

http://www.internetsociety.org/deploy360/blog/2013/01/verisign-labs-dane-demonstration-page-and-test-sites/

https://www.gnu.org/software/gnutls/manual/html_node/Certificate-verification.html#DANE-verification

http://www.isc.org/software/bind/dnssec

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_15-1/151_dane.html

https://github.com/pieterlexis/swede

Thanks,
-- Bright Star.



Jakob Bohm, received on 2013-01-09 3:25 PM:
> On 1/9/2013 2:46 PM, Bry8 Star wrote:
>> (reposting this on users list) Hi, When can we expect an
>> OpenSSL release, that will support DANE protocol to verify
>> SSL/TLS certificates (which are added/kept in the DNS RR) using
>> DNSSEC protocols ?
>> 
> 
> Is there an RFC for DANE, or is it still an experimental or
> project-specific protocol?
> 
> Since OpenSSL is mostly a library, the normal/expected way would 
> be for OpenSSL to pass back to the OpenSSL-using application
> with a certificate that needs locating/verification by external
> means.
> 
> This application callback can then implement any needed
> mechanisms, such as ldap lookups over SSL, http(s) downloads,
> lookup in a database or querying using a DNSSEC supporting DNS
> resolver library or simply prompting the user to accept a
> certificate.  Each of those mechanisms can of course itself use
> OpenSSL for its cryptographic security.
> 
> Others on this list may be able to point you to precisely which 
> existing OpenSSL mechanisms can do the trick.
> 
> Enjoy
> 
> Jakob
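
Added example (not part of the original messages and not OpenSSL code): the comparison an application's certificate verification callback would perform for DANE once a DNSSEC-validating resolver has returned the TLSA records for the service. It covers only certificate usage 3 (domain-issued certificate), since usages 0 to 2 also need chain building; the function names and sample bytes are constructed for illustration, and the caller is assumed to supply the peer certificate in DER, its SubjectPublicKeyInfo in DER, and the resolver's DNSSEC validation status.

```python
import hashlib
import hmac
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 0 CA constraint, 1 service cert constraint,
                   # 2 trust anchor assertion, 3 domain-issued certificate
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def parse_tlsa(rdata: bytes) -> TLSA:
    """Split TLSA RDATA: three one-byte fields, then the association data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])

def record_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA record with the certificate presented by the peer."""
    if rr.selector == 0:
        selected = cert_der
    elif rr.selector == 1:
        selected = spki_der
    else:
        return False  # unknown selector: the record is unusable
    if rr.mtype == 0:
        expected = selected
    elif rr.mtype in _DIGESTS:
        expected = _DIGESTS[rr.mtype](selected).digest()
    else:
        return False  # unknown matching type: the record is unusable
    return hmac.compare_digest(expected, rr.data)

def dane_ee_ok(rdatas, dnssec_secure, cert_der, spki_der) -> bool:
    """Accept the leaf only if a DNSSEC-validated usage-3 record matches it."""
    if not dnssec_secure:  # an unsigned or bogus answer proves nothing
        return False
    for rdata in rdatas:
        try:
            rr = parse_tlsa(rdata)
        except ValueError:
            continue  # skip malformed records, keep checking the rest
        if rr.usage == 3 and record_matches(rr, cert_der, spki_der):
            return True
    return False

# Constructed sample input: stand-in byte strings, not a real certificate.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-spki-der"
```
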
