Matt McCutchen's Web Site: Cryptographic service identity

Cryptographic service identity

Every day, I make TLS connections to many different secure services, which today are associated with host names in the IANA DNS.  You probably do too.  Keeping these connections secure is a big deal.  The crux of the problem is to authenticate the server as a legitimate host of the logical service you want, however defined; other than that, it is just a matter of employing the right cryptographic algorithms and protocols.

DANE is the natural solution for services associated with DNS names, and will be a huge step forward from the inconvenient and increasingly untrustworthy public CA system.  But in principle, the idea that IANA, Verisign GRS, etc. can do a better job of naming and maintaining a relationship with my friend than I can is absurd.  I look forward to a system based on local names and introductions, like UIA, that can also handle the IANA DNS as one case.

But this is a long way off, and DNSSEC even has some support for direct relationships with others, avoiding exposure to third parties, via trust anchor pinning.  For now, I am helping to push DANE forward.  To this end...

DANE implementation for NSS

I have completed a proof-of-concept implementation of DANE for NSS, available in the form of a patch.  See the included security/nss/README.dane.

Description             File                      Size   Modification time
current patch           nss-dane-20110413.patch   19202  2011-04-13 06:26:57 +0000
obsolete patch (SHA-1)  nss-dane-20110215.patch   18713  2011-02-16 05:03:55 +0000

You can test this against the mattmccutchen.net zone with TLSA_RRTYPE=65468.  I will publish the tools I use to maintain the TLSA data when I have a chance.
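
As an added example (not code from this page or from the NSS patch) of the check a DANE verifier performs once it has fetched a TLSA record: it follows the field layout later published in RFC 6698 (usage, selector, matching type, association data), which post-dates this prototype and its private-use RR type 65468, and the certificate and SPKI bytes are constructed stand-ins that a real verifier would take from the parsed end-entity certificate.

```python
import hashlib
from typing import NamedTuple

# Added example, not code from this page or the NSS patch.  It implements the
# TLSA association check of RFC 6698, which was published after this 2011
# prototype (the prototype served its records under private RR type 65468).

class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def parse_tlsa(rdata: bytes) -> TLSA:
    """Decode TLSA wire-format RDATA: three fixed octets, then the data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))

def association_data(selector: int, mtype: int,
                     cert_der: bytes, spki_der: bytes) -> bytes:
    """The data a TLSA record must carry to match this certificate.
    Raises KeyError for selector/matching-type values this code doesn't know."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return selected
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], selected).digest()

def build_tlsa(usage: int, selector: int, mtype: int,
               cert_der: bytes, spki_der: bytes) -> bytes:
    """Encode the RDATA a zone operator would publish for this certificate."""
    return bytes([usage, selector, mtype]) + association_data(
        selector, mtype, cert_der, spki_der)

def tlsa_matches(rdata: bytes, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies this TLSA record.
    A record with an unknown selector or matching type is "unusable" and
    never matches; a verifier must not treat it as a pass."""
    rec = parse_tlsa(rdata)
    try:
        expected = association_data(rec.selector, rec.mtype, cert_der, spki_der)
    except KeyError:
        return False
    return expected == rec.data

# Constructed stand-ins for a DER certificate and the SPKI extracted from it
# (a real verifier takes both from the parsed end-entity certificate).
CERT_DER = b"\x30\x82CONSTRUCTED-CERTIFICATE"
SPKI_DER = b"\x30\x59CONSTRUCTED-SPKI"
```

With usage 3 (DANE-EE), selector 1 and matching type 1, `build_tlsa` yields the record a zone would publish and `tlsa_matches` accepts only the certificate whose SPKI hashes to that value.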

Thanks to Dan Kaminsky's Phreeload for showing me how to use libunbound.

For questions or comments about this prototype or the TLSA data on mattmccutchen.net, please email me.  Direct questions or comments about DANE itself to the working group.


Modification time of this page's main source file: 2011-04-13 06:13:34 +0000
Except where otherwise noted, Matt McCutchen waives his copyright to the content of this site.  This site comes with absolutely no warranty.  Why?