Slide1
EMU and DANE
Jim Schaad
August Cellars
Slide2
EMU TLS Issues
Trust Anchor
Matching PKIX cert to EMU Server Name
Certificate Revocation Checking
CRLs
OCSP
Slide3
DANE Review
Use DNS as alternative or secondary trust framework
New Records for cert/public key information
Naming: _<port>._<protocol>.<Domain Name>
Matching:
Trust Anchor (Root)
CA
EE
Slide4
DANE Stapling
Addresses Trust Anchor Issue
Addresses matching Certificate Name
Create a new _teap._emu.<Domain Name> DNS record set
Use existing TLSA records
Build list of DNSSEC records and pass in TLS extension
If necessary – new record for name matching
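A worked illustration of the DANE naming and matching sketched on slides 3 and 4, including a TLSA record set at the proposed _teap._emu.<Domain Name> owner name; this is example code added here, not the presentation's own. The DER certificate bytes are constructed stand-ins, example.com is a placeholder domain, and the usage-type matching rule is a deliberate simplification of RFC 6698.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSARecord:  # one TLSA RDATA (RFC 6698)
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def tlsa_owner_name(service, protocol: str, domain: str) -> str:
    """Owner name _<service>._<protocol>.<domain>. (service is normally the port number)."""
    return f"_{service}._{protocol}.{domain.rstrip('.')}."

MATCHERS = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(), 2: lambda b: hashlib.sha512(b).digest()}

def association_data(selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Select the full certificate (0) or its SPKI (1), then apply the matching type."""
    return MATCHERS[matching](cert_der if selector == 0 else spki_der)

def make_tlsa(usage: int, selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> TLSARecord:
    return TLSARecord(usage, selector, matching, association_data(selector, matching, cert_der, spki_der))

def to_presentation(rec: TLSARecord) -> str:
    return f"{rec.usage} {rec.selector} {rec.matching} {rec.data.hex()}"

def parse_tlsa(text: str) -> TLSARecord:
    usage, selector, matching, hexdata = text.split()
    return TLSARecord(int(usage), int(selector), int(matching), bytes.fromhex(hexdata))

def tlsa_matches(rec: TLSARecord, chain: list) -> bool:
    """chain = [(cert_der, spki_der), ...], end-entity first. Simplified rule: EE usages
    (1, 3) are checked against the leaf only, TA usages (0, 2) against the issuers above it."""
    candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
    return any(association_data(rec.selector, rec.matching, c, k) == rec.data for c, k in candidates)

def check_server_chain(rrset: list, chain: list) -> bool:
    """The presented chain is accepted when any TLSA record in the set matches it."""
    return any(tlsa_matches(parse_tlsa(r), chain) for r in rrset)

# Constructed stand-ins for DER certificates and their SPKIs (not real X.509 bytes).
LEAF = (b"constructed-der:leaf-cert", b"constructed-der:leaf-spki")
CA = (b"constructed-der:ca-cert", b"constructed-der:ca-spki")
ROOT = (b"constructed-der:root-cert", b"constructed-der:root-spki")
CHAIN = [LEAF, CA, ROOT]
EMU_NAME = tlsa_owner_name("teap", "emu", "example.com")  # name slide 4 proposes; example.com is a placeholder
EMU_RRSET = [
    to_presentation(make_tlsa(3, 1, 1, *LEAF)),  # DANE-EE, SPKI, SHA-256: pins the server key
    to_presentation(make_tlsa(2, 0, 1, *ROOT)),  # DANE-TA, full cert, SHA-256: the trust anchor
]
```

Publishing both a DANE-EE and a DANE-TA record lets the server key rotate under the same anchor without the record set going stale all at once.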
Slide5
OCSP Stapling
Addresses certificate chain validation
Pass OCSP responses in TLS extension
Need to establish trust in OCSP responder
Maybe fix with DANE record
Maybe fix by returning CRLs
Maybe fix by making the Trust Anchor the OCSP responder
Slide6
Work List
Need DANE naming convention done in EMU
Need DANE stapling TLS extension – Probably done in DANE
Need OCSP stapling TLS extension done in TLS
draft-pettersen-tls-ext-multiple-ocsp-03.txt
Slide7
Questions?