On Fri, Dec 13, 2013 at 03:11:38PM -0500, John Allen wrote:

> Does anybody know of a good, but simple write-up on DANE and TLSA.
> It has to be simple enough for me to understand (assume idiot).

An explanation of what DANE TLSA is for[*]? Or how to set up Postfix to
work with it?

If the latter, setting up a client to verify DANE TLSA?

    http://www.postfix.org/TLS_README.html#client_tls_dane

Or setting up a server to be verifiable with DANE TLSA? There is some
text on this in TLS_README in the server certificate section, but we
could perhaps add a DANE_README at some point or expand the server text
if it is not sufficiently detailed.

The main difficulty with server-side DANE is that your zone must be
DNSSEC signed. Deployment of DNSSEC is still fairly thin. With a bit
of luck DANE might motivate folks to consider DNSSEC.

-- 
	Viktor.

[*] DANE TLSA replaces the multitude of trusted SSL certificate
authorities, that can issue certificates for any name, with the
hierarchy of DNSSEC authorities. Each domain can sign the keys of its
child domains and the data records of its own zones, including TLSA
records, which can bind service end-points (_25._tcp.mail.example.com)
to associated certificates, either the leaf certificate:

    _25._tcp.mail.example.com IN TLSA 3 1 1 <sha256 digest of public key>

or a chosen (public or private) issuing CA:

    _25._tcp.mail.example.com IN TLSA 2 1 1 <sha256 digest of public key>

In the latter case the server's chain file MUST include the issuing CA.
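The two TLSA forms above, worked through in code. This is an added example and is not part of Viktor's post or of Postfix; it uses only the Python standard library. The "certificates" are constructed DER skeletons that follow the real X.509 field order (so the SubjectPublicKeyInfo extraction is the same walk you would do on a real certificate), but their key material and signatures are placeholder bytes. The owner name `_25._tcp.mail.example.com` is taken from the post; the names `make_cert`, `tlsa_rdata`, `dane_match`, `LEAF_CERT` and `CA_CERT` are this example's own. It shows why the "2 1 1" record only matches when the server's chain actually carries the issuing CA.

```python
"""Build and match DANE TLSA records (RFC 6698 presentation format) for the
two usages in the post: 3 1 1 (DANE-EE, leaf key) and 2 1 1 (DANE-TA, CA key).
Added example, stdlib only; certificates below are constructed DER skeletons."""
import hashlib

# ---- tiny DER encoder/decoder -------------------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def der_read(buf: bytes, pos: int):
    """Return (tag, value, end) for the TLV that starts at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def spki_of(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.
    tbsCertificate = [0] version OPTIONAL, serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ... (RFC 5280, 4.1)."""
    _, cert_body, _ = der_read(cert_der, 0)  # Certificate SEQUENCE
    _, tbs, _ = der_read(cert_body, 0)       # tbsCertificate SEQUENCE
    pos = 0
    tag, _, end = der_read(tbs, pos)
    if tag == 0xA0:                          # explicit version present: skip
        pos = end
    for _ in range(5):                       # serial, sigalg, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    start = pos
    _, _, end = der_read(tbs, pos)
    return tbs[start:end]

# ---- constructed sample certificates (structure only, placeholder keys) --
_RSA_OID = der(0x06, bytes.fromhex("2A864886F70D010101"))        # rsaEncryption
_SHA256_RSA = der_seq(der(0x06, bytes.fromhex("2A864886F70D01010B")), der(0x05, b""))

def _name(cn: str) -> bytes:
    atv = der_seq(der(0x06, bytes.fromhex("550403")), der(0x0C, cn.encode()))  # CN=
    return der_seq(der(0x31, atv))

def _spki(key_material: bytes) -> bytes:
    return der_seq(der_seq(_RSA_OID, der(0x05, b"")), der(0x03, b"\x00" + key_material))

def make_cert(subject: str, issuer: str, spki: bytes) -> bytes:
    version = der(0xA0, der(0x02, b"\x02"))                       # v3
    serial = der(0x02, b"\x01")
    validity = der_seq(der(0x17, b"131213000000Z"), der(0x17, b"141213000000Z"))
    tbs = der_seq(version, serial, _SHA256_RSA, _name(issuer), validity, _name(subject), spki)
    sig = der(0x03, b"\x00" + b"\x00" * 32)                       # placeholder signature
    return der_seq(tbs, _SHA256_RSA, sig)

LEAF_SPKI = _spki(b"constructed-leaf-key-material")
CA_SPKI = _spki(b"constructed-ca-key-material")
LEAF_CERT = make_cert("mail.example.com", "Example Issuing CA", LEAF_SPKI)
CA_CERT = make_cert("Example Issuing CA", "Example Issuing CA", CA_SPKI)

# ---- TLSA records -------------------------------------------------------
def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """RDATA 'usage selector matching-type hex': selector 0 = full cert,
    1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        assoc = data
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc.hex()}"

def tlsa_record(owner: str, cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    return f"{owner} IN TLSA {tlsa_rdata(cert_der, usage, selector, mtype)}"

def dane_match(rdata: str, chain: list) -> bool:
    """Digest-matching step only. Usage 3 (DANE-EE) must match the leaf the
    server presents; usage 2 (DANE-TA) must match a CA certificate that the
    server actually sent in its chain, which is why the chain file must
    include the issuing CA. Path validation leaf -> TA is not modelled here."""
    u, s, m, hexdata = rdata.split()
    u, s, m = int(u), int(s), int(m)
    want = f"{u} {s} {m} {hexdata.lower()}"
    if u == 3:
        candidates = chain[:1]
    elif u == 2:
        candidates = chain[1:]
    else:
        raise ValueError("usages 0 and 1 also need PKIX validation; not modelled")
    return any(tlsa_rdata(c, u, s, m) == want for c in candidates)

if __name__ == "__main__":
    owner = "_25._tcp.mail.example.com"
    print(tlsa_record(owner, LEAF_CERT, 3, 1, 1))
    print(tlsa_record(owner, CA_CERT, 2, 1, 1))
    ta = tlsa_rdata(CA_CERT, 2, 1, 1)
    print("2 1 1 with issuing CA in chain:", dane_match(ta, [LEAF_CERT, CA_CERT]))
    print("2 1 1 with leaf-only chain    :", dane_match(ta, [LEAF_CERT]))
```

Running it prints the two records in the same shape as the post and then `True` / `False` for the DANE-TA case, the second line being exactly the failure a server sees when its chain file omits the issuing CA. On a real deployment the digest in the "3 1 1" record is the SHA-256 of the DER SubjectPublicKeyInfo, which is what `spki_of` isolates.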