add DNSSEC chain handshake extension to TLS

Status: NEW (Unassigned)
Product / Component: NSS / Libraries
Priority: --
Severity: enhancement
Reported: 7 years ago
Last updated: 3 years ago

Reporter: keeler (Unassigned)

Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment, 2 obsolete attachments

Created attachment 546559: patch that adds this extension

Adds simple handling of an experimental handshake extension to TLS.
The client indicates it wishes to see a DNSSEC chain and the server responds with a blob of data.
(Reporter) updated 7 years ago:
Blocks: 672239
No longer depends on: 672239
David, please include a link to the specification of the format of the server extension and the format of the client extension. The spec. should be written in a similar way to the specs for other TLS extensions (e.g. http://tools.ietf.org/html/rfc4492#section-5.1.1).
Here's the link: https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Format_of_TLS_Extension
Created attachment 546852: patch that adds this extension

updated patch
Attachment #546559 - Attachment is obsolete: true
(Reporter) updated 7 years ago:
Blocks: 672596

(Reporter) updated 7 years ago:
No longer blocks: 672596

(Reporter) updated 7 years ago:
Blocks: 672596
Assignee: nobody → dkeeler
FYI, ... my $.02

NSS got burned pretty badly a number of years ago by implementing an Internet Draft that had not yet become an RFC, and shipping that in products. There were last minute changes before the RFC was published that necessitated changes that broke compatibility. The experience was awful enough that the NSS team adopted a policy of not committing changes to the NSS tree branches from which real releases come until the change has appeared in an RFC (for protocol changes) or in an official NIST publication (for alg changes). Note that being in an experimental RFC is OK.

Please respect that policy in the tree at this time. If this is still an ID, do the work on a new branch in CVS, and then it can be merged when the RFC is published.
Created attachment 555219: patch

Latest version of patch.
Attachment #546852 - Attachment is obsolete: true
(Reporter) updated 6 years ago:
Attachment #555219 - Flags: review?(bsmith)
Comment on attachment 555219 (patch)

Clearing review request until we re-assess how this fits in with our certificate validation improvement plans.
Attachment #555219 - Flags: review?(bsmith)
See Also: → bug 748232
I am not actively working on this.
Assignee: dkeeler → nobody