DANE with OpenSSL: PKIX certificate authentication through DNS using OpenSSL

This is a Bachelor's thesis from the Department of Information Technology (Institutionen för informationsteknologi)

Author: Mathias Samuelsson; [2012]

Abstract:

Background: X.509 is an ITU standard for a public key infrastructure (PKI), which specifies, among other things, formats for public key certificates, certificate requests, certificate revocation lists and a certification path validation algorithm. The X.509 standard was primarily designed to support the X.500 structure. However, today's use cases centre mostly on the Internet. IETF's Public-Key Infrastructure (X.509) working group has adapted the standard to the requirements and structure of the Internet. RFC 5280 specifies the PKIX Certificate and CRL Profile of the X.509v3 certificate standard. PKIX certificates are used for validating the identity or identities of the communicating parties, and optionally establishing secure keying material for protection of a message or a communications channel. Authentication and establishment of a secure communications channel on top of TCP with the Transport Layer Security protocol (TLS, RFC 5247) or the Secure Sockets Layer protocol (SSL) is probably the most common application of PKIX on the Internet. The IETF is converging on a standard for integration of X.509 Public Key Infrastructure with DNS and DNSSEC (DANE). In order to reach wide adoption, the concept must be validated through interoperability tests between multiple independent implementations.

Results: An implementation of the DANE standard has been demonstrated through an extension to the OpenSSL library. All use cases in the DANE standard have been validated to work as documented in the standard.

Conclusions: The DANE standard is implementable and reaches the results it sets out to achieve.
