Security/DNSSEC-TLS: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
 
(9 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{| class="fullwidth-table"
{{FeatureStatus
|-
|Feature name=DNSSEC-TLS
| style="font-weight: bold; background: #DDD;" | Feature  
|Feature stage=Development
| style="font-weight: bold; background: #DDD;" | Status
|Feature status=In progress
| style="font-weight: bold; background: #DDD;" | ETA
|Feature health=OK
| style="font-weight: bold; background: #DDD;" | Owner
}}
|-
{{FeatureTeam
<section begin="status" />
|Feature lead engineer=David Keeler
| [[Security/DNSSEC-TLS|DNSSEC-TLS]]
}}
| {{StatusHealthy|status=Internal demonstration implementation}}
{{FeaturePageBody
| 2011-09-01
|Feature overview=This feature performs domain validation in TLS sessions by using DNSSEC chains.
| [[User:dkeeler|David Keeler]]
|Feature users and use cases=Server administrators can put key/certificate information in DNS records they control (e.g. TLSA records). This information is verifiable through DNSSEC. The browser can then use this in place of or alongside certificate chain validation.
<section end="status" />
|Feature functional spec=https://wiki.mozilla.org/Security/DNSSEC-TLS-details
 
|Feature implementation notes=Tracking bug: [https://bugzilla.mozilla.org/show_bug.cgi?id=672239 672239]
|}
}}
 
{{FeatureInfo
This set of pages documents the TLS domain validation through DNSSEC project. These documents are currently a work in progress. There are likely many errors.
|Feature priority=Unprioritized
 
|Feature theme=Security Leadership
== Summary  ==
|Feature roadmap=Platform
 
|Feature secondary roadmap=Security
This project aims to implement domain validation in TLS sessions through use of DNSSEC chains.
}}
 
{{FeatureTeamStatus}}
== Team  ==
 
Who's working on this?
 
*'''Feature Manager''':
*'''Lead Developer''': [[User:dkeeler|David Keeler]]
*'''Product Manager''':
*'''QA''':
*'''Security''':
*'''Privacy''':
 
== Release Requirements  ==
 
The release requirements include a fully working and well tested implementation of this feature. This includes a server implementation. Currently nginx is being targeted as the server of choice.
 
== Next Steps &amp; Open Issues  ==
 
*{{done|Complete external implementation}}
*{{ok|Complete in-browser demo implementation}}
*{{new|Complete in-browser implementation}}
 
== Related Bugs &amp; Dependencies  ==
 
This feature depends on servers with the ability to send DNSSEC chains. Nginx has been modified to support this, as described in a document to come.
 
== Risks  ==
 
Risks are discussed in the [[Security/DNSSEC-TLS-details#Security Considerations|security considerations]] section of the detailed design page.
 
== Use Cases  ==
 
The use case is anyone running an HTTPS server and anyone wishing to connect to that server using Firefox.
 
== Designs  ==
 
Design specifications are detailed [[Security/DNSSEC-TLS-details|here]].
 
== Test Plans  ==
 
Test plans are [[Security/DNSSEC-TLS-details#Test Plans|here]].
 
== Goals ==
Implement domain validation for TLS connections using DNSSEC in Firefox. That is, in addition to sending a certificate in the TLS handshake, a server would send sufficient DNSSEC records to convince the client of its identity and establish public key material.
 
== Non-Goals  ==
 
To be updated as issues arise.
 
== Other Stuff  ==
 
There is currently no other stuff.
 
== Legend (remove if you like)  ==
 
{| class="fullwidth-table"
|-
| {{StatusHealthy|status=&nbsp;}}
| Healthy: feature is progressing as expected.
|-
| {{StatusBlocked|status=&nbsp;}}  
| Blocked: feature is currently blocked.
|-
| {{StatusAtRisk|status=&nbsp;}}  
| At Risk: feature is at risk of missing its targeted release.
|-
| '''ETA'''
| Estimated date for completion of the current feature task. Overall ETA for the feature is the product release date.
|}
 
__NOTOC__
 
Please remove this line and any non-relevant categories below. Add whatever other categories you feel are appropriate.
 
[[Category:Features]] [[Category:Firefox]] [[Category:Platform]] [[Category:Security]]

Latest revision as of 03:07, 7 February 2012

Please use "Edit with form" above to edit this page.

Status

DNSSEC-TLS
Stage Development
Status In progress
Release target `
Health OK
Status note `

{{#set:Feature name=DNSSEC-TLS

|Feature stage=Development |Feature status=In progress |Feature version=` |Feature health=OK |Feature status note=` }}

Team

Product manager `
Directly Responsible Individual `
Lead engineer David Keeler
Security lead `
Privacy lead `
Localization lead `
Accessibility lead `
QA lead `
UX lead `
Product marketing lead `
Operations lead `
Additional members `

{{#set:Feature product manager=`

|Feature feature manager=` |Feature lead engineer=David Keeler |Feature security lead=` |Feature privacy lead=` |Feature localization lead=` |Feature accessibility lead=` |Feature qa lead=` |Feature ux lead=` |Feature product marketing lead=` |Feature operations lead=` |Feature additional members=` }}

Open issues/risks

`

Stage 1: Definition

1. Feature overview

This feature performs domain validation in TLS sessions by using DNSSEC chains.

2. Users & use cases

Server administrators can put key/certificate information in DNS records they control (e.g. TLSA records). This information is verifiable through DNSSEC. The browser can then use this in place of or alongside certificate chain validation.

3. Dependencies

`

4. Requirements

`

Non-goals

`

Stage 2: Design

5. Functional specification

https://wiki.mozilla.org/Security/DNSSEC-TLS-details

6. User experience design

`

Stage 3: Planning

7. Implementation plan

`

8. Reviews

Security review

`

Privacy review

`

Localization review

`

Accessibility

`

Quality Assurance review

`

Operations review

`

Stage 4: Development

9. Implementation

Tracking bug: 672239

Stage 5: Release

10. Landing criteria

` {{#set:Feature open issues and risks=` |Feature overview=This feature performs domain validation in TLS sessions by using DNSSEC chains. |Feature users and use cases=Server administrators can put key/certificate information in DNS records they control (e.g. TLSA records). This information is verifiable through DNSSEC. The browser can then use this in place of or alongside certificate chain validation. |Feature dependencies=` |Feature requirements=` |Feature non-goals=` |Feature functional spec=https://wiki.mozilla.org/Security/DNSSEC-TLS-details |Feature ux design=` |Feature implementation plan=` |Feature security review=` |Feature privacy review=` |Feature localization review=` |Feature accessibility review=` |Feature qa review=` |Feature operations review=` |Feature implementation notes=Tracking bug: 672239 |Feature landing criteria=` }}

Feature details

Priority Unprioritized
Rank 999
Theme / Goal Security Leadership
Roadmap Platform
Secondary roadmap Security
Feature list `
Project `
Engineering team `

{{#set:Feature priority=Unprioritized

|Feature rank=999 |Feature theme=Security Leadership |Feature roadmap=Platform |Feature secondary roadmap=Security |Feature list=` |Feature project=` |Feature engineering team=` }}

Team status notes

  status notes
Products ` `
Engineering ` `
Security ` `
Privacy ` `
Localization ` `
Accessibility ` `
Quality assurance ` `
User experience ` `
Product marketing ` `
Operations ` `

{{#set:Feature products status=`

|Feature products notes=` |Feature engineering status=` |Feature engineering notes=` |Feature security status=` |Feature security health=` |Feature security notes=` |Feature privacy status=` |Feature privacy notes=` |Feature localization status=` |Feature localization notes=` |Feature accessibility status=` |Feature accessibility notes=` |Feature qa status=` |Feature qa notes=` |Feature ux status=` |Feature ux notes=` |Feature product marketing status=` |Feature product marketing notes=` |Feature operations status=` |Feature operations notes=` }}


Retrieved from "https://wiki.mozilla.org/index.php?title=Security/DNSSEC-TLS&oldid=394688"