DCDT Maintenance/Trust Anchor Download Required

Elizabeth So

May 4, 2016, 5:23:02 PM
to Direct Certificate Discovery Tool

Due to maintenance, a new trust anchor is expected to be generated on Friday, May 6, 2016 around 9 am for all demo versions of DCDT. Therefore, it will be necessary to re-download the trust anchor and install it to your Direct system once the maintenance has been completed. In addition, the Direct addresses for the Discovery testcases will be changed as the demo versions of DCDT will be associated with new (sub)domains. We’ll provide any updates if the timing of the maintenance changes.


We apologize for any inconvenience.


DCDT Dev Team

Elizabeth So

May 6, 2016, 8:59:43 AM
to Direct Certificate Discovery Tool
Maintenance of both DCDT demo versions will start at 9 am. An update will be posted here once the maintenance has been completed.

DCDT Dev Team

Elizabeth So

May 6, 2016, 9:22:33 AM
to Direct Certificate Discovery Tool
Maintenance of both DCDT demo versions has been completed and they are available at http://sitenv.org/web/site/direct-certificate-discovery-tool and http://sitenv.org/web/site/direct-certificate-discovery-tool-2015.

Before running any of the Discovery testcases, please download the new trust anchor and install it in your Direct system. Then, map your Direct address from which you will be sending messages to a non-Direct email address where you will receive your results. Please note the new subdomains used for the Discovery testcase addresses.

Thanks,

DCDT Dev Team

jch...@athenahealth.com

Jun 7, 2016, 1:10:22 PM
to Direct Certificate Discovery Tool
Clicking the link to download the trust anchor doesn't work. The host refuses to respond.

jch...@athenahealth.com

Jun 7, 2016, 1:12:45 PM
to Direct Certificate Discovery Tool, jch...@athenahealth.com
Following up, the hyperlink to download the anchor links to port :8080. I tried going to port :80 and was able to download the anchor.

sandeep...@gmail.com

Jun 7, 2016, 1:58:59 PM
to Direct Certificate Discovery Tool, jch...@athenahealth.com
Hello,

We are able to download the trust anchors on SITE for both DCDT 2014 and 2015 without changing any ports.

Can you please try again?

2015:

2014:

Thanks,

Sandeep

jch...@athenahealth.com

Jun 7, 2016, 2:09:16 PM
to Direct Certificate Discovery Tool, jch...@athenahealth.com, sandeep...@gmail.com
Could be a firewall issue on my end; I was able to access :8080 from a different location. Still would recommend hosting it at :80 as a more standard option. Thanks!

Nagesh Bashyam

Jun 7, 2016, 2:19:02 PM
to directt...@googlegroups.com, sandeep...@gmail.com

Thank you for investigating.

anilja...@gmail.com

Nov 9, 2016, 1:37:16 AM
to Direct Certificate Discovery Tool
Hi,
I am able to pass Discovery test cases D1-D16 but am failing on the newly added D17 & D18.
What am I missing, or how can I pass it?

Discovery testcase D17_DNS_AB_CRLRevocation (D17 - CRL-based revocation checking for address-bound certificate discovery in DNS) failed.

Details

  • Negative: false
  • Optional: false
  • Description: This test case verifies that your system can query DNS for address-bound CERT records and discover a valid X.509 certificate whose CRL-based revocation status indicates that it has not been revoked.
  • From: en...@enkiworld.com
  • To: d...@domain9.dcdt31prod.sitenv.org
  • Processing Message(s): None
  • Processed Step(s): None
  • Expected Certificate:
    • Name: D17_valA
    • Valid: true
    • Binding Type: ADDRESS
    • Location:
      • Type: DNS
      • Mail Address: d...@domain9.dcdt31prod.sitenv.org
    • Description: Valid, non-revoked address-bound certificate for the Direct address in a DNS CERT record.
  • Discovered Certificate:
    • Name: D17_invB
    • Valid: false
    • Binding Type: ADDRESS
    • Location:
      • Type: DNS
      • Mail Address: d...@domain9.dcdt31prod.sitenv.org
    • Description: An invalid, revoked address-bound certificate for the Direct address in a DNS CERT record.
Thanks
Anil

Srinivasan Adhinarayanan

Nov 9, 2016, 11:37:51 AM
to Direct Certificate Discovery Tool, anilja...@gmail.com

Hi

As D17 tests the capability of discovering the valid certificate D17_valA (the one with unrevoked CRL status: see the objective below) and your discovered certificate is D17_invB (a revoked address), this test is failing.

Please let us know if this does not address the issue.

Thanks
Srini


On Wednesday, November 9, 2016 at 1:37:16 AM UTC-5, anilja...@gmail.com wrote:
Hi,
I am able to pass Discovery test cases D1-D16 but am failing on the newly added D17 & D18.
What am I missing, or how can I pass it?

Discovery testcase D17_DNS_AB_CRLRevocation (D17 - CRL-based revocation checking for address-bound certificate discovery in DNS) failed.

Details

  • Negative: false
  • Optional: false
  • Description: This test case verifies that your system can query DNS for address-bound CERT records and discover a valid X.509 certificate whose CRL-based revocation status indicates that it has not been revoked.
  • From: en...@enkiworld.com
  • To: d...@domain9.dcdt31prod.sitenv.org
  • Processing Message(s): None
  • Processed Step(s): None
  • Expected Certificate:
    • Name: D17_valA
    • Valid: true
    • Binding Type: ADDRESS
    • Description: Valid, non-revoked address-bound certificate for the Direct address in a DNS CERT record.
  • Discovered Certificate:
    • Name: D17_invB
    • Valid: false
    • Binding Type: ADDRESS
    • Description: An invalid, revoked address-bound certificate for the Direct address in a DNS CERT record.

anil jain

Nov 17, 2016, 6:04:52 AM
to Srinivasan Adhinarayanan, Direct Certificate Discovery Tool, Elizabeth So
Hi Joe,

I am trying to pass Discovery test cases D17 & D18. My certificate has a CRL URL and AIA details as well, but when I try to pass the D17 test case on DCDT I get a failed result.

I want to know how I can add another CRL URL (http://pki.dcdt31prod.sitenv.org:10080/dcdt31prod.sitenv.org_ca_intermediate1.crl) to my existing certificate?

Please help me with this.
And for D18, my .NET code below returns the error "Object reference not set to an instance of an object."

Health.Direct.SmtpAgent.SmtpAgent m_agent = Health.Direct.SmtpAgent.SmtpAgentFactory.Create(@"C:\Program Files\Direct Project .NET Gateway\SmtpAgentConfig.xml");
setting = m_agent.Settings;
DirectAgent agent = setting.CreateAgent();
SubscribeToResolverEvents(agent.PublicCertResolver);
agent.ProcessOutgoing(string.Format(TestMessage, to, Guid.NewGuid()));

CRL Snapshot (two inline images, not preserved)

Thanks
Anil

--
Anil Mehta,
Sr. Software Eng.,
NextServices, Mumbai

anil jain

Nov 19, 2016, 7:40:40 AM
to Direct Certificate Discovery Tool, Elizabeth So, Srinivasan Adhinarayanan

Hi,
Can anyone please help me with this issue?

Thanks
Anil

Joe Shook

Nov 19, 2016, 12:11:19 PM
to Direct Certificate Discovery Tool Google Group, Elizabeth So, Srinivasan Adhinarayanan
Anil, did you follow the instructions on this page?





anil jain

Nov 20, 2016, 11:55:20 PM
to Direct Certificate Discovery Tool, Joe Shook
Yes. I followed those instructions, but the problem is that I have an SSL certificate which is issued by Symantec and there is only one CRL URL. To pass the D17 test case, how can I add another CRL URL (http://pki.dcdt31prod.sitenv.org:10080/dcdt31prod.sitenv.org_ca_intermediate1.crl) to my existing certificate?

Thanks
Anil



Joe Gmail

Nov 21, 2016, 12:11:49 AM
to anil jain, Direct Certificate Discovery Tool
This test is not about your certificate. This test is about your ability to discover the correct certificate hosted by the DCDT for D17.

Sent from my iPhone

Joe Shook

Nov 22, 2016, 11:25:59 AM
to anil jain, Direct Certificate Discovery Tool
I just looked at the CRL and the effective date and next update are the same. I will forward you a long thread I had with the DCDT development team last year. It is possible you are getting CheckTimeValidy errors because of this, but I just passed the test a few minutes ago.

You are going to have to dig into the event logs to determine the error in this document, http://wiki.directproject.org/Enable+CRL+support
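
The D17 behaviour discussed in this thread, as an added illustration that is not part of the original posts or of the DCDT or Direct Project code: every certificate discovered in DNS is checked against the CRL rather than stopping at the first one, and a CRL whose effective date equals its next update is reported as unusable rather than as a revocation. The classes, serial numbers, dates and the single shared CRL are assumptions made for the example; only the names D17_valA and D17_invB come from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:                      # constructed stand-in for a parsed X.509 CRL
    this_update: datetime       # "effective date"
    next_update: datetime
    revoked_serials: frozenset

@dataclass(frozen=True)
class Candidate:                # one certificate returned by a DNS CERT lookup
    name: str
    serial: int

def crl_is_current(crl, now, skew=timedelta(0)):
    """True when `now` falls inside [thisUpdate - skew, nextUpdate + skew)."""
    return crl.this_update - skew <= now < crl.next_update + skew

def revocation_status(cert, crl, now, skew=timedelta(0)):
    """Return 'good', 'revoked' or 'unknown' (CRL outside its validity window)."""
    if not crl_is_current(crl, now, skew):
        return "unknown"
    return "revoked" if cert.serial in crl.revoked_serials else "good"

def select_certificate(candidates, crl, now, skew=timedelta(0)):
    """Check every discovered certificate; return (chosen, per-cert statuses)."""
    statuses = {c.name: revocation_status(c, crl, now, skew) for c in candidates}
    chosen = next((c for c in candidates if statuses[c.name] == "good"), None)
    return chosen, statuses

# Constructed sample data: serials and timestamps are invented for the example.
NOW = datetime(2016, 11, 22, 16, 30, tzinfo=timezone.utc)
ISSUED = datetime(2016, 11, 22, 16, 0, tzinfo=timezone.utc)
CANDIDATES = [Candidate("D17_invB", 0x1B), Candidate("D17_valA", 0x1A)]
NORMAL_CRL = Crl(ISSUED, ISSUED + timedelta(days=7), frozenset({0x1B}))
ZERO_WINDOW_CRL = Crl(ISSUED, ISSUED, frozenset({0x1B}))  # thisUpdate == nextUpdate

if __name__ == "__main__":
    for label, crl in (("normal", NORMAL_CRL), ("zero-window", ZERO_WINDOW_CRL)):
        chosen, statuses = select_certificate(CANDIDATES, crl, NOW)
        print(label, chosen.name if chosen else None, statuses)
```

Keeping "unknown" separate from "revoked" in the logged status is what lets an operator tell a CRL time-validity failure apart from a genuinely revoked certificate.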


