Issue 50 in direct-certificate-discovery-tool: DCDT Discovery is not working

[direct-certifica...@googlecode.com]

Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 50 by ottepor...@gmail.com: DCDT Discovery is not working
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=50

What steps will reproduce the problem?
Testing with DCDT Tool - Discovery

What is the expected output? What do you see instead?
We got the bound message:
dts...@direct1.cchit.net
Subject: Hi
This message hasn't been delivered yet. Delivery will continue to be
attempted.

The same happens with dts...@direct1.testteam.us

[direct-certifica...@googlecode.com]

Comment #2 on issue 50 by michal.k...@esacinc.com: DCDT Discovery is not
working
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=50

More information about the problem would be useful. Specifically:

1. Are you using an instance of DCDT deployed at your domain (cchit.net?)
or the demo instance at testteam.us?
2. From your report I can gather that you are trying to execute the DTS501
Discovery test case. Is this correct?

[direct-certifica...@googlecode.com]

Comment #3 on issue 50 by ottepor...@gmail.com: DCDT Discovery is not
working
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=50

1. I'm using the instance deployed by CCHIT
(http://dcdt.cchit.net:8081/ModularSpecPhase3_Tool/). The same problem if I
use the testteam.us instance.
2. It happens to every test case on both instances. I received non-delivery
report messages back several hours after sending the messages.

[direct-certifica...@googlecode.com]

Updates:
Status: Accepted

Comment #4 on issue 50 by michal.k...@esacinc.com: DCDT Discovery is not
working
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=50

More questions:
- Have you added the tool instances' trust anchors to the trust store of
the System Under Test you are using?
- Are any Direct emails being dispatched (from the System Under Test) for
any of the test cases?
- Are you seeing 'NoTrustedRecipients' in the Apache James logs (on the
System Under Test) whenever you attempt a Discovery test case?

[direct-certifica...@googlecode.com]

Comment #5 on issue 50 by ottepor...@gmail.com: DCDT Discovery is not
working
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=50

- Yes, both the anchors from testteam.us and cchit.net instances are
installed. We were able to successfully tested a couple weeks ago.
- We verified that our SMTP server is working properly (we were able to
receive testing email sent using the same system in Gmail or Yahoo).
- The CCHIT instance is managed by CCHIT (cchit.org). We suppose it is the
one that EHR vendors would use to certify. CCHIT's web site tells us to
contact the Tool web site directly for support. That said, we (vendor)
don't set up any DCDT instance, and rather use testteam.us and recently,
cchit.net instances.

[direct-certifica...@googlecode.com]

Comment #6 on issue 50 by michal.k...@esacinc.com: DCDT Discovery is not
working
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=50

I did some quick testing and it looks like at least some certificates are
not being properly hosted (in DNS/LDAP) for both the cchit.net and
testteam.us DCDT instances.

Examples:
- dts500@direct1.<domain> should have an address-bound cert in DNS
(dts500_valid_cert_record). Neither dts...@direct1.cchit.net nor
dts...@direct1.testteam.us are returning any certs.
- dts505@direct2.<domain> should have an address-bound cert in LDAP
(dts505_mac). dts...@direct2.testteam.us returns the correct cert, but
dts...@direct2.cchit.net returns nothing.

I am currently in the process of phasing out the testteam.us instance, so
it is unlikely that any issues specific to it will be fixed. In the
meantime, feel free to test against the new instance,
http://direct-test.com/dcdt/. However, please be aware that this instance
is being actively deployed to, so availability is not guaranteed during the
interim period.

[direct-certifica...@googlecode.com]

Comment #7 on issue 50 by ottepor...@gmail.com: DCDT Discovery is not
working
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=50

It looks like the cchit.net instance is using the older version of the
code. It automatically looks for "ou=system" in the initial request as
described in Issue 40.

[direct-certifica...@googlecode.com]

Comment #8 on issue 50 by michal.k...@esacinc.com: DCDT Discovery is not
working
http://code.google.com/p/direct-certificate-discovery-tool/issues/detail?id=50

The hardcoded usage of ou=system was removed in revision 413, however, the
changes did not properly implement baseDN searching.

The fixes to the algorithm I mention in issue 40 are currently only
available in the trunk and not any of the distributable(s) (i.e. the TAR
file / VM image).