by niels_olson 4863 days ago
What's really sad about this is that many government resources have certificates that the browsers available to their users (i.e., IE 6/7/8) don't trust, so the users are conditioned to blow through the clearest warnings they will ever get.

e.g., here's the DoD global phone book (in case I want to email somebody). Server requires CAC token from the client, but the client's browser doesn't trust the server!

https://dod411.chamb.disa.mil/

I don't even know what to call this level of broken, Chomsky-esque?

1 comments

Just install the goddamn DoD root certificates and the client browser will work just fine.

I've used approximately zero DoD computers since 2005 that had the SSL CA chain misconfigured for use on DoD websites. It's really not that hard, even my Linux box here works fine.

Are you on NMCI? Because I have used approximately zero DoD computers since 1994 that had the SSL CA chain configured properly on delivery.

In my humble experience, installing DoD roots is a journey: there are at least a few dozen and they are constantly being retired and superseded. Meanwhile, to get the DoD root certs, one has to trust A) DNS B) whomever is in charge of access control to the cert servers. Clearly, access control is a major problem for the DoD, that's the whole problem to begin with.

Yes, NMCI.

But like I said, it works on my home computer too. Google for DISA InstallRoot (or try going here and running through the steps http://iase.disa.mil/pki-pke/getting_started/index.html)

It is true that they go through the intermediate CAs fairly quickly, but the actual root is still at CA-2 from what I can tell.

DNS security is certainly a concern, but not the kind of concern that leads to SSL warning popups unless there's something else screwy going on. But then maybe Chrome is seeing screwy stuff that MSIE doesn't know to check for...
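The exchange above turns on three things: a chain that fails because the client's trust store lacks the root, the fix of installing that root (and only the root; the intermediates travel with the server's chain or in the InstallRoot bundle), and the question of how you know the root you downloaded is the genuine one. The script below is an added example, not code from the thread or from DISA: it builds a throwaway private PKI with openssl (the CA names, the hostname dod411.example.test and the file names are all made up) and shows a browser-style verify failing without the root, succeeding with it, and a SHA-256 fingerprint check that accepts a downloaded root only if it matches a value obtained out of band, which is the step that takes DNS and the download server out of the trust equation.

```shell
#!/bin/sh
# Added example (not DoD/DISA code): toy PKI showing why "install the root"
# fixes the warning, and how to pin the root before trusting it.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for the toy hierarchy: root -> intermediate -> leaf.
cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:dod411.example.test
EOF

# Generate a P-256 key plus CSR for the given file prefix and subject.
make_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Build the three-tier chain. Names are invented for this demo.
build_toy_pki() {
  make_csr root  "/CN=Toy Root CA"
  make_csr inter "/CN=Toy Intermediate CA"
  make_csr leaf  "/CN=dod411.example.test"
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ext.cnf -extensions v3_ca -out root.pem >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ext.cnf -extensions v3_ca -out inter.pem >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -sha256 -extfile ext.cnf -extensions v3_leaf -out leaf.pem >/dev/null 2>&1
}

# What a client whose store lacks the root sees: the server presents leaf +
# intermediate, but nothing anchors the chain. Exits non-zero ("unable to get
# issuer certificate"), which is the browser's "not trusted" warning.
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Same server chain after the root alone is installed as a trust anchor;
# hostname checking is on, as a browser would do.
verify_with_root() {
  openssl verify -CAfile root.pem -untrusted inter.pem \
    -verify_hostname dod411.example.test leaf.pem >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, hex bytes only (works with the
# "SHA256 Fingerprint=" and "sha256 Fingerprint=" output styles).
root_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Accept a downloaded root ($1) only if its fingerprint equals the value ($2)
# you obtained through a channel that does not depend on DNS or the download
# server (printed policy document, phone call to the PKI office, etc.).
install_root_if_pinned() {
  actual=$(root_fingerprint "$1")
  [ "$actual" = "$2" ]
}

build_toy_pki

if verify_without_root; then
  echo "unexpected: chain verified without a trust anchor"
else
  echo "without the root installed: chain rejected (this is the browser warning)"
fi

# In real life PINNED comes from the out-of-band source; here we derive it
# from the freshly generated root so the demo is self-contained.
PINNED=$(root_fingerprint root.pem)
if install_root_if_pinned root.pem "$PINNED"; then
  echo "root fingerprint matches the pinned value: safe to install"
fi
if ! install_root_if_pinned inter.pem "$PINNED"; then
  echo "a substituted certificate does not match the pin: refused"
fi

if verify_with_root; then
  echo "with the root installed: chain and hostname verify OK"
fi
```

Run it as-is; the only dependency is an openssl binary (1.1.1 or later for `-addext`-free `-pkeyopt` key generation and `-verify_hostname`). The point the pinning step makes is the one raised in the thread: fetching the roots over HTTPS from a site whose certificate you cannot yet validate is circular, so the fingerprint has to come from somewhere other than that download.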