by mpyne 4862 days ago
Just install the goddamn DoD root certificates and the client browser will work just fine.

I've used approximately zero DoD computers since 2005 that had the SSL CA chain misconfigured for use on DoD websites. It's really not that hard, even my Linux box here works fine.

Are you on NMCI? Because I have used approximately zero DoD computers since 1994 that had the SSL CA chain configured properly on delivery.

In my humble experience, installing DoD roots is a journey: there are at least a few dozen and they are constantly being retired and superseded. Meanwhile, to get the DoD root certs, one has to trust A) DNS and B) whoever is in charge of access control to the cert servers. Clearly, access control is a major problem for the DoD; that's the whole problem to begin with.

Yes, NMCI.

But like I said, it works on my home computer too. Google for DISA InstallRoot (or try going here and running through the steps http://iase.disa.mil/pki-pke/getting_started/index.html)

It is true that they go through the intermediate CAs fairly quickly, but the actual root is still at CA-2 from what I can tell.

DNS security is certainly a concern, but not the kind of concern that leads to SSL warning popups unless there's something else screwy going on. But then maybe Chrome is seeing screwy stuff that MSIE doesn't know to check for...