
Hi Joshua,

joshua.amolo@gmail.com wrote:
However, in light of the perception of users, KENIC needs to purchase a CA signed certificate.
This might be an ideal situation. But let's analyze it for a moment. Most of the content available on the KENIC website is for public consumption. As such, is there any additional value/benefit for communicating over a secure session/connection?
No sysop will brand all .ke domains as unsafe, as individual owners need to take care of their own certificates, not KENIC.
In addition, the sections that need to traverse a secure session (meaning that most likely user names and passwords or private/sensitive data are being transmitted) would require that KENIC have some form of trust relationship with the remote user. I would assume this would be remote access from users related to their business model, like Registrars. If that's the case, KENIC may consider publishing their self-signed certificate with instructions on how to load it into any browser. It may be worth considering that the way SSL certificates work is based on the host name being accessed. Therefore, if KENIC were to purchase an SSL certificate for www.kenic.or.ke, they would need to purchase another for any other server on their network that will serve registry functions under a different hostname/server name, like registry.kenic.or.ke, and needs secure connections.
I think you need to stick to the DNSSEC issues you raised initially.
It would be good to know if his DNS servers (resolvers) are DNSSEC aware to start with. Is the browser he's using DNSSEC aware as well?
Happy Easter
You too :).

Michuki.