On Tue, Mar 30, 2010 at 7:54 PM, Michuki Mwangi <michuki@swiftkenya.com> wrote:
> Hi Robert,
>
> robert yawe wrote:
>> Hi,
>>
>> How safe is .ke if the servers have questionable security certificates? It seems we are taking these ccTLD issues very lightly.
>
> Funny that you interpret a self signed certificate as taking ccTLD issues lightly.

He is conflating two very separate issues.

>> After attending ICANN I am now more informed about the importance of secure servers and the costs of lax DNS issues.

I wonder what costs he is referring to?

> Am still trying to see the relationship between an OpenSSL self signed CA and DNS security. You may want to provide more details on what your understanding of secure servers is and where KENIC is failing.
It's a nit that can be picked, but the cert seems to have expired. Ffox takes a more nuanced approach to this; here is what it shows me:

    This Connection is Untrusted

    You have asked Firefox to connect securely to registry.kenic.or.ke, but we can't confirm that your connection is secure.

    Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

    What Should I Do?

    If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

    Technical Details

    registry.kenic.or.ke uses an invalid security certificate.
    The certificate is not trusted because it is self-signed.
    The certificate is only valid for Ke NIC
    The certificate expired on 12/7/2009 12:28 PM.
    (Error code: sec_error_expired_issuer_certificate)

    I Understand the Risks

DNSSEC was designed to protect against a limited set of attacks, such as DNS cache poisoning, man in the middle, etc. It provides: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.

DNSSEC, if implemented, only provides security when you ask a question of the DNS database (in this case, Robert's browser had asked "what is the IP address of kenic.or.ke?"). It's nothing to do with https or CAs, self signed or not. That's a completely different layer.

-- 
Cheers,

McTim
"A name indicates what we seek. An address indicates where it is. A route indicates how we get there." Jon Postel
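To make the layer separation McTim describes concrete, the following is an added example (not code from this thread, from KENIC or from Firefox) that reproduces the three checks a browser performs on a TLS certificate after DNS has already returned an address: is it self-signed, has it expired, and does it name the host being visited. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificate metadata is constructed to mirror what the Firefox dialog above reported (subject and issuer both "Ke NIC", expiry 7 Dec 2009) rather than fetched from the registry, and `THREAD_DATE` and `GOOD_CERT` are assumptions made for the example. None of these checks consult DNSSEC, which is the point of the message.

```python
import ssl

# Constructed reference time: the date of this mailing-list thread, used as "now"
# so the example gives the same answer regardless of when it is run.
THREAD_DATE = ssl.cert_time_to_seconds("Mar 30 19:54:00 2010 GMT")

# Constructed sample in getpeercert() format, mirroring the Firefox report above.
SAMPLE_CERT = {
    "subject": ((("commonName", "Ke NIC"),),),
    "issuer": ((("commonName", "Ke NIC"),),),
    "notBefore": "Dec  7 12:28:00 2008 GMT",
    "notAfter": "Dec  7 12:28:00 2009 GMT",
    "subjectAltName": (),
}

# Constructed counter-example: CA-issued, in validity, and naming the host.
GOOD_CERT = {
    "subject": ((("commonName", "registry.kenic.or.ke"),),),
    "issuer": ((("commonName", "Example CA (hypothetical)"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "registry.kenic.or.ke"), ("DNS", "*.kenic.or.ke")),
}


def _rdn_to_dict(rdns):
    """Flatten getpeercert()'s nested RDN tuples into a plain {attr: value} dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def _cert_names(cert):
    """Collect every DNS name the certificate claims (subject CN plus DNS SANs)."""
    names = set()
    cn = _rdn_to_dict(cert.get("subject", ())).get("commonName")
    if cn:
        names.add(cn.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def _name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard such as *.kenic.or.ke."""
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def diagnose_cert(cert, hostname, now=THREAD_DATE):
    """Return the list of problems a browser would raise for this certificate.

    Order of checks: self-signed, expired, not yet valid, hostname mismatch.
    An empty list means the certificate passes these transport-layer checks.
    """
    problems = []
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    # A certificate that names itself as its own issuer is self-signed.
    if subject == issuer:
        problems.append("self-signed")
    # Validity window, parsed with the stdlib helper for getpeercert() dates.
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not-yet-valid")
    # The name the user typed must appear in the certificate.
    host = hostname.lower()
    if not any(_name_matches(n, host) for n in _cert_names(cert)):
        problems.append("hostname-mismatch")
    return problems


if __name__ == "__main__":
    print(diagnose_cert(SAMPLE_CERT, "registry.kenic.or.ke"))
    print(diagnose_cert(GOOD_CERT, "registry.kenic.or.ke"))
```

Run against the constructed sample, the diagnosis is `['self-signed', 'expired', 'hostname-mismatch']`: three X.509-layer findings, all produced without any DNS query, signed or otherwise. A DNSSEC-validating resolver would have changed nothing here; only a certificate chaining to a trusted CA, still in its validity period and carrying the hostname, clears the browser's warning.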