Trusting the U.S. Government

by Niel M. Bornstein

Related link: http://myballot.mil/



I'm no security expert, but if I were in the military and wanted to obtain an absentee ballot for the upcoming presidential election, it would bother me to get the following message while viewing the official website:



image

Switching over to Firefox, you can see that the U.S. Department of Defense is not a trusted certificate issuer.



image

It may be that computer users in the military do trust the Department of Defense implicitly, but I just don't know for sure.



Who do you trust?


2 Comments

aristotle
2004-10-22 18:55:50
Simple:
The DOD CA certificate is not installed in browsers as a trusted CA by default, so the certificates it issues are not trusted by default either.
CFlakes
2004-10-25 17:28:22
DOD Root Certificates
The DOD issues their own client and server certificates rather than rely on a commercial entity's infrastructure. As aristotle said, the DOD's root CAs aren't installed in most browsers by default. However, the root CAs can be downloaded from several DOD websites, one of which is the Navy's infosec site (https://infosec.navy.mil/PKI/pki_tip.html).


Several weeks ago, I was pondering the same questions about DOD trust, so I went looking. The best answer I've found so far is that the DOD has very stringent rules about who it will issue certs to (DOD employees and contractors). Because of these restrictions, they won't give a certificate to just anyone, so they cannot be considered a public CA. As a result, they haven't been included in the "trusted CA" lists. I haven't been able to find a better explanation, so I'll have to accept that one for now. If anyone can find a better explanation, please speak up.
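
The mechanism both comments describe, as an added example that is not part of the original post or its comments: a certificate issued by a private root fails validation against a trust list that lacks that root and passes once the root is supplied. All names (`Example root CA`, `Example other CA`, `ballot.example`) are constructed stand-ins, and the fingerprint helper shows the check to make against a value obtained through a separate channel before installing a downloaded root.

```shell
#!/bin/sh
# Constructed demo PKI; every name here is a hypothetical stand-in.
#   root.pem  - private root CA that no browser ships by default
#   other.pem - unrelated root, standing in for a browser's default list
#   srv.pem   - server certificate issued by the private root

make_demo_pki() {  # $1 = empty working directory
  for ca in root other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=Example $ca CA" \
      -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ballot.example" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null || return 1
  # The private root signs the server's request.
  openssl x509 -req -in "$1/srv.csr" -days 1 \
    -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
    -out "$1/srv.pem" 2>/dev/null
}

# Succeeds only if the chain from leaf $2 ends at a root in trust file $1
# (or in OpenSSL's default store, which cannot contain this demo root).
verify_with_store() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of certificate $1, for out-of-band comparison.
root_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

dir=$(mktemp -d)
make_demo_pki "$dir" || { echo "openssl failed" >&2; exit 1; }
if verify_with_store "$dir/other.pem" "$dir/srv.pem"; then
  echo "default list only:  trusted"
else
  echo "default list only:  NOT trusted (issuer unknown)"
fi
if verify_with_store "$dir/root.pem" "$dir/srv.pem"; then
  echo "private root added: trusted"
else
  echo "private root added: NOT trusted"
fi
echo "root SHA-256 fingerprint: $(root_fingerprint "$dir/root.pem")"
rm -rf "$dir"
```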