[sdnog] .sd domain

Fri Mar 27 15:31:04 SAST 2020

On 26 Mar 2020, at 21:04, manhal_muhamed at hotmail.com wrote:

> Hi
> Or try to get an SSL from the national provider ;)
>
> National Authority for digital certifications
> Check their website @ "www.nadc.gov.sd"

hi manhal,

there’s no ipv6  :-(
both name servers are on the same network
and a whole bunch of other security related issues.
it’s very, very unlikely that they are listed as a CA in most client 
software.  i checked the cert list that’s still on my mac, and, 
although i routinely prune CAs i don’t _want_ to trust[1], i don’t 
see this listed here  (and i haven’t removed this, i promise)  so, 
tbh, this is not better than a self-signed cert.  and, arguably worse.

that aside, this is just a distraction.
the whole CA system is broken.  you _want_ to be able to self-identify;  
so you _should_ be able to publish your own TLSA records that identify 
you via your public key.  but, you need DNSSEC for that.  so, frankly, 
instead of wasting time, effort and resources, on a “national cert” 
get your TLD DNSSEC signed, and learn DANE.  that’s easier, more 
scalable, and provides real security benefits.

-n.

[1]  just because some CA is in your browser, does not make it safe.  
does not mean it’s not owned by some government’s secret service 
agency.  and certainly, does not mean you should trust it!