
Accessing the Information Assurance Website - aaronharnly
https://www.nsa.gov/what-we-do/information-assurance/
======
subway
This is not a 'self-signed' certificate. This is an internal DISA Certificate
Authority.

Edit: Looking a bit closer, this is a web application that uses the CAC for
client-certificate authentication. Odds are if you have a reason to be going
to this site, you already have this CA cert installed, and are using your CAC
to auth against it.

~~~
mrmondo
Indeed, perhaps the title could be adjusted by a mod to make it less
potentially misleading?

------
jlgaddis
They aren't "self-signed", they're signed by the DoD certificate authorities
(which probably requires more paperwork and due diligence than getting a
certificate issued by GoDaddy, Comodo, etc.).

~~~
nickpsecurity
Indeed:

[http://www.disa.mil/~/media/Files/DISA/Services/UCCO/APL-Pro...](http://www.disa.mil/~/media/Files/DISA/Services/UCCO/APL-Process/UC_DoD_PKI_Guide.pdf)

For high-security (esp. Type 1), there's also a system for generating and
managing keys that the NSA controls:

[https://en.wikipedia.org/wiki/EKMS](https://en.wikipedia.org/wiki/EKMS)

------
devy
Genuine question: what's the big deal of using custom CA?

~~~
jeremyjh
Nothing, if you know your intended users will have that CA's root in their
trust store, as the NSA likely does.

A self-signed certificate is one generated on the hosting device itself - the
actual webserver hosting the site - there is no chain of trust to a root
certificate that could be in someone's trust store and consequently no way to
know if there is a man-in-the-middle.

~~~
dogma1138
Self signing allows you to counter mitm just fine as you trust a specific
certificate.

A trust allows you to manage revocation easily and it doesn't require you to
trust 100s or 1000s of certificates independently.
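
The distinction the two comments above draw (a self-signed cert, where issuer and subject are the same entity, versus a cert that chains to a private CA root installed in the client's trust store) can be made concrete with openssl. The script below is an added example, not code from the thread or from any DoD/DISA system; every key, name and host (`Example Private Root CA`, `intranet.example.test`, `selfsigned.example.test`) is constructed for the demonstration. It builds a private root CA, a leaf cert signed by that CA, and a genuinely self-signed server cert, then shows that the leaf verifies only when the private root is trusted, and that the self-signed cert verifies only when that exact cert is pinned in the trust store.

```shell
#!/bin/sh
# Added example (not from the thread): self-signed vs. private-CA-signed
# certificates, checked with openssl on constructed keys.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. A private root CA, the analogue of an internal DoD/DISA CA (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Private Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. A leaf cert for a hypothetical intranet host, signed by that CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=intranet.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -out "$WORK/leaf.pem" >/dev/null 2>&1

# 3. A genuinely self-signed server cert, generated "on the server itself".
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=selfsigned.example.test" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1

# is_self_signed FILE: prints "yes" if the cert's issuer equals its subject
# (no chain above it), otherwise "no".
is_self_signed() {
  subj="$(openssl x509 -in "$1" -noout -subject)"
  iss="$(openssl x509 -in "$1" -noout -issuer)"
  # drop the "subject=" / "issuer=" prefixes before comparing the names
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# chains_to CERT TRUSTFILE: prints "ok" if CERT verifies against the certs in
# TRUSTFILE (the client's trust store for this check), otherwise "fail".
chains_to() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Summary for the reader: only the CA-issued leaf chains to the private root;
# the self-signed cert needs to be pinned as-is to verify at all.
for f in ca leaf self; do
  printf '%-5s self_signed=%s chains_to_private_root=%s pinned_as_itself=%s\n' \
    "$f" \
    "$(is_self_signed "$WORK/$f.pem")" \
    "$(chains_to "$WORK/$f.pem" "$WORK/ca.pem")" \
    "$(chains_to "$WORK/$f.pem" "$WORK/$f.pem")"
done
```

The last column is the pinning case from the second comment: trusting one specific self-signed certificate does defeat a man-in-the-middle for that one host, but every additional host needs its own entry, and removing a compromised one means touching every client, which is the revocation burden the CA model avoids.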

------
iamthepieman
This seems perfectly appropriate. Who else is gonna sign their certs?

We trust us, you should trust us and we don't trust anyone else.

------
aaronharnly
This practice cuts them off from the regular web. For example, suppose one
wanted to link to their Guidelines for Securing Industrial Control Systems --
a client browser gets an error unless they've installed the DoD CA.

~~~
jcrawfordor
Generally, the DoD root CA is only used on websites that are not intended for
public consumption.

That said, as a civilian security professional, I have the DoD root CA
imported on my workstations because I do run into sites signed by it from time
to time, but usually in the course of looking up things specific to federal
contracts.

------
blakeyrat
Why is this newsworthy? I'm no security expert.

~~~
wonkaWonka
It's technical people of some notoriety being vaguely clever about high-brow
qualifications, and at a certain level of humorousness, involves recursion.

