Hacker News new | comments | show | ask | jobs | submit login

I think the question was "why aren't they running this public website with a cert signed by a widely trusted CA"?

Well it is widely trusted by everyone on NIPRnet...

So TLS (X.509) only allows serving a single certificate. You have to choose to serve one trusted by people you need not to be hacked (your own CA) or a commercial one to reduce in general the likelihood of being hacked. I can see why they chose the first option.

Obviously if websites were not signed by one of the 'root trust' paths but by several, and the reputation of each of those trust paths, and the host itself, was tracked in a decentralised secure database where trust was built over time, that would be better.

Oops, I just suggested blockchain snake oil would solve something.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact