[kictanet] KENIC is wanting

Michuki Mwangi michuki at swiftkenya.com
Sat Apr 3 15:30:33 EAT 2010


Hi Joshua,

joshua.amolo at gmail.com wrote:
> 
> However, in light of the perception of users, KENIC needs to purchase
> a CA signed certificate.
> 

This might be an ideal situation. But let's analyze it for a moment. Most
of the content available on the KENIC website is for public consumption.
As such, is there any additional value/benefit for communicating over
a secure session/connection?

> No sysop will brand all .ke domains as unsafe, as individual owners
> need to take care of their own certificates, not KENIC.
> 

In addition, the sections that need to traverse a secure session
(meaning that most likely user names and passwords or private/sensitive
data is being transmitted) would require that KENIC have some form of
trust relationship with the remote user. I would assume this would be
remote access from users related to their business model, like
Registrars. If that's the case, KENIC may consider publishing their
self-signed certificate with instructions on how to load it into any browser.

It may be worth considering that the way SSL certificates work is
based on the host name being accessed. Therefore, if KENIC were to
purchase an SSL certificate for www.kenic.or.ke they would need to
purchase another for any other server on their network that will serve
registry functions under a different hostname/server name like
registry.kenic.or.ke and needs secure connections.

> 
> I think you need to stick to the DNSSEC issues you raised initially.
>

It would be good to know if his DNS servers (resolvers) are DNSSEC-aware
to start with. Is the browser he's using DNSSEC-aware as well?

> Happy Easter
> 

You too :).

Michuki.
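
The hostname binding described in the message above, as an added example that is not part of the original post: Python code that checks which hostnames a certificate's DNS names cover, using the usual RFC 6125 matching rules. It goes beyond the message by also handling multi-name and wildcard certificates; the function names and the certificate name lists are constructed for illustration.

```python
def name_matches(pattern, hostname):
    """Compare one certificate DNS name with the hostname being accessed.

    Matching is case-insensitive and label by label. A wildcard is honoured
    only as the entire leftmost label, where it stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False          # wildcard outside the leftmost label
    if p[0] == "*":
        # Require two fixed labels after the wildcard so "*.ke" is refused.
        # (No public-suffix list is consulted in this example.)
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False          # partial wildcards such as "w*" are refused
    return p == h


def cert_covers(dns_names, hostname):
    """True if any DNS name listed in the certificate matches the hostname."""
    return any(name_matches(name, hostname) for name in dns_names)


# Constructed DNS name lists for three hypothetical certificates.
CERTS = {
    "single": ["www.kenic.or.ke"],
    "multi": ["www.kenic.or.ke", "registry.kenic.or.ke"],
    "wildcard": ["*.kenic.or.ke"],
}

# Hostnames a client might connect to (the first two come from the message).
HOSTS = ["www.kenic.or.ke", "registry.kenic.or.ke",
         "kenic.or.ke", "a.registry.kenic.or.ke"]


def coverage_report(certs=CERTS, hosts=HOSTS):
    """Map each certificate label to the hostnames it would validate for."""
    return {label: [h for h in hosts if cert_covers(names, h)]
            for label, names in certs.items()}


if __name__ == "__main__":
    for label, covered in coverage_report().items():
        print(f"{label:9s} covers: {', '.join(covered)}")
```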




