[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites

Thomas Arendsen Hein thomas at intevation.de
Fri Oct 16 16:14:13 CEST 2015


* Werner Koch <wk at gnupg.org> [20151016 10:16]:
> On Thu, 15 Oct 2015 16:04, thomas at intevation.de said:
> 
> >   www.gpg4win.org (main address)
> >   www.gpg4win.de
> >   gpg4win.org
> >   gpg4win.de
> >   files.gpg4win.org
> >   files.gpg4win.de
> >
> > With a lifetime of three years, this will cost us 640€ for a
> > certificate from GeoTrust (see below for why we use GeoTrust).
> 
> 35 Euro per certificate is pretty expensive, I pay 10 at Gandhi.

This is a single certificate. Can you get a single certificate at
Gandi (not related to Mahatma, Indira and other Gandhis :)) with
above 6 SubjectAltName entries?

Of course the alternative would be to serve https only on one or two
hostnames.

(BTW, the current setup allows ftp.gpg4win.org and .de and has these
names in the certificate, too, but as we no longer want to offer
FTP, this is no longer needed)

> You may also want to wait a few more weeks for the LetsEncrypt initiative.

Might be acceptable for regular, modern browsers. But their root
certificate is so young (June 2015) that not even they use a
certificate signed by it.

> > The certificate will be installed on the server that currently hosts
> >files.gpg4win.org, so downloads from there will immediately become
> >trusted without importing Intevation's CA.
> 
> As an alternative we could also put the gpg4win files on *.gnupg.org.

Technically this would work if your server can serve additional
(currently) 2.0-2.5 TB of traffic per month. The participants of the
project would have to decide if this is a good idea.

> I need to get a larger box anyway - I am too often running out of
> diskspace (30 GiB HP RAID)

We might have some suitable 72GB disks for you, feel free to contact
Sascha or me the next time you are in our office to see if they are
the correct type.

> As domain owner I already offered to pay for the certs.

Thank you, this would also make things easier, as the verification
process would be only between two involved parties instead of three.

But before you do that, we should make sure that the resulting
certificate is usable for the intended setup.

Regards,
Thomas

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
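The question above (one certificate carrying all six hostnames as SubjectAltName entries, with the ftp names dropped) can be answered concretely with a CSR. The script below is an added example, not part of the thread and not the project's own tooling: it writes an openssl request config that lists the six names as dNSName SANs, generates a throwaway key and CSR in a temporary directory, and checks that the CSR actually requests every required name. The key size, the CN choice and the O= field are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): build a CSR whose
# SubjectAltName extension covers all six gpg4win hostnames, then verify it.
set -eu

# The six names from the thread; ftp.gpg4win.org/.de are deliberately absent.
SAN_NAMES="www.gpg4win.org www.gpg4win.de gpg4win.org gpg4win.de files.gpg4win.org files.gpg4win.de"
WORK=$(mktemp -d)

# Write an openssl config listing every hostname as a DNS: SAN entry.
make_san_config() {
    san=""
    for n in $SAN_NAMES; do
        san="${san:+$san,}DNS:$n"
    done
    cat >"$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = www.gpg4win.org
O = Hypothetical requester (assumption for the example)

[ v3_req ]
subjectAltName = $san
EOF
}

# Generate a throwaway RSA key and a CSR that carries the SAN extension.
# Key size and hash are assumptions; the CA's policy decides what it accepts.
make_csr() {
    make_san_config
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/key.pem" -out "$WORK/req.pem" \
        -config "$WORK/req.cnf" >/dev/null 2>&1
}

# Print the dNSName entries the CSR requests, one per line.
# openssl prints them comma-separated on one indented line.
csr_san_names() {
    openssl req -in "$WORK/req.pem" -noout -text \
        | sed -n 's/^ *DNS:/DNS:/p' | tr ',' '\n' | sed 's/^ *DNS://'
}

# Return 0 if every required hostname is present in the CSR, 1 otherwise.
check_coverage() {
    present=$(csr_san_names)
    for n in $SAN_NAMES; do
        echo "$present" | grep -qx "$n" || { echo "missing: $n" >&2; return 1; }
    done
    echo "all $(echo $SAN_NAMES | wc -w) names covered"
}
```

Once the CA has issued the certificate, the same check applies to it by reading the certificate instead of the request (`openssl x509 -in cert.pem -noout -text` prints the SAN line in the same format); a CA that sells per-name or caps the SAN count will return fewer entries than requested, which is exactly what this check catches before the certificate is installed.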