[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites

Fri Oct 16 16:47:57 CEST 2015

* David Kronlid <david at kronlid.net> [20151015 23:24]:
> If this is about keeping the cost low, why don't you buy one wildcard
> certificate for *.gpg4win.org

Because (with the CAs we considered) this is more expensive than a
certificate with the 6 hostnames (which are only accounted as 4,
because the domain as hostname is free if you get the www hostname).

> and just create tons of subdomains to
> gpg4win.org and redirect all https requests to various web addresses you
> use to list.gpg4win.org, de.gpg4win.org, www.gpg4win.org, etc. You can
> still keep the same servers on the various current domains too, just make
> the web servers redirect each https request to a subdomain under gpg4win.org
> while still letting http go through. This won't break any existing links
> found on the Internet,

The existing hostnames would have to live on a separate IP so they
can still provide the suitable certificate signed by our CA (for
people who have already imported our root certificate), as the
redirect can only happen after a successful SSL connection.

And I don't recommend hostnames like de.gpg4win.org for websites
with wildcard certificates, because people _will_ write
www.de.gpg4win.org at some point and the wildcard certificate for
*.gpg4win.org won't match that as it does not work like filename
glob patterns. And personally I don't like them, but that might be
just me :)

> and will make it easier for you in the future to
> gather everything under one good looking domain gpg4win.org and skip using
> various domains for http requests too whenever you feel the time is ready.

As mentioned above: Wildcard certificates are quite expensive.
Bernhard allowed me to present the prices we pay, to make the list
shorter I limit it to certificates with 3 year validity:

regular certificate: 295€
wildcard certificate: 1380€
certificate with 4 SAN entries: 640€
additional SAN entries (up to the 24th): 65€ per entry

For all above certificates and SAN entries: If you buy
www.example.com (or *.example.com for the wildcard), the SAN entry
for example.com is free.

So it would be cheaper to buy 15 hostnames we want (in any domain!)
than buying a single wildcard certificates (for just one domain).

> A web server with one IP can have alot of domains pointing towards it so
> this is a workaround if you only want to buy one single wildcard
> certificate.

Yes, until SNI or IPv6 become available (nearly) everywhere on the
client side, wildcard certificates or certificates with many SANs
are both solve (or work around) this problem.

> I don't see the certificate issue as the real problem here, but rather that
> the people working on the gpg4win project over time have scattered things
> under too many domains, and it doesn't look good and it's less practical in
> the long run to keep it this way so why not take steps towards facilitating
> a migration to having everything under one domain anyway?

The two main domains allow easy language selection for the main
webpage, but yes, for the download server it is not important.

Of course gpg4win.org could switch to language selection based on
the browser settings or geoip (with possibility to override via
cookies), but more often than not I'm annoyed by that, when I see it
used elsewhere.

> Good luck with all this! It can be time consuming but it's worth it!

Thank you!

Regards,
Thomas

-- 
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20151016/7a90cbe6/attachment.sig>