[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites

Thomas Arendsen Hein thomas at intevation.de
Tue Oct 20 08:37:07 CEST 2015

* Werner Koch <wk at gnupg.org> [20151019 19:41]:
> On Fri, 16 Oct 2015 16:47, thomas at intevation.de said:
> > Yes, until SNI or IPv6 become available (nearly) everywhere on the
> > client side, wildcard certificates or certificates with many SANs
> > are both solve (or work around) this problem.
> Should we really support installation of our software on boxes which do
> not support SNI and thus are old, unsupported, and easy to take over?
> Don't we give a false sense of security if we have not at least minimal
> of security requirement.

1. This was a general remark to David's comment about wildcard
   certificates, not specifically targeted towards gpg4win or even Wald.
2. If you don't want people to install the software on Windows XP,
   then make the installer bail out on Windows XP, but don't hide
   the website, mailing list or forum from them where they can read
   about why they are not supposed to use gpg4win.
3. My list contained software, which still receives active security
   support (and I'm not even talking about LTS here), but does not
   support SNI. I just noticed that wget 1.13.4-3+deb7u1 in Debian
   wheezy received support for SNI in a point release in 2014, but
   my point is still valid for wheezy's python.

Besides all this, SNI or not is not really relevant for gpg4win
here, as the 6-SAN-certificate I proposed above is still cheaper
(640€ for 3 years = 17.78€ per month) than 2 regular certificates
from Gandi (2*10€ = 20€ per month) or 3 from GeoTrust (3*295€/3/12
= 24.58€ per month).

So SNI would not save money here (or very little if we reduce our
plan to just 2 regular GeoTrust certificates).

Of course we should consider SNI for e.g. Wald in the near future,
but the first step should be {www,files}.gpg4win.{org,de}


thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20151020/78b82814/attachment.sig>

More information about the Gpg4win-users-en mailing list