Gandi Bar - SSL - Comments

One domain name, one certificate - Romain

Romain — Wed, 01 Apr 2009 08:40:15 +0200

It seems that EV SSL are great but the green bar doesn't display in IE !! Do you know why ?

One domain name, one certificate - Nicolas (Gandi)

Nicolas (Gandi) — Mon, 09 Mar 2009 12:48:40 +0100

Fulgan: See comment #15 and contact our customer care team
Regarding your questions, we don't support custom OIDs in our certificate for the moment and SubjectAltName extension are not proposed for the moment, we will probably add a intermediary offer with 2 or 3 CN included.
Our intermediate CA are available here http://en.gandi.net/ssl/documentati... and our root CA here http://crt.usertrust.com/AddTrustEx...

One domain name, one certificate - Fulgan

Fulgan — Mon, 09 Mar 2009 10:20:39 +0100

Hello,

I was kinda excited by the announcement because, like you, I strongly believe that SSL must be much strongly tied to the DNS system and this for many reasons, only a few of them being that it will make securing "low budget" domains stronger.

However, I wasn't surprised to see that the announcement is misleading: with the fact that you get a single SSL cert per registered DNS and the fact that it's only for a single year, the real mellow of that specific bone has been removed and it's now just a promotional introduction offer instead of a real step forward.

Don't get me wrong: it IS a good offer and the price is really interesting. Even though I'm apparently too good a customer to be eligible for this offer (I register my domains for 3 to 5 years, usually, and thus none will expire before the end of the promotion), I will still be interested the next time I need a "public" X509 certificate.

A few questions remains, though:
- Will you support SubjectAltName extension in certificate requests ? (OID 2.5.29.17) If yes, will there be additional costs involved ?
- What is your root CA ? Ideally, do you have a web page that is signed with your production authority so we can check the chain and compatibility with browsers and applications ?
- Will you support custom OIDs in the certificates ? If yes, will there be additional costs involved ?

Thank you,
Stephane

One domain name, one certificate - Leland

Leland — Thu, 05 Mar 2009 14:23:37 +0100

@Jonas (#21)

I just tried with Safari 3.2.1 myself, and it defaulted to english for me -- even though the language cookie isn't listed in my Safari... (/me investigates further)

hmm...

Update

Okay.. looking into this I think I have isolated the answer. You mentioned that you have set the Accept-language header to nl-nl... I removed the cookie and did the same in Firefox and sure enough the page defaulted to french. The long and short of it is the site defaults to french without cookie. If you set a language preference in the browser, but it is a language that is not recognised or supported by the gandi website, again it will revert to its default language (French). If the language is recognised and supported, it will attempt to use that instead. If the language cookie is set, this overrides the browser preference.

HTH

Leland

One domain name, one certificate - Jonas

Jonas — Thu, 05 Mar 2009 13:14:22 +0100

@Leland

I'm using Safari 3.2.1. For .gandi.net I have a 'currency' but no 'language' cookie. It also turns out that my language isn't even saved within the same session. I hadn't noticed this because of the redirect to en.gandi.net.

I just tried Firefox and this browser does indeed store the 'language' cookie. The default language (sans cookie) was French, despite having the 'Accept-Language' header set to 'nl-nl'.

One domain name, one certificate - nibl

nibl — Thu, 05 Mar 2009 03:47:59 +0100

Is this a single root or chained root certificate?

I don't see Gandi listed as a known CA in Firefox 3.0.6, so which authority/authorities is Gandi using?

Thanks.

One domain name, one certificate - Steve

Steve — Thu, 05 Mar 2009 01:36:22 +0100

Is there any need to whine so much, people? Obviously Gandi are SSL resellers from a higher authority; otherwise they'd have to go back in time and have their cert added to browsers from years ago to make it actually work properly. Renewal after the year is optional, and it's a pretty low price anyway.

My company's SSL certs are up for renewal in May and I'll certainly be having a good look at Gandi's offering, as they've been so good with everything else I've bought from them in the past.

One domain name, one certificate - Tom Chiverton

Tom Chiverton — Thu, 05 Mar 2009 00:32:50 +0100

@Stephen: Cheers, email sent ! It is an excellent deal, and a lot better experience than elsewhere too

One domain name, one certificate - Leland

Leland — Wed, 04 Mar 2009 13:45:08 +0100

@Jonas (#10) concerning your issue with the site language. It seems that your browser is not storing a specific cookie used by the website to remember the language preference.

Specifically, the name of the cookie is simply "language" with a content indicating the country code corresponding to the preferred language. It is applied to domain *.gandi.net and sent for any type of connection. It generally has a 90 day life time as far as I can tell.

Using firefox and IE, the gandi website (as well as the wiki, groups, and gandibar) all default to english for me (and I'm actually at Gandi in Paris) as stored in my language cookie (English is my native language, so suits me perfectly!).

You might want to check that your browser is accepting and storing the appropriate cookies from Gandi.net. (In firefox, for example, the cookies associated with the page can be found under Tools -> Page Info -> Security -> View Cookies.)

Hope that helps!

Leland

One domain name, one certificate - joe (Gandi)

joe (Gandi) — Wed, 04 Mar 2009 12:05:49 +0100

Hi El Bunto,

I believe you can purchase a certificate per sub domain, e.g. buy several of the 1 sub domain certs, rather than buying the unlimited one which as you say is much more expensive. This way you can vary the cost with the number you need. Does that help?

Joe

One domain name, one certificate - Stephan

Stephan — Wed, 04 Mar 2009 10:03:11 +0100

Jonas : The french version is also clearer now, I modified it. It's always tricky to communicate, so thanks for asking the right questions.

Wolfgang : we are your CA certificate. The fact we've licensed a technology doesn't mean we're not really your authority of certification. We are declared like that, and I guess it's all that really matters at the end.

Tom/Ano/El Bunto : Thanks for the feedback We appreciate your concerns, and for the effort of posting here, I'll make sure you'll benefit from a free certificate with your domains (1 year is already a great offer, as you recognized !). Hope it helps :D
Please contact our support we'll deal with it.

One domain name, one certificate - El Bunto

El Bunto — Wed, 04 Mar 2009 08:53:21 +0100

I'm not pleased with GANDI regarding this scheme.

First, I renewed my domain early after receiving the `domain expiring in 30 days'' communication to prevent any problems with payment processing. So although my domain renews on 10th March, I am not eligible for this free certificate. Why not?

Secondly, the vast gulf in prices for one cert versus an unlimited number appears to be deliberately designed to sting those people who need two or three certs. Why did GANDI not offer a sliding scale of pricing instead of assuming that those who need more than one cert must purchase an infinite number?

One domain name, one certificate - Anonymous

Anonymous — Wed, 04 Mar 2009 08:37:57 +0100

Regarding comment 11: Based on the documentation in the wiki at http://wiki.gandi.net/ssl, it looks like Gandi lets you generate a CSR yourself and submit that. A CSR includes only the public key, not the private key.

Regarding comment 10: Yeah, same problem here. I registered my domain two months ago. I wonder: does renewing early, as in adding a year to the end of the registration, let me take advantage of the free certificate offer?

Regarding the various comments about misleading advertising: only one struck me as misleading, namely the word "renew". I interpreted the offer as "each time you renew your domain you get a free certificate for a year", which would *rock*. When I realized it only meant one free year total, that seemed slightly less awesome, though still nice. And your prices still beat many other certificate authorities.

One domain name, one certificate - Wolfgang Rupprecht

Wolfgang Rupprecht — Tue, 03 Mar 2009 21:43:01 +0100

If Gandi were to sign my CA certificate, that might be worth something, but I'm not sure when I would trust a certificate where the private key was generated by an outside entity and where the only barrier to someone else getting a key with a a similar CN is an administrative one.

One domain name, one certificate - Tom

Tom — Tue, 03 Mar 2009 19:55:11 +0100

Ace !
Except... I renewed my domains just the other week, and obviously missed this offer, which is only going to run till the end of the year, apparently. Bah.

One domain name, one certificate - Jonas

Jonas — Tue, 03 Mar 2009 18:51:42 +0100

Well, in the French version of http://www.gandi.net/ssl/ there's no mention of the one year limit in the title ("Un certificat SSL standard inclus gratuitement* avec votre nom de domaine !").

On a side note. It's really annoying that everything I visit Gandi.net, I first get served the French version. It never gives me the English version even though I'm using a Dutch version of my OS and browser. Also, when I switch languages, it never remembers this choice between sessions. I'm guessing I get served the French version because I'm log in from Brussels.

Anyway. I did overreact--sorry for that--but you guys do sort of have a history with making your services look cheaper than they are (e.g. changing prices after the beta period; mentioning prices with VAT not included). You shouldn't. You're the best already!

One domain name, one certificate - El Bunto

El Bunto — Tue, 03 Mar 2009 18:02:35 +0100

I was very excited by this announcement, but was then disappointed at the binary pricing scheme. I would require certificates for two subdomains but this results in an eight-fold increase in cost!

Perhaps Gandi would consider a sliding scale of prices? There is a spectrum of requirements between one domain and unlimited domains.

One domain name, one certificate - Stephan

Stephan — Tue, 03 Mar 2009 13:35:03 +0100

Vbfox : We're not reseller, but authority of certification. With all rights and duties attached. The fact that for the higher certificates we use Comodo services is simply to complete our offering, in order to cover the needs of everybody.

You don't need the extramile proposed with the big certificates (monetary guarantees), but perhaps others will make this choice, knowing exactly what they are buying (it's explained on the product pages, and we freely talk about it in and there).

We think we're introducing something quite interesting to the mass market : True SSL certificate with a domain name. From such a large provider, it's simply a first, and as certificates will be more and more important to professionalize your web presence, it's definitely a service we needed to propose, the Gandi way.

I totally agree with you, this particular market needs a good kick in the butt, and this is, I think, a good start in that direction : we're still there, with the same ethical guidelines and hopes, be assured about that.

One domain name, one certificate - Vbfox

Vbfox — Tue, 03 Mar 2009 12:43:29 +0100

I really hope that you someday manage it. It is a market that -- like dns when gandi began -- need a good kick in the butt.

One domain name, one certificate - joe (Gandi)

joe (Gandi) — Tue, 03 Mar 2009 12:35:28 +0100

Hi Vbfox,

Don't worry about it. I understand. In an ideal world we would provide every product direct to you, build and developed entirely in house, as we have with our domains and hosting services. However some products like SSL require quite a serious investment in specific encryption technologies, which is why the industry is dominated by a few large players. We have choosen Comodo as our SSL technology provider and partner as they are independent, which is important to us as it is consistent with our vision.

I hope that gives you a better idea of where we're coming from, and thanks for helping us make sure our message is clear and honest.

Joe

One domain name, one certificate - Vbfox

Vbfox — Tue, 03 Mar 2009 12:15:34 +0100

It totally make sense, i'm sorry if i was rude but i was expecting more from you. You are here just a resseler as there are a miriad of.

I still don't see why i should pay an ssl cert when i use it to provide non monetary services.

When i provide a webmail or a private download site for my company or even to customers WHY should i pay for a service that is just a distributed pki to avoid man in the middle. Gandi as a domain name provider know that i own the domain and should be able to provide a wilcard for free.

The current offer is the same as other providers and is aimed to provide monetary guarantees that arent needed in most case.

Basically i was expecting more. Sorry.

One domain name, one certificate - joe

joe — Tue, 03 Mar 2009 11:51:40 +0100

Hi vbfox and Jonas,

There is no intension to deceive you here. We are paying for the privilage to be able to offer our customers a certificate for 1 year for free with all domains. Like domains, certificates cost money, so we can't provide this for free indefiniately.

The text on our homepage says '1 year free certificate' and as you have pointed out we do put the terms of the certificate clearly on the SSL page. We are not trying to hide our offer, nor why we are offering it. If it was not clear in the article, I will adjust it, as we would hate for you to think we are trying to mislead or exploit you.

The reason we are doing this is because we think certificates will form an increasingly important part of the domain space, particularly as the ICANN liberalisation will create any number of alternative domains that might 'look' like your domain. The certificate will be a way of making sure your customers know its you.

As Ryan says, we hope you will see some benefit from the free year and if you want to continue with it, that's up to you. If we can find a way to extend the offer, or get you better rates, we will do that.

I hope that makes sense,

Joe

One domain name, one certificate - Vbfox

Vbfox — Tue, 03 Mar 2009 11:36:59 +0100

Misleading advertising and as all other you expect us to pay for a small "*" character.

Long gone is the time wher gandi was doing things more honestly than other. Now your just another money hungry provider.

One domain name, one certificate - Ryan (gandi)

Ryan (gandi) — Tue, 03 Mar 2009 11:34:15 +0100

Jonas: we are simply saying that we include a Gandi Standard SSL Certificate for free for one year, with domains that are registered, renewed, or transferred at Gandi.

As is our way, there is no obligation to have a Standard SSL certificate with the domain's registration, and no forced sale. If our customer wants to have a Gandi Standard SSL certificate, he will be happy to benefit from the free year, and can renew it if it pleases him/her, or not.

One domain name, one certificate - Jonas

Jonas — Tue, 03 Mar 2009 11:04:19 +0100

* Included for free the first year with the purchase, transfer, or renewal of your domain name. €12 euros excl. vat per year for its renewal. Offer valid until December 31st, 2009.

This is some seriously misleading advertising you have going on here.