One domain name, one certificate
By Ryan on Tuesday 3 March 2009, 08:54 - SSL - Permalink
Since trust is the basis of all relationships, and since Gandi has been working each and every day for nearly ten years to earn yours, we have the pleasure of announcing a new and important step: as of today, Gandi is a Certification Authority.
The principle is simple: you visit a website, and in the address bar of your web browser, you see a little padlock or a green color (or colour
) that means, "go ahead, you are on a secure website".
Gandi, true to its core value of "Internet For All", wants to provide this technology to as many people as possible so that they can establish a real and secure online presence. As part of this mission, Gandi will now include a 1 year certificate for free, with each domain name that is registered, transferred or renewed at Gandi.
When you confide your company name, your trademark, your shop, your domain names to us to manage, trust is hugely important.
It is also important when you extend that trust to a company that hosts your resources, a company that allows you to be online and to own a little piece of the web.
Visitors to your site will have that same need for trust and security when they decide to visit your website, whether to order products, services, or just to contact you.
For these everyday choices internet certificates are there to reassure your customers, and to guide them towards those sites that have chosen to have a more "professional" presence.
Gandi, by the quality of its services and products, is a world-renowned domain name registrar and web host that benefits from a capital of confidence that many envy. It was therefore logical (and requested by many of our customers) that we provide these internet certificates.
For those that would like to go further, an entire range of services will be made available on our website www.gandi.net, to meet the needs of our varying customers: individuals, SME, corporate customers, institutions, or resellers, everyone may find a plan that will meet their specific needs.
Have a look at our full offer at http://www.gandi.net/ssl
The principle is simple: you visit a website, and in the address bar of your web browser, you see a little padlock or a green color (or colour
) that means, "go ahead, you are on a secure website".Gandi, true to its core value of "Internet For All", wants to provide this technology to as many people as possible so that they can establish a real and secure online presence. As part of this mission, Gandi will now include a 1 year certificate for free, with each domain name that is registered, transferred or renewed at Gandi.
When you confide your company name, your trademark, your shop, your domain names to us to manage, trust is hugely important.
It is also important when you extend that trust to a company that hosts your resources, a company that allows you to be online and to own a little piece of the web.
Visitors to your site will have that same need for trust and security when they decide to visit your website, whether to order products, services, or just to contact you.
For these everyday choices internet certificates are there to reassure your customers, and to guide them towards those sites that have chosen to have a more "professional" presence.
Gandi, by the quality of its services and products, is a world-renowned domain name registrar and web host that benefits from a capital of confidence that many envy. It was therefore logical (and requested by many of our customers) that we provide these internet certificates.
For those that would like to go further, an entire range of services will be made available on our website www.gandi.net, to meet the needs of our varying customers: individuals, SME, corporate customers, institutions, or resellers, everyone may find a plan that will meet their specific needs.
Have a look at our full offer at http://www.gandi.net/ssl
Comments
* Included for free the first year with the purchase, transfer, or renewal of your domain name. €12 euros excl. vat per year for its renewal. Offer valid until December 31st, 2009.
This is some seriously misleading advertising you have going on here.
Jonas: we are simply saying that we include a Gandi Standard SSL Certificate for free for one year, with domains that are registered, renewed, or transferred at Gandi.
As is our way, there is no obligation to have a Standard SSL certificate with the domain's registration, and no forced sale. If our customer wants to have a Gandi Standard SSL certificate, he will be happy to benefit from the free year, and can renew it if it pleases him/her, or not.
Misleading advertising and as all other you expect us to pay for a small "*" character.
Long gone is the time wher gandi was doing things more honestly than other. Now your just another money hungry provider.
Hi vbfox and Jonas,
There is no intension to deceive you here. We are paying for the privilage to be able to offer our customers a certificate for 1 year for free with all domains. Like domains, certificates cost money, so we can't provide this for free indefiniately.
The text on our homepage says '1 year free certificate' and as you have pointed out we do put the terms of the certificate clearly on the SSL page. We are not trying to hide our offer, nor why we are offering it. If it was not clear in the article, I will adjust it, as we would hate for you to think we are trying to mislead or exploit you.
The reason we are doing this is because we think certificates will form an increasingly important part of the domain space, particularly as the ICANN liberalisation will create any number of alternative domains that might 'look' like your domain. The certificate will be a way of making sure your customers know its you.
As Ryan says, we hope you will see some benefit from the free year and if you want to continue with it, that's up to you. If we can find a way to extend the offer, or get you better rates, we will do that.
I hope that makes sense,
Joe
It totally make sense, i'm sorry if i was rude but i was expecting more from you. You are here just a resseler as there are a miriad of.
I still don't see why i should pay an ssl cert when i use it to provide non monetary services.
When i provide a webmail or a private download site for my company or even to customers WHY should i pay for a service that is just a distributed pki to avoid man in the middle. Gandi as a domain name provider know that i own the domain and should be able to provide a wilcard for free.
The current offer is the same as other providers and is aimed to provide monetary guarantees that arent needed in most case.
Basically i was expecting more. Sorry.
Hi Vbfox,
Don't worry about it. I understand. In an ideal world we would provide every product direct to you, build and developed entirely in house, as we have with our domains and hosting services. However some products like SSL require quite a serious investment in specific encryption technologies, which is why the industry is dominated by a few large players. We have choosen Comodo as our SSL technology provider and partner as they are independent, which is important to us as it is consistent with our vision.
I hope that gives you a better idea of where we're coming from, and thanks for helping us make sure our message is clear and honest.Joe
I really hope that you someday manage it. It is a market that -- like dns when gandi began -- need a good kick in the butt.
Vbfox : We're not reseller, but authority of certification. With all rights and duties attached. The fact that for the higher certificates we use Comodo services is simply to complete our offering, in order to cover the needs of everybody.
You don't need the extramile proposed with the big certificates (monetary guarantees), but perhaps others will make this choice, knowing exactly what they are buying (it's explained on the product pages, and we freely talk about it in and there).
We think we're introducing something quite interesting to the mass market : True SSL certificate with a domain name. From such a large provider, it's simply a first, and as certificates will be more and more important to professionalize your web presence, it's definitely a service we needed to propose, the Gandi way.
I totally agree with you, this particular market needs a good kick in the butt, and this is, I think, a good start in that direction : we're still there, with the same ethical guidelines and hopes, be assured about that.
I was very excited by this announcement, but was then disappointed at the binary pricing scheme. I would require certificates for two subdomains but this results in an eight-fold increase in cost!
Perhaps Gandi would consider a sliding scale of prices? There is a spectrum of requirements between one domain and unlimited domains.
Well, in the French version of http://www.gandi.net/ssl/ there's no mention of the one year limit in the title ("Un certificat SSL standard inclus gratuitement* avec votre nom de domaine !").
On a side note. It's really annoying that everything I visit Gandi.net, I first get served the French version. It never gives me the English version even though I'm using a Dutch version of my OS and browser. Also, when I switch languages, it never remembers this choice between sessions. I'm guessing I get served the French version because I'm log in from Brussels.
Anyway. I did overreact--sorry for that--but you guys do sort of have a history with making your services look cheaper than they are (e.g. changing prices after the beta period; mentioning prices with VAT not included). You shouldn't. You're the best already!
Ace !
Except... I renewed my domains just the other week, and obviously missed this offer, which is only going to run till the end of the year, apparently. Bah.
If Gandi were to sign my CA certificate, that might be worth something, but I'm not sure when I would trust a certificate where the private key was generated by an outside entity and where the only barrier to someone else getting a key with a a similar CN is an administrative one.
Regarding comment 11: Based on the documentation in the wiki at http://wiki.gandi.net/ssl, it looks like Gandi lets you generate a CSR yourself and submit that. A CSR includes only the public key, not the private key.
Regarding comment 10: Yeah, same problem here. I registered my domain two months ago. I wonder: does renewing early, as in adding a year to the end of the registration, let me take advantage of the free certificate offer?
Regarding the various comments about misleading advertising: only one struck me as misleading, namely the word "renew". I interpreted the offer as "each time you renew your domain you get a free certificate for a year", which would *rock*. When I realized it only meant one free year total, that seemed slightly less awesome, though still nice. And your prices still beat many other certificate authorities.
I'm not pleased with GANDI regarding this scheme.
First, I renewed my domain early after receiving the `domain expiring in 30 days'' communication to prevent any problems with payment processing. So although my domain renews on 10th March, I am not eligible for this free certificate. Why not?
Secondly, the vast gulf in prices for one cert versus an unlimited number appears to be deliberately designed to sting those people who need two or three certs. Why did GANDI not offer a sliding scale of pricing instead of assuming that those who need more than one cert must purchase an infinite number?
Jonas : The french version is also clearer now, I modified it. It's always tricky to communicate, so thanks for asking the right questions.
Wolfgang : we are your CA certificate. The fact we've licensed a technology doesn't mean we're not really your authority of certification. We are declared like that, and I guess it's all that really matters at the end.
Tom/Ano/El Bunto : Thanks for the feedback
We appreciate your concerns, and for the effort of posting here, I'll make sure you'll benefit from a free certificate with your domains (1 year is already a great offer, as you recognized !). Hope it helps :D
Please contact our support we'll deal with it.
Hi El Bunto,
I believe you can purchase a certificate per sub domain, e.g. buy several of the 1 sub domain certs, rather than buying the unlimited one which as you say is much more expensive. This way you can vary the cost with the number you need. Does that help?
Joe
@Jonas (#10) concerning your issue with the site language. It seems that your browser is not storing a specific cookie used by the website to remember the language preference.
Specifically, the name of the cookie is simply "language" with a content indicating the country code corresponding to the preferred language. It is applied to domain *.gandi.net and sent for any type of connection. It generally has a 90 day life time as far as I can tell.
Using firefox and IE, the gandi website (as well as the wiki, groups, and gandibar) all default to english for me (and I'm actually at Gandi in Paris) as stored in my language cookie (English is my native language, so suits me perfectly!).
You might want to check that your browser is accepting and storing the appropriate cookies from Gandi.net. (In firefox, for example, the cookies associated with the page can be found under Tools -> Page Info -> Security -> View Cookies.)
Hope that helps!
Leland
@Stephen: Cheers, email sent ! It is an excellent deal, and a lot better experience than elsewhere too
Is there any need to whine so much, people? Obviously Gandi are SSL resellers from a higher authority; otherwise they'd have to go back in time and have their cert added to browsers from years ago to make it actually work properly. Renewal after the year is optional, and it's a pretty low price anyway.
My company's SSL certs are up for renewal in May and I'll certainly be having a good look at Gandi's offering, as they've been so good with everything else I've bought from them in the past.
Is this a single root or chained root certificate?
I don't see Gandi listed as a known CA in Firefox 3.0.6, so which authority/authorities is Gandi using?
Thanks.
@Leland
I'm using Safari 3.2.1. For .gandi.net I have a 'currency' but no 'language' cookie. It also turns out that my language isn't even saved within the same session. I hadn't noticed this because of the redirect to en.gandi.net.
I just tried Firefox and this browser does indeed store the 'language' cookie. The default language (sans cookie) was French, despite having the 'Accept-Language' header set to 'nl-nl'.
@Jonas (#21)
I just tried with Safari 3.2.1 myself, and it defaulted to english for me -- even though the language cookie isn't listed in my Safari... (/me investigates further)
hmm...
Update
Okay.. looking into this I think I have isolated the answer. You mentioned that you have set the Accept-language header to nl-nl... I removed the cookie and did the same in Firefox and sure enough the page defaulted to french. The long and short of it is the site defaults to french without cookie. If you set a language preference in the browser, but it is a language that is not recognised or supported by the gandi website, again it will revert to its default language (French). If the language is recognised and supported, it will attempt to use that instead. If the language cookie is set, this overrides the browser preference.
HTH
Leland
Hello,
I was kinda excited by the announcement because, like you, I strongly believe that SSL must be much strongly tied to the DNS system and this for many reasons, only a few of them being that it will make securing "low budget" domains stronger.
However, I wasn't surprised to see that the announcement is misleading: with the fact that you get a single SSL cert per registered DNS and the fact that it's only for a single year, the real mellow of that specific bone has been removed and it's now just a promotional introduction offer instead of a real step forward.
Don't get me wrong: it IS a good offer and the price is really interesting. Even though I'm apparently too good a customer to be eligible for this offer (I register my domains for 3 to 5 years, usually, and thus none will expire before the end of the promotion), I will still be interested the next time I need a "public" X509 certificate.
A few questions remains, though:
- Will you support SubjectAltName extension in certificate requests ? (OID 2.5.29.17) If yes, will there be additional costs involved ?
- What is your root CA ? Ideally, do you have a web page that is signed with your production authority so we can check the chain and compatibility with browsers and applications ?
- Will you support custom OIDs in the certificates ? If yes, will there be additional costs involved ?
Thank you,
Stephane
Fulgan: See comment #15 and contact our customer care team
Regarding your questions, we don't support custom OIDs in our certificate for the moment and SubjectAltName extension are not proposed for the moment, we will probably add a intermediary offer with 2 or 3 CN included.
Our intermediate CA are available here http://en.gandi.net/ssl/documentati... and our root CA here http://crt.usertrust.com/AddTrustEx...
It seems that EV SSL are great but the green bar doesn't display in IE !! Do you know why ?