On 11 May 2014, at 20:03, Platonides <platonides@gmail.com> wrote:

Merlijn van Deen wrote:
On 11 May 2014 13:55, Silke Meyer <silke.meyer@wikimedia.de
<mailto:silke.meyer@wikimedia.de>> wrote:

   It is not a trivial redirect: Wikimedia Deutschland will obviously not
   give the wildcard SSL certificate for *.wikimedia.de
   <http://wikimedia.de> to WMF (and WMF
   would not want to have it). This would mean we would have to
   completely delegate that subdomain to WMF and guarantee that it stays
   like that forever. This is hard to guarantee and it is also misleading
   to delegate a .de subdomain to the Foundation.


First of all: Why would the (sub)domain need to be delegated to the WMF?
The redirect could just be on WMDE servers.

If the redirect *has* to be on Foundation servers for some reason, it
could just use a specific tools.wikimedia.de <http://tools.wikimedia.de>
certificat -- or we could just kill SSL altogether -- the
tools.wikimedia.de <http://tools.wikimedia.de> domain is from before the
toolserver even had SSL support.

+1

I think you are viewing things more complex than they really are, Silke.


Indeed. Assuming WMDE isn't planning on not having any web servers, their
existing web server for wikimedia.de can keep redirecting tools.wikimedia.de
to toolserver.org. No changes necessary.

If WMDE really wants to remove them, they could point that subdomain to
WMF servers and have WMF do the redirect and simply don't provide an SSL
certificate. E.g. WMF would use a self-signed certificate or an invalid one like
the one for wikipedia.org, WMF does this all the time for old or unused
domains:

wikipedia.com
https://www.wikipedia.com/

wikimediacommons.org
https://wikimediacommons.org/

And if we really really want, one could purchase a separate certificate for just
tools.wikimedia.org (so that the wildcard one isn't needed) and transfer only
that to WMF.

— Krinkle