

Ask HN: Where do you get your code signing certificates? - r1ch

Back in 2006 I was able to get a code signing certificate through a Comodo reseller with minimal headache - a simple proof of residency and photo id check and I was done.<p>Today I need a code signing certificate again for an open source project, but the requirements seem a lot stricter than I remember - multiple forms of ID, utility bills, passport, requiring notarized documents, etc doesn&#x27;t seem uncommon. Just the extra expense and hassle of getting something notarized is enough to turn me away.<p>Does anyone have any recommendations for a cheap (under $100&#x2F;yr) code signing certificate provider that won&#x27;t require notarization and other extra fees &#x2F; hassle? Thanks.
======
jasonkester
I just jumped through the thousand tiny hoops needed to get one through Comodo
(resold by tucows), and more than anything it was just calendar time and
busywork rather than any particular difficulty that bothered me about the
process.

After a week of not hearing back from them, I got in touch by email and they
said they were stalled (though they hadn't contacted me to say so) because the
email and phone number on the whois for the domain weren't exact matches with
the ones on the application.

Ok, fair enough. Fixed.

But then (days later) we were blocked because they couldn't look up the
business license. So I sent them a direct link to the Washington State
department of whatever search, with the business license number I'd given them
already pre-filled.

But then (days later) we were blocked because the phone number and business
address weren't to be found in any online phone book services. Can't call you
on the number listed on the businesses website or whois. Need phone book.

But phone book listings are free. You can add one for any business, fictitious
or otherwise, by supplying a name, address and phone number at yp.com. They
just take still more calendar time.

Add in a few more meaningless steps like that and I was verified (without ever
having to mail them that passport scan or anything else that would actually
verify me or my business).

I guess they need to justify charging all that money. But mostly it's just a
giant hassle that makes you glad you bought the longest duration cert possible
to avoid having to go through that again any time soon.

~~~
iancarroll
> But then (days later) we were blocked because the phone number and business
> address weren't to be found in any online phone book services. Can't call
> you on the number listed on the businesses website or whois. Need phone
> book. But phone book listings are free. You can add one for any business,
> fictitious or otherwise, by supplying a name, address and phone number at
> yp.com. They just take still more calendar time.

Last time I checked Comodo doesn't use YP as a provider. D&B is the preferred
way (~7 days, need it for a lot of other stuff too) to validate your address.

> Add in a few more meaningless steps like that and I was verified (without
> ever having to mail them that passport scan or anything else that would
> actually verify me or my business).

I don't think this is true at all.

Everything in that process had a purpose, to verify one piece of info after
the next. Comodo is not known for fast response times, but the process is
documented (see their legal repository for the CPS) and effective.

------
iancarroll
Persona verification is typically: \- one or two forms of ID

\- a bill showing the address

\- a phone call to the phone listed on the bill

I deal with multiple certificate authorities as a partner and typically you
won't need much else. If you're applying as a company, you might need a
notarization but this is uncommon.

I can sell you a code signing certificate for $75 from Comodo, but I've never
actually applied as an individual. Shoot me an email, in my profile.

Edit: As per 3.2.3.2 of the Comodo CPS, they require:

\- A photo ID "which discernibly shows the Applicant's face" to verify your
_name_.

\- "A government ID, utility bill, or bank or credit card statement" to verify
your _address_. "Comodo MAY rely on the same government issued ID that was
used to verify the Applicant's name."

Comodo also states that they may "[require] face to face verification of the
Applicant's identity before an authorized agent of Comodo, an attorney, a CPA,
a Latin notary, a notary public or equivalent."

~~~
r1ch
That sounds great, I'll shoot you an email tomorrow. Thanks!

