
Where can you get a (cheap or free) digital certificate (for Code Signing jar files)? - juwo

======
dpapathanasiou
This is one place where cheapest may not be best.

We went through a similar thing a few years back with SSL certificates.

GoDaddy offered super-cheap (relatively speaking) certs, but none of the major
browsers had GoDaddy in their default list of certification entities at that
time.

So the upshot of using a GoDaddy cert was that every visitor would get a "not
trusted" warning, even though the cert was legitimate.

That's not something you want your users to see when they're in the middle of
signing up or downloading something from your site.

I don't know whether or not this concept applies to java & jar too, but you
might want to confirm it before making a decision.

~~~
juwo
This sounds like a startup opportunity - issue cheap but trusted certificates.

~~~
SwellJoe
It worked for Mark Shuttleworth during (before) the first boom. It could work
for you, too!

There's a lot of competition out there these days, and the cost/time of
getting accepted by all of the browsers put your time to revenues sometime two
or three years into the future. In other words, it's a hard business to get
into to, and you'll probably need a source of revenue while you wait. That's
why folks who sell domains are getting into the business...they have some
revenues from the domain business for those two or three years, and then they
have a large customer base to sell the certs to.

------
jmw
It's worse in the mobile space.

If you're trying to sign a jar to go on handsets, you pretty much either have
to go a thawte certificate ($200), or a verisign certificate ($400) in order
to guarantee compatibility with most handsets that are out there.

------
chmike
cacert are free certificates but the root certificates are not frequently
preinstalled on browsers and mobile phones. I was told that Microsoft asks
around 10k$/year to add a root certificate in its browser. Add to this the
cost to validate the certification process.

If you can get user's cooperation so that they can install the root
certificate, you may go with cacert certificates.

The more web sites uses cacert, the more chances you will have that the cacert
root certificate is preinstalled.

Regarding startup opportunity, as long as there is a problem and/or the
opportunity to do something useful, the opportunity exists.

You might also be interested to follow the progress of my project
<http://dis.weebly.com> because one of my objective is to do something in this
field. But I am afraid it won't help juwo for is current problem.

------
juwo
Thawte wants to charge me $249 just to renew - I paid $50 for the certificate
last year.

I heard you can get them free from CA Authority but when I looked it up, they
have some procedure where you have to know someone who is a CA and attend
their events, (which are mostly in Europe or California).

~~~
vlad
I think the cheapest ones are from comodo.com , $179.

~~~
juwo
that is ridiculous. all they are doing is calling you up to verify you are
from where you say you are, and doing a quick lookup. At the time of purchase.

After that, it is just the certificate file.

~~~
vlad
Well, when IE 6 and Vista first came about a couple of years ago, I could not
find code-signing certificates listed anywhere except comodo.com and
verisign.com. They are being offered in more places now, but also for a lot
more money. It's $500 for 3 years from comodo.com--that's only a savings of
about twenty dollars a year. I believe multi-year savings used to be much more
substantial before. Yet more reasons to create web applications.

