The cost of a code signing certificate


UPDATE: It turns out that John *did* find a bargain. Please be sure to read this followup post.

In my recent post about Windows Live OneCare Firewall and Security, I mentioned that code signing certificates aren't cheap. If you look at the major vendors like VeriSign and Thawte, you'll find they charge between $300 and $500 for a cert that's valid for a year.

Scott commented that you can get cheap code-signing certs, as John Robbins points out. 80 bucks sounds like quite a deal, but a quick look at John's post reveals that a cheap code signing cert isn't as easy to use as one issued by the big dogs:

I had some trouble with the registration process at Comodo. Make sure you add https://secure.comodo.net to the list of trusted sites in Internet Explorer so they can properly get you registered and install their trusted root certificate on your computer.

It's not just ease of use that I'm worried about here though. What does it mean to ask your customer to install a CA certificate into her trusted root store? I'm thinking of a nontechnical person like my mother - what's she going to think when she's asked to approve something that looks like this (the dialog that pops up on Windows XP when you try to install a cert into the trusted root store):

[Image: the Windows XP security warning dialog shown when installing a certificate into the trusted root store]

If you find that your customers tend to choose the default option here, "NO", your code signing cert won't be trusted, which raises the question: why didn't you save yourself the 80 bucks and simply issue your own code signing cert via Windows' built-in Certificate Services?

And even worse, what does it mean if you find that your customers tend to choose, "YES"? That leads to the philosophical question: what use is PKI anyway if the end user doesn't understand it? If every software vendor creates one of those web pages (I'm sure you've seen them) instructing users on what to do when they see the above dialog ("press YES"), then ultimately what's the cost to the consumer?

I don't like tithing to my certificate authority any more than the next guy, but buying a "cheap" cert is more costly in the long term. If you need a cheap certificate for testing or for personal reasons, issue it yourself! If you need a real certificate, your best bet is to stick with a vendor that your customers already "trust", for better or for worse.
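The two checks the post keeps coming back to are (a) whether a signature chains to a root the customer's machine already trusts, without her installing anything, and (b) how to issue a throwaway cert of your own for testing. The following PowerShell example is added here and is not the original post's code; it substitutes the modern `New-SelfSignedCertificate` cmdlet for the Certificate Services setup the 2008 post had in mind, and it assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2016 or later. The subject name and script path are placeholders.

```powershell
# Added example (not from the original post): issue a self-signed code-signing
# certificate for local testing, sign a script with it, then check the signature
# the way a customer's machine would - does the signer chain to a trusted root?
# Assumes Windows PowerShell 5.1+ on Windows 10 / Server 2016+.

$Subject = 'CN=Example Test Code Signing'          # placeholder subject
$Script  = Join-Path $env:TEMP 'hello.ps1'          # placeholder file to sign
Set-Content -Path $Script -Value 'Write-Output "hello"'

# 1. Issue a test cert into CurrentUser\My. No trust store knows about it yet,
#    which is exactly the situation the post describes for a "cheap" root.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)

# 2. Sign the script with it. Signing works regardless of trust; verification is
#    where the missing root shows up.
Set-AuthenticodeSignature -FilePath $Script -Certificate $cert | Out-Null

# 3. Verify like a customer would. Status is 'Valid' only when the signer chains
#    to a root in the local trusted store; otherwise the StatusMessage explains why.
$sig = Get-AuthenticodeSignature -FilePath $Script

# 4. Build the chain explicitly so the reason is visible (e.g. UntrustedRoot).
#    RevocationMode NoCheck keeps this runnable offline; keep 'Online' for real checks.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($sig.SignerCertificate)

[pscustomobject]@{
    Signer        = $sig.SignerCertificate.Subject
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    ChainBuilt    = $chainOk
    ChainErrors   = ($chain.ChainStatus | ForEach-Object Status) -join ','
}

# 5. Clean up the test cert so it does not linger in the personal store.
Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint)
```

Run it once on a machine where the test root has not been installed and the chain build fails with an untrusted-root error; that is the state a customer who clicks "NO" in the dialog is left in. Adding the cert to `Cert:\LocalMachine\Root` would make the chain build, but that is precisely the step the post argues you should never have to ask a nontechnical user to perform.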


Posted Jan 17 2008, 07:31 AM by keith-brown

Comments

John Robbins wrote re: The cost of a code signing certificate
on 01-17-2008 7:39 AM
Keith,

I'm sorry I didn't make it clear, but the $80 certificate is trusted by all computers. Where I had the problems and needed to install the Comodo cert was for the *purchase* of the certificate. I only did the install on the computer I purchased the certificate with and not any other computer.

Your mom will not need to do any certificate installs to see the Comodo certificate is valid. :)

-John Robbins
Keith Brown wrote re: The cost of a code signing certificate
on 01-17-2008 10:24 AM
LOL! Thanks for clarifying, John. You know, I swept through my trusted CA list before posting this, but I missed it - indeed it is there.
Jarle Nygård wrote re: The cost of a code signing certificate
on 01-18-2008 1:57 AM
I think the post should be updated to include this bit of info... ;)
Scott E Pace MD wrote re: The cost of a code signing certificate
on 05-30-2008 11:34 AM
Hello
I recently purchased a 3 yr Comodo Code Signing Certificate - which was a renewal as I had a certificate with them which expired on 5-20-08 and they had all my documents on file. Despite re-providing Comodo with Articles of Incorporation, Oklahoma Sec of State Filing Documents, Whois.net evidence showing my Company's email, phone number and address is registered to the required domain and an electric bill showing I live at my address, they still will not give me a code renewal. They state I need a "[utilities bill (Water/Gas/Telephone), Bank statement OR Cheque containing your company name and address]" but my software company is just me and I do not have any of those things. They are acting like they do not want to renew my code signing certificate. I discussed this with Thawte who stated they would take a notarized letter in lieu of a phone bill. I'm thinking Comodo is punishing me for buying the certificate from Tucows but a 3 year certificate was only $195.
Tucows is also very perplexed by this behavior. So Keith, do you think your Mom can help?

Scott
Charles wrote re: The cost of a code signing certificate
on 05-31-2008 4:44 AM
COMODO increases its web presence and reputation by being stern with cert buyers. If they want a copy of my birth certificate I'll gladly send it to them - even certified. If certs are too easy to get they lose their value. In my opinion, COMODO and all of the other cert companies need to be tough on all requests for certs - especially code signing certs that can invade a computer and render it useless.
Julian Moss wrote re: The cost of a code signing certificate
on 06-05-2008 2:44 AM
Certification authorities are subject to regular and strict audit controls. We promote Comodo code signing certificates (and incidentally have some good articles on code signing and free code signing tools) and we are often asked by shareware developers if they can get a certificate in their business name. Unfortunately most shareware businesses are just a trading name and not officially incorporated in any way so it is impossible to check that the applicant is really entitled to use the name.

In Scott's case it looks as if his business actually is incorporated, and I wonder if Comodo made a mistake? I would advise him to raise a support ticket with Comodo (or even to contact Comodo's MD via their online forum.)
