The cost of a code signing certificate
2008-01-17 07:31:00 by Keith Brown in Security Briefs
 

In my recent post about Windows Live OneCare Firewall and Security, I mentioned that code signing certificates aren't cheap. If you look at the major vendors like VeriSign and Thawte, you'll find they charge between $300 and $500 for a cert that's valid for a year.

Scott commented that you can get cheap code-signing certs, as Jon Robbins points out. 80 bucks sounds like quite a deal, but a quick look at Jon's post reveals that a cheap code signing cert isn't as easy to use as one issued by the big dogs:

I had some trouble with the registration process at Comodo. Make sure you add https://secure.comodo.net to the list of trusted sites in Internet Explorer so they can properly get you registered and install their trusted root certificate on your computer.

It's not just ease of use that I'm worried about here though. What's it mean to ask your customer to install a CA certificate into her trusted root store? I'm thinking of a nontechnical person like my mother - what's she going to think when she's asked to approve something that looks like this (the dialog that pops up on Windows XP when you try to install a cert into the trusted root store):

[Image: the Windows XP security warning dialog shown when a certificate is about to be installed into the trusted root store]

If you find that your customers tend to choose the default option here, "NO", your code signing cert won't be trusted, which begs the question: why didn't you save yourself the 80 bucks and simply issue your own code signing cert via Windows' built-in Certificate Services?

And even worse, what does it mean if you find that your customers tend to choose, "YES"? That leads to the philosophical question: what use is PKI anyway if the end user doesn't understand it? If every software vendor creates one of those web pages (I'm sure you've seen them) instructing users on what to do when they see the above dialog ("press YES"), then ultimately what's the cost to the consumer?

I don't like tithing to my certificate authority any more than the next guy, but buying a "cheap" cert is more costly in the long term. If you need a cheap certificate for testing or for personal reasons, issue it yourself! If you need a real certificate, your best bet is to stick with a vendor that your customers already "trust", for better or for worse.
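Both halves of that argument can be seen at a PowerShell prompt. The following is an added example, not code from Keith's post or from any certificate vendor: it issues a self-signed test code-signing cert (a quicker stand-in for the Certificate Services route mentioned above), signs a script with it, and shows that the signature is reported as untrusted because nothing in the chain ends at a trusted root. The third function is the defender's side of the "press YES" problem: it lists the roots a user has personally accepted through that dialog, which land in the user's own Root store rather than the machine's. It assumes Windows PowerShell 5.1 or later (for New-SelfSignedCertificate); the subject name and file path are made up.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+.
# Subject name and script path below are placeholders chosen for the demo.

function New-TestCodeSigningCert {
    param([string]$Subject = 'CN=Test Code Signing (NOT TRUSTED)')
    # -Type CodeSigningCert sets the Code Signing EKU (1.3.6.1.5.5.7.3.3).
    # The cert goes into CurrentUser\My only; nothing is added to any Root store,
    # so it is usable for local testing and nothing else.
    New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
        -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)
}

function Test-SignatureTrust {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Path = (Join-Path $env:TEMP 'hello.ps1')
    )
    Set-Content -Path $Path -Value 'Write-Output "hello"'
    Set-AuthenticodeSignature -FilePath $Path -Certificate $Cert | Out-Null
    # Status is 'Valid' only when the signer chains to a root this machine trusts.
    # For the self-signed test cert it comes back 'UnknownError' with a message that
    # the chain terminates in a root that is not trusted, which is exactly the state
    # a customer is in when they click "NO" on the install-root dialog.
    Get-AuthenticodeSignature -FilePath $Path |
        Select-Object Status, StatusMessage,
            @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
}

function Get-UserInstalledRoots {
    # Roots accepted through the per-user "install this CA?" dialog are written to the
    # current user's Root store. The Cert: provider shows that store merged with the
    # machine roots, so removing machine thumbprints leaves the roots this user alone
    # chose to trust. Review these: each one can vouch for any signer it has issued to.
    $machine = Get-ChildItem 'Cert:\LocalMachine\Root' | ForEach-Object { $_.Thumbprint }
    Get-ChildItem 'Cert:\CurrentUser\Root' |
        Where-Object { $machine -notcontains $_.Thumbprint } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# Walk-through
$cert = New-TestCodeSigningCert
Test-SignatureTrust -Cert $cert      # expect Status other than 'Valid'
Get-UserInstalledRoots | Format-Table -AutoSize
```

The third function is the useful one in a support or incident setting: if a vendor's install guide told users to approve an unknown CA, the evidence is a root in the user's store that the machine itself never trusted, and the list above is where it will show up.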
