I think it is "cheap" compared to other certificates. But everyone/company must decide for what it pays its hard-earned money.
Greetings from Germany
|
Well, wouldn't the certification authority have to perform some kind of background check and verification to ensure that the applicant isn't some kind of devious cracker dude who wants to wreak havoc on the planet? I am not endorsing this or trying to justify the prices - merely trying to point out that there may be some amount of manual labor involved before certificates are issued. But yes, prices like these do put signing software out of many small scale development units' reach. And besides, I am not sure how savvy the average end user is to care for verifying digital signatures!
--
gleat
http://blogorama.nerdworks.in
-- Number Two's eyes narrowed and became what are known in the Shouting and Killing People trade as cold slits, the idea presumably being to give your opponent the impression that you have lost your glasses or are having difficulty keeping awake. Why this is frightening is an, as yet, unresolved problem. -- HHGTG
|
gleat wrote: Well, wouldn't the certification authority have to perform some kind of background check and verification to ensure that the applicant isn't some kind of devious cracker dude who wants to wreak havoc on the planet?
What if they did? Unless your user base demands that you sign your executables, paying for a background check on yourself doesn't really gain you anything there.
gleat wrote: And besides, I am not sure how savvy the average end user is to care for verifying digital signatures!
Well, exactly. If most or all potential users are as likely to install an unsigned app as they are a signed one, then you're just throwing money away - they'll still install both your app and the malware.
---- You're right.
These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
|
Shog9 wrote: What if they did? Unless your user base demands that you sign your executables, paying for a background check on yourself doesn't really gain you anything there.
Yep, it doesn't! And most users probably don't care either way (except maybe if you're building something for the Department of Defense or something).
That apart, sometimes, deciding to sign your code may be technology driven. I remember working on a project where we had to sign a Java applet because the JRE didn't allow you to make cross-domain network calls otherwise and we really hated having to do this as it was one more hoop that the users had to jump through. They had to click this "I agree" thingy you see - which of course meant that there had to be documentation on the screen somewhere that told them what to do - with screen-shots and all ("hey, don't forget to check that 'Always do this' check-box by the way, so you don't have to deal with this ever again - except of course, if you used a different browser, or re-installed it or cleared your cache yada yada yada"... sigh!). Sometimes, the verification dialog would hide behind the browser window and the user would never know what was going on and the page'd just sit there doing nothing! Grrr!
And if that wasn't enough, we learnt that you had to get separate certificates to sign applets and ActiveX controls and you had to pay in full for both!
--
gleat
http://blogorama.nerdworks.in
-- Number Two's eyes narrowed and became what are known in the Shouting and Killing People trade as cold slits, the idea presumably being to give your opponent the impression that you have lost your glasses or are having difficulty keeping awake. Why this is frightening is an, as yet, unresolved problem. -- HHGTG
|
The signing authority could verify my company in under 5 minutes, probably 1 minute if they do that for a living and are all set up to do the checks. 500 plus dollars for a minute's work and a few bytes on a server somewhere for a year seems just about as close to legal robbery as you can get.
"It's so simple to be wise. Just think of something stupid to say and then don't say it."
-Sam Levenson
|
The point of signing code isn't to verify it is safe, just that the company the certificate belongs to wrote it. If you don't trust the company/individual signing the code, the signature is useless.
|
Try Comodo, there is no advantage that I can see in paying so much for a code signing certificate from another, better known, company.
1 year at $180, 2 year at $340 and 3 year at $500.
Cheers,
Brett
|
Still rather high isn't it?
Especially given that skip tracers can be had for under $75/hr now?
I think we need an "Open Source" Certificate Authority.
|
I bought a couple of SSL certificates from Comodo and they are much cheaper than Verisign. Code signing certificates cost $179/year, I think a little more reasonable.
|