Does anybody have any experience with code signing certificates issued by startssl.com? I just went through their Class 2 validation and got my personal cert. The cost is $59 per year, but the best part is that, for an individual, the validation process is much easier than what I experienced with Comodo a few years ago - all I needed to do was upload two of my ID documents, a picture of me holding my ID card, a picture of my debit card, and transfer 0.1 to a bank account provided by StartCom. Tried signing a program of mine. Tried signing an EXE under Win7; initial tests show that the digital signature is recognized under both Win7 and XP.

Related post:
===
https://plus.google.com/u/0/+StefanGlienke/posts/9ituJw6MZ1p?cfem=1

Comments

  1. jeff weir Yes, corrected the URL :)

  2. A. Bouchez Let's Encrypt is awesome for a web server, but it's not for code signing a desktop program ;) According to the letsencrypt.org FAQ: Can I use certificates from Let's Encrypt for code signing or email encryption?

    No. Email encryption and code signing require a different type of certificate than Let’s Encrypt will be issuing.

  3. Edwin Yip Also my provider. Worked for me.

  4. The problem with StartSSL certificates is that not all systems contain the root certificates of StartSSL as trusted. Otherwise they are fine.

  5. Eugene Mayevski I'm new to this field -- I assume Windows versions starting from XP trust StartSSL certificates, right? If yes, that's OK for me. I wish you could reply; you are a professional in this area :)

  6. Edwin Yip
    I can't say anything about particular platforms, especially when they are so old. Moreover, I suspect that the set of ROOT certificates included with the OS can be different across various regional versions of the OS. You never know, actually.
    What I can say for sure is that StartSSL's CA certificates are not in the certificate store on many systems, so when signing something (or running a web site with a StartSSL certificate) be sure to include a complete certificate chain (excluding the root, of course, as it makes no sense) and not just the certificate itself.

  7. Joseph Mitzen
    Sometimes it makes sense to do the homework first. Those certificates are unsuitable, and also trust is very questionable.

  8. Joseph Mitzen Technically I pay for LetsEncrypt because I donate to the EFF.

  9. Eugene Mayevski Not sure what you mean by "be sure to include a complete certificate chain", but I'll do some research. Thanks!

  10. Joseph Mitzen Let's Encrypt is great, but we Delphi users need to first find a way to use a certificate issued by letsencrypt.org for EXE file signing ;)

  11. Eugene Mayevski Yes, letsencrypt.org's certificates are not suitable for signing desktop programs, but for web servers they're trustable - both Chrome and Firefox have added support for them.

  12. Edwin Yip
    First, the question was about code signing, not about web servers, right? Next, I don't trust fully-automated certificates. It's easy for an attacker to get a new certificate (with his own private key) if s/he has access to the validation resource (a file on a known URI or a DNS record). And while I usually say that the owner of the host is in bigger trouble in this situation, this is still one more channel for a data leak.

  13. Eugene Mayevski Yes, the question is all about code signing :) As to using letsencrypt.org for web servers, well, in my specific case, I don't have high security needs - all I want is to replace http with httpS, so that my potential users see a green icon in the address bar of their browser :)

  14. Edwin Yip
    Unfortunately, such an attitude undermines the whole notion of security. This is exactly why Extended Validation certificates are offered now - because "that green icon" is not secure enough anymore.

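The point raised in comments 6 and 9 (StartSSL's CA certificates are missing from many systems, so the chain, not just the leaf certificate, must be present) can be checked on the signed EXE itself. The script below is an added example, not code from the post or its commenters; it assumes `$Path` points to a signed executable and uses only the built-in `Get-AuthenticodeSignature` cmdlet and the .NET `X509Chain` class.

```powershell
# Added example: inspect an EXE's Authenticode signature and report whether
# the signer's certificate chains to a root this machine trusts. A missing
# intermediate shows up as PartialChain, a CA root that Windows does not ship
# as UntrustedRoot; both are what an end user without the StartSSL roots sees.
function Test-SignerChain {
    param([Parameter(Mandatory = $true)][string]$Path)   # signed EXE (assumed)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path       = $Path
        Status     = $sig.Status      # Valid, NotSigned, UnknownError (untrusted root), ...
        Signer     = $null
        ChainBuilt = $false
        Chain      = @()
        Problems   = @()
    }
    if ($null -eq $sig.SignerCertificate) {
        $result.Problems += 'file carries no Authenticode signature'
        return [pscustomobject]$result
    }
    $result.Signer = $sig.SignerCertificate.Subject

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped so the output isolates the trust/chain question.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Require the code-signing EKU (1.3.6.1.5.5.7.3.3) along the path; a
    # web-server (TLS) certificate such as one from Let's Encrypt fails here.
    $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))

    $result.ChainBuilt = $chain.Build($sig.SignerCertificate)
    # Leaf first, root (or the last certificate that could be found) last.
    $result.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $result.Problems += @($chain.ChainStatus |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    # Caveat: X509Chain may download a missing intermediate from the issuer's
    # AIA URL, so a clean result on an online machine does not prove that an
    # offline client would build the chain; embed the intermediate when signing.
    [pscustomobject]$result
}

Test-SignerChain -Path 'C:\path\to\signed.exe' | Format-List
```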