Matt Brown writes about StartCom, the Israeli issuer providing basic SSL certificates for nothing.
In fact I’ve been using StartSSL certificates for about three years now, but I get them issued to Level 2 verification, which incurs a fee. (It’s more expensive now than when I was first validated, but still good value.)
StartCom are the only issuer I’ve ever dealt with who work like this. They validate the individual, using:
- two forms of government ID
- third-party background checks
- telephone verification at a number of their choosing, based on the checks
This makes me trust them far more than other issuers, who don’t bother with any meaningful validation at all. Their approach is to establish identity, then allow you to:
- validate domains and issue as many certificates as you wish, valid for two years, including SAN and wildcard certificates
- validate email addresses and issue X.509 certificates in your name
- issue code signing and XMPP certificates
- undertake stringent Organisation Validation, and then issue certificates in a company's name as well as an individual's
- validate other individuals with a web-of-trust arrangement, like CAcert
- undergo Extended Validation and issue EV certificates
- if you have an unspecified amount of money, become a private CA yourself
Although this doesn’t make up for trust (the presence of an SSL certificate doesn’t guarantee the data you send is safe upon arrival), it does make me much happier to see a CA taking proper verification measures instead of just handing out certificates at random – and it’s much cheaper for me too, being verified once and then issuing as many certificates as I need. Highly recommended.
*that is, more trustworthy