On Sat, Jun 14, 2014 at 11:10 AM, Alain Forget <aforget@xxxxxxx> wrote:
> As far as I know, any certificate authority (such as those listed here:
> https://en.wikipedia.org/wiki/Certificate_authority#Providers) can provide us
> with a certificate with which we can sign our drivers (and the Windows
> installation package).
>
> When I looked these up to obtain one for my research group last year,
> according to sslshopper.com, I found that DigiCert was the best rated, and
> their pricing is middle-of-the-road:
>
> 3 Year $178.33 USD / year
> 2 Year $198.50 USD / year
> 1 Year $223.00 USD / year
>
> We will also need the "full legal name" (and full mailing address & phone
> number) of our organisation. This name will be what shows up on the UAC and
> installation dialog boxes.
>
> Note that this certificate should be able to digitally sign any software for
> Windows, Java, Apple, browser extensions, and so on, which may or may not be
> useful to us later on.
>
> So this leaves some open questions:
>
> 1) How are we going to pay for this? (Yet another use for possible donations,
> if/when we open that up)
> 2) How long do we want the cert?
> 3) What will our "full legal name" be? I imagine this could be a member of
> our group who has full intentions of sticking around for the length of the
> cert, and is comfortable signing our drivers and executables (which I would
> guess legally means such person is vouching for the integrity and
> non-maliciousness of the code). However, if we want to make it our
> "organisation", (CipherShed Inc.? :-P) I fear we don't have a full mailing
> address and phone number, so...I don't know how we would handle that.
> Presumably someone could contact the certificate authority and ask how this
> is done for distributed open-source projects, such as this.
>
> Despite these challenges, if we want our software to be trusted and
> reputable, I think obtaining a certificate with which to sign our drivers and
> executables/binaries is a must.
>
> Alain

I agree that we'll definitely have to do this at some point. Those prices are (somewhat) reasonable, I suppose.

This is where I feel as though we should set up some sort of LLC or Non-Profit. I would be more than happy to cover the costs of a certificate, but I don't want any personal liability in the event that something goes wrong down the line. I "donate" to the organization, and the organization purchases the cert (not me). No one else should have to bear that responsibility of personal liability either.