Comment by organsnyder
11 years ago
> especially since a basic SSL certificate is free
From where? StartSSL only gives out free certs to individuals. For my company, they've actually required me to get organizational validation in the past, which wasn't cheap ($200, IIRC—$100 for the organizational validation, plus $100 for stage 2 personal validation, which also required me to upload images of my driver's license and passport).
That's interesting, it doesn't mention that on their website. I have only received a certificate from them as an individual, so I haven't encountered that limitation.
Even so, I'd argue that $200 is a fairly cheap way to protect the integrity of your company.
Domain validated certs for websites are free, got one a couple of weeks ago for a site.
If it was for an organization, you only got the cert because they didn't catch it. For some reason, my account got flagged as high-risk, and every cert I request needs manual review. During one of those reviews, they rejected my cert request and told me that since it was for an organization, I needed organizational validation. This was for a standard certificate—not extended validation. I think they must've either visited the company website or checked whois.
Their FAQ alludes to this, but doesn't really make it explicit:
> The certificate is for my company, what shall I do?
> In the Class 1 settings (free), the only possible relationship between StartCom and the subscriber is > with individuals, i.e. natural persons. StartCom has no relationship with the organization a subscriber > may represents and acknowledges only the subscriber. All responsibilities according to the StartCom > CA Policy are that of the subscriber personally, even in case he/she decides to obtain certification as > an employee or representative of an organization. > Organizations should perform Class 2 validation and an organization name may only appear in a digital > certificate at Class 2 level and higher.
http://www.startssl.com/?app=25#2