* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

We're closed, folks!


» Business of Software FAQ
» The Business of Software Conference (held every fall, usually in Boston)
» Forum guidelines (Please read before posting!)


Andy Brice
Successful Software

Doug Nebeker ("Doug")

Jonathan Matthews
Creator of DeepTrawl, CloudTrawl, and LeapDoc

Nicholas Hebb
BreezeTree Software

Bob Walsh
host, Startup Success Podcast author of The Web Startup Success Guide and Micro-ISV: From Vision To Reality

Patrick McKenzie
Bingo Card Creator

What's up with Comodo using 3rd party for phone verification

Comodo now requires, as part of its code signing certificate, the company phone be listed with one of  the free listing vendors at

Last year Comodo called me to verify.Why the change? My guess is it saves them from having to do it.  Maybe they get a kickback of some sort?

Bill Anonomist Send private email
Tuesday, February 19, 2013
Thawte likewise requires you to have your business listed in certain Internet phone directories. Again this is new.
NewToASPX Send private email
Tuesday, February 19, 2013
Yeah, sounds absurd. Switch certificate providers - let the market decide. Unless it's some dumb law and everybody is doing it now.
Scott Send private email
Tuesday, February 19, 2013

Any recommendations?
Bill Anonomist Send private email
Tuesday, February 19, 2013
Not particularly. I actually think the whole certificate thing is a scam.

Why? Well there's lots of software from both large and well known companies with expired and otherwise invalid certificates. Which means you have to install it or otherwise give permission with the bad certificate anyway.

In addition, there have been multiple instances of faked certificates, and it is well known that intelligence agencies are able to fake certs on demand, so likewise are scammers.

Relying on certificates to prove anything is a poor security practice as certificates are notoriously unreliable.
Scott Send private email
Tuesday, February 19, 2013
Always seemed like a scam to me. Similar points to yours have been made on BOS in the past. Most of the posters seemed to feel not having a certificate  will hurt sales, especially when selling to medium-large companies. I have never been totally convinced of that -I made sales to big companies before I had a certificate, but I have no way of knowing if or how many sales I lost by not having one.  Another point made here in the past is the cost is low so it's a no-brainer to just do it and move on. Also  an app might get flagged by anti-virus software.
Bill Anonomist Send private email
Tuesday, February 19, 2013
I just went through this myself. I used supermedia.com to list my phone number, with the intention of deleting it off once I was verified. However, they treat the phone number on the listing as a required field, so I had to use a 000-0000 number to wipe it once I was done.

The main reason I bought the cert was to prevent Chrome and other browsers from stating my install .exe download "appears malicious". It also looks a little more trustworthy when asking for windows administrative rights when installing, so I guess it was worth the hassle.
Jarrett Lee Send private email
Wednesday, February 20, 2013
You can get a bona fide Comodo cert off http://ksoftware.net/ significantly cheaper than you can from Comodo. I don't know if they require phone verification (they didn't when I got my last cert a couple of years back). I buy my cert for 5 years at a time to minimize renewal hassles.
Andy Brice Send private email
Wednesday, February 20, 2013
Also note that Gatekeeper on Mac OS X only recognizes Apple issued certs. So you have to sign up and pay for that separately. (insert own expletive here). Not sure if it is possible to use your Apple cert on Windows.
Andy Brice Send private email
Wednesday, February 20, 2013
Paying for a certificate is emotional blackmail.  "Pay us, or nobody will trust your stuff."  Certificates should be free.
Harry Phace Send private email
Wednesday, February 20, 2013
@Bill, I highly recommend www.startssl.com (no affiliation, just a happy customer).

They verify you and your company but everything is done without hassles. I have been buying all my certs (ssl and code signing) from them for the last few years and never had problems (and my case is somewhat complicated: I live in one country, the company is registered in another and neither are first-world countries).
B2B Send private email
Wednesday, February 20, 2013
Although I'm selling B2B software I avoided and delayed getting certificate so far. However I got an email from customer who asked about digitally signed installer since his IT department refuses to install unsigned software on servers. So, that was an incentive to finally push this through.

I just got certificate from Comodo this morning. It was purchased through KSoftware. Comodo did ask me to register to one of local phone directories. There could be a good reason for that - local directory has access to other local registers, e.g. official government business registry, or telephone company directory, and they can easily check if address or phone number are ok. This info is usually publicly available, but often only in local language and character set, which makes it hard for Comodo to do it on their own. I also sent them scans of some documents but since they weren't in English (I'm in eastern europe), it's questionable if they used them at all. At the end they called me to number published in directory, asked few details and issued a certificate.

Now I'm anxious to see if this will boost sales at all. Although it might be hard to know for sure since my sales fluctuate quite a bit.
Suka Send private email
Wednesday, February 20, 2013
I had this last month with Comodo (actually bought through K Software  - much cheaper but the rest of the process is handled by comodo).

They tried to tell me I must be registered with a local business directory in the u.k., I told them I didn't have to do that last year & I was sick of them changing the rules and making my jump through new hoops every-single-freaking-time. They then dropped the requirement for the listing and did the verification call with me right away.

Make of that what you will; either it's a real security requirement and their security is poor or it isn't a requirement and their processes are poor (they should have spotted they already had the data they needed).

Honestly from what I've seen of their processes and support in the past I'd suspect it's that.
Jonathan Matthews Send private email
Wednesday, February 20, 2013
I am currently sufferring through this process, and just this morning, I sent the following email to feedback@comodo.com - it should tell you everything about my experience....


I am extremely dissatisfied with my experience with renewal by codesign certificate at Comodo (via Tucows). This is for Comodo Order ID ******

My certificate was expiring on 20th Feb 2013 and I got a renewal reminder just 5 days before. You should send reminder at least one month in advance and at least 2 times - the second two weeks before expiration.

The process of "validation" has dragged on for 1 week now - I sent all documents requested promptly but I dont understand why its still taking so much time.

3. The last step where this process is rotting is "validation call" -  I think you guys call from some VOIP, so we do not receive a proper caller ID (something like +44 40), so I did not answer it.

4. I have been waiting for a repeat validation call for 2 days now!

5. You customer service guys have poor written English skills!

The most ridiculous thing is that you guys have already validated our company 3 years ago. Since this order was for renewal, I dont understand why you need to validate again and why it takes so long.


Overall, I am *extremely* dissatisfied, and I may very well use a different codesigning company next time.

Further, if my order does not get validated in next 24 hours, and I am not able to access my certificate, I may cancel this order this time too.
ssware Send private email
Friday, February 22, 2013
Is there a way to get a certificate without paying?  I'm sure I read a post somewhere (not here) that said you could.

Also, is signing just for setup.exe's, or if I distribute my apps as zip files, would they be exempt?
Harry Phace Send private email
Friday, February 22, 2013
@ssware - it's point 6 on your list that always gets me - even after something like 5 renewals every time they change it slightly and make me jump through hoops again.

If someone asks for an example of bad customer service it's a close call between Comodo & BT.
Jonathan Matthews Send private email
Friday, February 22, 2013

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
Powered by FogBugz