What Do You Think About The Current Adobe AIR Certificate Situation?
I was watching Craig Cmehil’s Friday morning report and he said a lot of really good things about AIR. Craig is a big fan and it’s always great to have someone like him doing some community evangelism for us, so thanks Craig. But he has a frustration. He doesn’t like how we do AIR certificates.
I didn’t know much about certificates before looking at how they work in AIR. As you probably know, if you want to sign your AIR applications, you need to get a Thawte certificate to do so. But there’s a problem (sort of). Thawte doesn’t allow you to get an individual certificate. They only let you get one if you have a company. I’m not entirely sure why that is, but I assume that it has something to do with liability. The pain of getting a certificate caused Craig to question whether or not it was even valuable to get a certificate. He said that he used 3-4 AIR applications and that most of them weren’t signed.
Signing is a really important part of the AIR process because it creates a contract between the user and the developer. But because AIR makes it so easy to build desktop applications, I can understand the frustration of not being able to get an individual certificate. So for those of you out there building AIR applications as individuals, I want to see if that’s preventing you from signing your apps. If we had a way to get individual certificates, would you sign those apps?
Posted in Adobe AIR







August 22nd, 2008 at 11:50 am
We recently bought a certificate from Thawte for the SlideRocket offline player. What bugs me is that after installing it, the big red exclamation point in the installer changed to a big yellow question mark because I guess the app still has UNRESTRICTED access to the file system. We’ve gotten comments back from users who have refused to install the AIR app because of the unrestricted access warnings in the installer – even though that access is no different than any other desktop app.
I’m not sure what the best solution would be but a better designed installer might be helpful…
August 22nd, 2008 at 12:16 pm
Your thoughts were spot on. I don’t sign apps because I’m an individual. It’s the paperwork of setting up a company that’s the problem.
That being said, I’d also love to see something a bit lower cost than $300 for an individual cert.
August 22nd, 2008 at 12:23 pm
On the other hand, with the proliferation of so many unsigned AIR apps, people will probably just learn to ignore the warnings in the installer which would completely defeat their purpose.
It’s kind of like all of those message boxes Windows throws at you asking if you want to allow an app to access the internet. Users blindly click OK, because that’s what made things work the last 500 times.
August 22nd, 2008 at 1:16 pm
I agree with Craig and Shan. It’s not just the fact that only companies (from D.B.As to corporations) can get certificates but it’s also the cost. There are so many really good developers out there who have discovered that they (apart from the company they may work for) can create relatively small, very useful AIR applications for the general community to use. I would hate to think that we could lose out on some great innovation because some smart developer didn’t have the time and money to get a certificate.
I would love to see some system that allows individuals to acquire a certificate, without setting up a company and for a lower cost.
If enough of us speak up, it will happen.
August 22nd, 2008 at 1:51 pm
It’s always important that people trust the application they are installing.
As an individual developer I have no chance to get a certificate, so when I create an application I need to find a way to sign it so people trust it. On this point I have a problem: I work for companies but I cannot push them to get a certificate.
I think somehow Adobe has to find a way to solve this problem.
On one point Craig is right: I also install applications which do not have a certificate. But it is not the same for the end user. Users always want to feel that what they do is safe for their computer.
August 22nd, 2008 at 2:09 pm
Well, I’m ambivalent. I have random thoughts on the matter, with no obvious solution…
1) It seems most of the apps worth installing aren’t signed, so you just click through anyway. Maybe the end-users are already used to just ignoring the first screen of the install process. I’m pretty ambivalent because of the way my system is locked down and I’m mostly installing applications written by known devs of the Flex/AIR community.
2) It’s installing desktop software, so the user should just assume risk with a desktop install.
3) If there wasn’t an “install now” badge embedded to a web page, there’d be a lot less need for certificates, AND a lot less need for the AIR sandbox. I.e., if users are used to installing potentially dangerous desktop applications, then let them do it.
4) With all that said, though, it’s obvious that some form of signed applications, whether installed from the Web or traditional desktop, are starting to have signed payloads…like Apple iTunes for example.
5) Seems that mostly small dev shops/individuals (maybe other than eBay) are using AIR, and most end-users haven’t heard of them, so does having a cert by them even matter? Does signing something made by Todd Inc. even matter as far as end user perception?
6) It would be great if a way to avoid the certs could be found because I see a lot of open source software being written potentially in AIR….because of its cross-platform nature (hello Linux), and the possible sexy UIs.
7) Developing software that you’re selling, you’ll have a company setup anyway.
August 22nd, 2008 at 2:23 pm
Hey guys, thanks a lot for commenting.
Todd, I’m going to ping you offline about a couple of things you mentioned.
For those that want a cheaper certificate, (out of curiosity) what’s a good price point? I would assume that a big chunk of the cost of a certificate is actually doing some kind of background check. I’m not really sure how much that costs.
=Ryan
August 22nd, 2008 at 2:34 pm
Due to the nature of the Flash community, I expect there will be many free AIR apps out in the wild. It’s hard to justify spending a lot of money on a cert when I’m publishing my stuff for free and never expect a dime in return.
Having said that, it totally makes sense that there will be some individuals who are selling their app, but it seems like, according to the IRS, those people should probably have a company anyway. So I’m not sure how big of a deal it is. However, $300 is way too much for a small app that might only make $500 in the first place. Perhaps $100 would be more reasonable. But $300 is probably too little for a corporate app that will make significantly more than this…
At the end of the day, all my stuff is free and/or open source, so I don’t really care if people are afraid to install it, their loss.
August 22nd, 2008 at 3:12 pm
I think between $100-$150 it’s fine. Of course it will be perfect if it is totally free.
I agree with Nate. Developers who are helping people to get better at what they work on don’t expect anything. Usually all the code is open source and everyone, new or not, can use it for free. On this point, as a developer I like to share, but I also wouldn’t pay $300 just for testing or experimenting with a new application.
August 22nd, 2008 at 3:36 pm
The certs are just ridiculous in most cases. I guess I agree if the app is being sold, or making some profit. However, to spend $300, and still get the big yellow warning, is just crazy. I just don’t see a reason to have all that, when you can install 3rd party web browsers, applications, and so on, and you never see warnings like those. I wonder what the statistics are of people who don’t install due to the red/yellow warning on all apps compared to users who do install… My 2 pennies
August 22nd, 2008 at 4:08 pm
I’d echo what Mitch said. It’s a bit galling to pay $300 to just get the red ! to change to a yellow ?
It’s something we’ve had a lot of users complaining about. Of course I can try to explain that it’s actually less access than most apps they install, but all they see is the big yellow warning and UNRESTRICTED. It’s not even like JWS where you can request a lower level of access and avoid the warning.
In terms of personal certs, Thawte do free personal email certs. How about accepting those? Make the dialog say “Do you trust matt@clevr.example” or whatever.
August 22nd, 2008 at 5:00 pm
I’m not sure if this is feasible, but it would be cool if there was some system in place to support open source efforts… Like if Adobe could somehow deem a community project as “safe” and put it under a special certificate that didn’t cost the developers.
August 22nd, 2008 at 8:19 pm
This has never really worked that well for any other technologies in the same ball park as AIR. An SSL cert is valuable because it lets the user know that the data sent to the site they are using is encrypted. For this to work, the seller validates that SSL is properly installed on the server. The AIR certificate doesn’t seem to provide any “real” value, whether perceived or not. It’s a nice way for someone to get an extra chunk of change in licensing while confusing users on the clarity of the platform. (Or just adding another thing that they will completely ignore.)
August 22nd, 2008 at 8:35 pm
I also had the same experience of buying a Thawte certificate. I am really frustrated: although I have tried my best to fulfil their verification process, I still cannot get my certificate since I have no commercial telephone line for registering the public phone listing. I am considering whether I should give up the application for the certificate; it really takes time and is disturbing. Any ideas?
August 22nd, 2008 at 11:18 pm
Sounds like an interesting business model. What if one started up a company just for this? The company would have to buy only 1 certificate. It could be the central place for all ‘safe’ AIR applications. Of course the source code should be made available to this company, but if the source code is deemed ‘safe’ it will sign the application.
This company would probably grow big in the sense that a lot of AIR developers will turn to it, giving it a unique position in the market.
Interesting idea.
Greetz Erik
August 23rd, 2008 at 5:47 am
What is ironic is that I can write an application using a “.swf wrapper” such as Zinc or SWFKit with MUCH more low level OS access than an AIR application and unleash it on the public with no warnings at all. I think that Adobe may just be slowing down AIR proliferation by requiring a certificate or scaring off potential users with a glaring warning. On the other hand I don’t know if no certificate at all is a viable solution. Like Todd, I see no clear answers. But as Todd also pointed out, are people going to breathe a sigh of relief because they see my name on a product? Maybe five. Personally, I believe anyone willing to install anything they’ve downloaded from the web has, at that moment, assumed all responsibility. But that’s just me. To address the question though, even a hundred bucks is too rich for my blood to develop small apps free for community or general use. Three hundred, though, I think is fine for a business releasing commercial software.
August 23rd, 2008 at 10:19 am
This restriction is precisely why I haven’t gotten a certificate yet. Even when Adobe offered me a free one, I couldn’t get it because I don’t have a company so it was wasted. If there was an individual one I would totally take it.
I also agree that getting a certificate should definitely change the icon from a red ? to something less scary. Emphasizing that an application has unrestricted access is not only redundant but unnecessary. This puts AIR at a disadvantage against normal applications even though AIR apps have LESS access than a normal application.
August 23rd, 2008 at 10:58 am
A background check on an individual through the Dept. of Justice (or an authorized 3rd party) costs about $80, not counting your own manhours (say 1 hour at $20/hour for a skilled administrative worker) and overhead. If you add in one of the many US background search services, costing around $50, you’re looking at roughly $150. That’s straight cost, with no profit margin.
Adding in additional overhead and the profit margin, you’ll see how quickly it adds up.
Perhaps a non-profit certificate authority could make a compelling business case and garner sustainable funding to provide low cost certs for individual developers and micro-businesses.
As a former IT Director for an NPO, and a current freelancer, I’ve always thought that conventions like CAs, digital signatures, intellectual property rules, etc., would need to evolve more fluidly and more thoughtfully with regards to ensuring equity of access for folks struggling to bootstrap their way up in today’s marketplace.
Since entrepreneurialism, small businesses, and individual innovation are essential for our markets to thrive, it would seem that some form of more financially accessible, yet equally credible signing system would be a great thing, a catalyst to wider adoption, not a barrier.
IMHO. LOL
August 23rd, 2008 at 12:24 pm
Wow, a ton of good info. Thanks all. Let me go back to the team and see if there’s anything we can do to make this easier. No promises, but clearly there’s a lot of frustration about the process.
=Ryan
August 23rd, 2008 at 3:17 pm
Ryan, here’s a post with my correct email. Sometimes my Firefox autocomplete uses an incomplete email.
August 23rd, 2008 at 6:31 pm
I work for an educational institution, and would love to be able to publish apps that are signed. Unfortunately, we are unable to obtain one without lots of legal paperwork (which is something I am unable to get through with lots and lots of red tape). Because we are registered as a government entity, the process Thwart makes us go through is unbelievable (they like the paperwork that is issued to INCs and LLCs).
My department is unable to purchase one directly, because we are not a legal entity.
Most of my users don’t mind the “Unverified” message — they are getting it all the time with other apps. It is becoming as useful as UAC in Vista :S
August 24th, 2008 at 1:43 pm
I know this only addresses a small percentage of apps but I wonder if there is something that could be added to the install screen in the case that the source code is included. For those of us in the community who are making apps for other Flex devs/designers I think that would go a long way toward reassurance. At least in those cases the community could police itself.
August 25th, 2008 at 5:22 am
The whole application process at Thawte – sorry to say that – really sucks! We waited about 10 days before we finally got the certificate. The staff there always requested the same (corporate) evidence and weren’t able to interpret the documents correctly. Besides, I think that the AIR installer really goes too far with its warnings. If you install a “normal” desktop application via the usual setup install wizard you won’t get these warnings either! People aren’t used to the AIR installer yet as only a very very small percentage of apps are AIR apps. Most people who know AIR are probably from the Flash / Flex community! So my suggestion would be:
- Redesign the AIR installer. Make it more standards conform and less daunting
- Offer some alternatives to Thawte to purchase certificates
- Offer individual, cheaper certificates for folks who provide free AIR apps and make the application procedure easier
August 25th, 2008 at 6:44 am
@Erik – I wonder if Thawte would disapprove of such a business and revoke their certificate for pimping it out like that?
August 26th, 2008 at 9:23 am
A lot of interesting thoughts here and thank you Ryan for listening. I posted a follow-up including the conversation I had with Thawte about the whole thing.
http://craig.cmehil.com/2008/08/saga-of-adobe-air-developer-certificate.html
August 26th, 2008 at 9:56 am
“If we had a way to get individual certificates, would you sign those apps?”…
…definitely! Signing an application as a company when you are an individual is a pain in the ass and very pricey!