I received a number of interesting replies, most off-list, so I thought I would summarize and perhaps restart the discussion.

Many folks pushed the "run your own CA" idea. While I get that works, and even secures the communication, if you run a web site accessed by random folks it will confuse some percentage of them.

StartCom (www.startssl.com) seems to be the only 100% free option, with a few limitations. You must own your own domain (for instance they validate your e-mail based on the ones listed in whois), and the certs have the Organization set to "Persona not validated". This doesn't prevent the certs from working fine and "locking the padlock", but if someone looks at it, it may raise an eyebrow. Still, it's free, you can generate a personal cert for e-mail and certs for web, smtps, jabber, etc. Multiple certs are no problem. For 100% free, it's the only option anyone has mentioned.

From there, you can move up to "cheap" with a couple of options. With StartCom a $60 upcharge will verify a _person_. From that you can generate unlimited certs for the domains you own, a pricing model I think is really nice. They are good for 2 years, although the verification is only good for 1 year. So it's $60 every 2 years if you're not doing any new cert issues in that time, or $60 every year if you are; but the lack of a per-cert charge makes this a pretty good deal if you run a bunch of domains.

In the per-cert realm, both CheapSSL.COM ($8.95/cert/year) and RapidSSL ($49/cert/3year) offer relatively cheap per-cert pricing for one and three year certs, respectively. Depending on needs these may be cheaper or more expensive than StartCom.

I am personally trying out the StartCom free certs for S/MIME, HTTPS, SMTPS, and IMAPS right now, and they are working quite nicely thus far. If the testing goes well with all clients I may upgrade to their verified product.

One last interesting idea that's not quite ready for prime time. There's an IETF working group called DANE which has code in Chrome: https://datatracker.ietf.org/wg/dane/

The idea is pretty simple: DNSSEC-sign your zones, and then publish your own key material in DNS. By doing this there is no need for a CA at all, which eliminates not only cost but the trust and security issues with the CAs. Of course it moves the trust and security to DNS, but at least two folks argued that DNS (management) has proved more secure than CAs, and at least there were fewer players to audit and trust.

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
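The "publish your own key material in DNS" step the post describes is the TLSA record from RFC 6698. The example below is added here to show how that record is derived and checked; it is not code from the post, from the DANE working group, or from Chrome. It builds a structurally valid toy X.509 certificate with hand-written DER helpers (the key bytes and signature are constructed placeholders, not a real key), extracts the SubjectPublicKeyInfo, and produces a DANE-EE record ("3 1 1 <sha256>") plus the owner name a resolver would query. The matcher handles certificate usage 3 only; usages 0 to 2 require chain processing that is out of scope here, and nothing below performs DNSSEC validation, which is what makes the record trustworthy in the first place.

```python
import hashlib

# --- minimal DER helpers (written here so the example runs offline) ---
def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

# --- constructed toy certificate (placeholder key and signature, NOT a real cert) ---
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"        # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b" # 1.2.840.113549.1.1.11
CN_OID = b"\x55\x04\x03"                                  # 2.5.4.3 commonName

def build_toy_spki(key_bytes):
    alg = der_seq(der_tlv(0x06, RSA_OID), der_tlv(0x05, b""))
    return der_seq(alg, der_tlv(0x03, b"\x00" + key_bytes))  # BIT STRING, 0 unused bits

def build_toy_certificate(spki_der, serial=1):
    """RFC 5280 field order: [0] version, serialNumber, signature, issuer, validity, subject, SPKI."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial_der = der_tlv(0x02, bytes([serial]))
    sig_alg = der_seq(der_tlv(0x06, SHA256_RSA_OID))
    name = der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, CN_OID), der_tlv(0x0c, b"www.example.test"))))
    validity = der_seq(der_tlv(0x17, b"240101000000Z"), der_tlv(0x17, b"250101000000Z"))
    tbs = der_seq(version, serial_der, sig_alg, name, validity, name, spki_der)
    fake_signature = der_tlv(0x03, b"\x00" + b"\xab" * 16)  # placeholder, never verified here
    return der_seq(tbs, sig_alg, fake_signature)

def spki_from_cert(cert_der):
    """Walk Certificate -> tbsCertificate and return the SubjectPublicKeyInfo DER."""
    _, cert_body, _ = der_read_tlv(cert_der, 0)
    _, tbs, _ = der_read_tlv(cert_body, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = der_read_tlv(tbs, pos)
        fields.append((tag, val))
    idx = 6 if fields[0][0] == 0xA0 else 5   # version is optional
    tag, val = fields[idx]
    return der_tlv(tag, val)

# --- RFC 6698 TLSA record generation and matching ---
def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name queried by a DANE-aware client, e.g. _443._tcp.www.example.test."""
    return f"_{port}._{proto}.{host}."

def tlsa_record(cert_der, usage=3, selector=1, matching=1):
    """usage 3 = DANE-EE; selector 0 = full cert, 1 = SPKI; matching 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = spki_from_cert(cert_der) if selector == 1 else cert_der
    digest = {0: lambda d: d,
              1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[matching](data)
    return f"{usage} {selector} {matching} {digest.hex()}"

def tlsa_matches(presented_cert_der, record):
    """True if the presented end-entity cert satisfies a DANE-EE (usage 3) record."""
    usage, selector, matching, hexdata = record.split()
    if int(usage) != 3:
        return False  # PKIX-TA/PKIX-EE/DANE-TA need chain processing, not handled here
    expected = tlsa_record(presented_cert_der, 3, int(selector), int(matching))
    return expected.split()[3] == hexdata.lower()

if __name__ == "__main__":
    cert = build_toy_certificate(build_toy_spki(b"\x01" * 32))
    print(tlsa_owner("www.example.test"), "IN TLSA", tlsa_record(cert))
```

Publishing the SPKI hash (selector 1) rather than the whole certificate (selector 0) is the usual choice because a renewed certificate carrying the same key still matches the record already in DNS, so only a key rollover requires a coordinated DNS change.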