Where can you get a (cheap or free) digital certificate (for Code Signing jar files)?
4 points by juwo on June 6, 2007 | 12 comments


This is one place where cheapest may not be best.

We went through a similar thing a few years back with SSL certificates.

GoDaddy offered super-cheap (relatively speaking) certs, but none of the major browsers had GoDaddy in their default list of certification entities at that time.

So the upshot of using a GoDaddy cert was that every visitor would get a "not trusted" warning, even though the cert was legitimate.

That's not something you want your users to see when they're in the middle of signing up or downloading something from your site.

I don't know whether or not this concept applies to Java & jar too, but you might want to confirm it before making a decision.


On an unrelated note, these days GoDaddy SSL certificates are trusted by all the major browsers.


But, they aren't in any mobile phones that I have seen. I am going to end up buying a Verisign cert just for that reason.


This sounds like a startup opportunity - issue cheap but trusted certificates.


It worked for Mark Shuttleworth during (before) the first boom. It could work for you, too!

There's a lot of competition out there these days, and the cost/time of getting accepted by all of the browsers puts your time to revenues sometime two or three years into the future. In other words, it's a hard business to get into, and you'll probably need a source of revenue while you wait. That's why folks who sell domains are getting into the business... they have some revenues from the domain business for those two or three years, and then they have a large customer base to sell the certs to.


Yes


It's worse in the mobile space.

If you're trying to sign a jar to go on handsets, you pretty much either have to go with a Thawte certificate ($200), or a VeriSign certificate ($400) in order to guarantee compatibility with most handsets that are out there.


CAcert certificates are free, but the root certificates are not frequently preinstalled on browsers and mobile phones. I was told that Microsoft asks around $10k/year to add a root certificate in its browser. Add to this the cost to validate the certification process.

If you can get users' cooperation so that they can install the root certificate, you may go with CAcert certificates.

The more web sites use CAcert, the more chances you will have that the CAcert root certificate is preinstalled.

Regarding startup opportunity, as long as there is a problem and/or the opportunity to do something useful, the opportunity exists.

You might also be interested to follow the progress of my project http://dis.weebly.com because one of my objectives is to do something in this field. But I am afraid it won't help juwo for his current problem.


Thawte wants to charge me $249 just to renew - I paid $50 for the certificate last year.

I heard you can get them free from CA Authority, but when I looked it up, they have some procedure where you have to know someone who is a CA and attend their events (which are mostly in Europe or California).


I think the cheapest ones are from comodo.com, $179.


That is ridiculous. All they are doing is calling you up to verify you are from where you say you are, and doing a quick lookup. At the time of purchase.

After that, it is just the certificate file.


Well, when IE 6 and Vista first came about a couple of years ago, I could not find code-signing certificates listed anywhere except comodo.com and verisign.com. They are being offered in more places now, but also for a lot more money. It's $500 for 3 years from comodo.com--that's only a savings of about twenty dollars a year. I believe multi-year savings used to be much more substantial before. Yet more reasons to create web applications.



