"Getting a certificate from one of the supported vendors costs hundreds of dollars per
year. Many developers simply generate their own and use them for code signing. Of
course, Java Web Start has no way of checking the accuracy of these certificates. When
you receive such an application, then you know:
1. The code is exactly as it was when it was signed; no other party has tampered with it.
2. Someone has signed the code, but Java Web Start cannot verify who it was.
This is quite worthless; anyone could have tampered with the code and then signed it,
claiming to be the author. Nevertheless, Java Web Start will be perfectly happy to present
the certificate for your approval (see Figure 10–7). It is theoretically possible to verify the
certificate through another way, but few users have the technical savvy to do that."
Core Java Volume I (8th Ed) P.507
Any idea what the author is talking about when he mentions "another way" of verifying certificates, other than, say, getting one from a provider such as Thawte?
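One out-of-band check that works for a self-signed code-signing certificate is to compare its SHA-256 fingerprint with a value obtained from the publisher over a separate trusted channel. The program below is an added example, not code from the book or from this post, and the book does not say which method it has in mind; the class name `PinnedSignerCheck` and both command-line arguments are assumptions of the example.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example. Usage: java PinnedSignerCheck <signed.jar> <expected SHA-256 hex>
// The expected fingerprint must come from a separate trusted channel, not the download.
public class PinnedSignerCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) throw new IllegalArgumentException("usage: <jar> <sha256-hex>");
        String expected = args[1].replace(":", "").toLowerCase();
        boolean sawSigned = false;
        try (JarFile jar = new JarFile(new File(args[0]), true)) { // true = verify signatures
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Signer data is available only after the entry is fully read;
                // an entry whose digest no longer matches throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned: " + entry.getName());
                boolean pinned = false;
                for (CodeSigner s : signers) {
                    // First certificate in the path is the signer's own certificate.
                    X509Certificate c = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    pinned |= fingerprint(c).equals(expected);
                }
                if (!pinned) throw new SecurityException("unexpected signer: " + entry.getName());
                sawSigned = true;
            }
        }
        if (!sawSigned) throw new SecurityException("no signed entries found");
        System.out.println("Every entry is signed by the pinned certificate");
    }
    // The manifest and signature block files are not themselves signed entries.
    static boolean isSignatureFile(String n) {
        return n.toUpperCase().matches("META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|RSA|DSA|EC))");
    }
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        return String.format("%064x", new java.math.BigInteger(1, d));
    }
}
```

The signature check alone gives only point 1 of the quoted passage (the code is unchanged since signing); the fingerprint comparison is what ties the signer to a known publisher.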