On 2010-01-27 06:18 PST, Eddy Nigg wrote:

It is?

I've seen MANY rants in past years from people who got infected by signed
malware.  They were under the mistaken impression that signed software is
software that has been certified by the CA to be virus-free.  Of course,
as we know, that's not what a code signing cert means at all.  It merely
provides trustworthy identification of the source of the software, and
does not attest to the quality of the software.

I've also seen a lot of confusion in the past over who is the source if
signed software.  A lot of people assume that the certificate issuer,
rather than the certificate subject, is the source of the signed software.

Now, we come to the immediate cases to which Eddy provided links:

I cannot determine, from the information presented on those pages, if CNNIC
was itself the source (the signer) of the signed software, or was merely the
issuer of certificates that were used by other subjects to sign malware.
The middle of those 3 links says that CNNIC had links to another site,
tech.sina.com.cn, which on its face seems to be another organization.
This doesn't seem inconsistent with CNNIC's role as a CA.

I think we need to be very careful to avoid getting caught in the trap of
thinking of certificates as attestations of morality or competence, and
thinking of CAs as judges of morality or competence.  If we allow the role
of CAs to become defined as being those judges, they will CERTAINLY FAIL.
So, let's define their role as doing something at which they can succeed,
namely attesting to binding of keys to vetted identities.