re: I See (By Peter)
"Don't trust Global Sign, they can't vet for sh*t,"
Now, now -- "GlobalSign vets a company within strict guidelines" according to their own statement. If you dig around their website a bit you find a document describing this strenuous process, but loosely, for a code-signing cert (which is at issue here) it involves filling in a form and sending them copies of your national ID card (or similar for non-EU folk -- driver's license maybe?, passport), business registration papers and such.
Ohh, and of course, paying the fee...
"Simple enough, trust Verisign, the money saved just came back to cost you."
That would be the same VeriSign that issued TWO -- not one, but two -- bogus Microsoft certs DESPITE having extra special additional procedures in place as part of its issuing process for any certs in Microsoft's name?
Yeah, those VeriSign folk REALLY know how to vet!
One has to wonder how come, after that, MS kept their certificate business with VeriSign and did not revoke VeriSign's status as a default root CA the following Patch Tuesday... They certainly deserved worse for that lapse...
And although I don't have the data readily at hand, I seem to recall there have been previous instances of signed malware using valid VeriSign certs, so I don't think I'll be taking your advice...