GlobalSign needs to get its story straight...
According to the article, a GlobalSign statement said:
"Like all CAs [certificate authorities], GlobalSign vets a company within strict guidelines, but we cannot form an opinion on the software they sign with the issued certificate. While we cannot provide a guarantee around the quality of the software, the certificate does provide proof of which company is responsible for the software, and therefore provides traceability to any parties using that software. This traceability allows us to perform an appropriate investigation."
"The concept of code signing certificates from any CA, whoever they are, is designed to provide assurances of origin of the software, but cannot express that it is virus-free, bug-free or malware-free," it added.
Whilst this is, of course, entirely true -- valid signatures only "prove" that the item is signed by a "known entity" -- GlobalSign's web site suggests in several places, and at least once even outright claims something else, something more. For example:
"On the consumer side, ObjectSign gives those buying and downloading from the Web the confidence to acquire new software without the fear of potentially installing malware. The new security precautions also allow consumers to see where software originates and that the vendors are legitimate – on an ongoing basis this means that updates and new drivers can be seamlessly downloaded without undue delay, giving users free reign to maximise usage of their operating system and applications."
Old story -- marketing should actually talk to the tech folk so they know WTF gives.
Also, according to The Reg GlobalSign says that the LLC AJSBIRI cert has been revoked (several days ago now), yet my Windows Vista machine says that a .DLL signed with the cert Sunbelt reported to GlobalSign (same serial number per the screen shots in the Sunbelt blog entry) is still valid ("This certificate is OK." on the Certification Path tab). GlobalSign runs a CRL and OCSP so this Vista machine should be telling me that the cert is invalid/revoked (I don't know if Vista does CRL for GlobalSign certs -- anyone??).
So, can anyone actually confirm that GlobalSign has revoked this cert, or does it just claim to have revoked it?