Re: "from a trusted certification authority"
What's the CA got to vet?
Every piece of software signed with that key? That's totally unrealistic.
Every company that requests such a key? They already do - they know exactly who bought that key.
Every rogue former employee who had access to the key using it to sign malware? How can you police that as a CA?
Or should they remove the entire company's certificate which signs thousands of pieces of software because of one signed piece of rogue software? I'm inclined to say yes, but you can see where that could be a problem (e.g. revoking all of Adobe's keys or Microsoft's or even a small indie game company's).
It's not the CA's problem. All they're doing is providing a signed certificate, they can't sign off on literally everything that certificate itself ever signs, in perpetuity. All they're doing is saying "Yep, that was definitely signed by company X".
If Company X has lax security around their keys, that's their problem. If Company X accidentally signs something they shouldn't, that's their problem. If Company X was designed to appear legitimate but then goes on to sign things they shouldn't, that's their problem, and it risks the CA revoking their entire certificate; but far more likely, those individual signed packages will be blacklisted way before that happens.
Fact is, trusting a piece of software because the user once trusted an earlier piece of software from the same company is a DUMB IDEA. Trusting a piece of software just because it has been code-signed is a DUMB IDEA. Trusting everything that a key signs without question is a DUMB IDEA, even a Microsoft key.
Code-signing isn't about certifying every byte as a safe instruction. It's about accountability. We trusted X. X made this happen. We no longer trust X.
But you and I will have very different ideas on what X or Y we want to trust, or indeed have to trust to operate our business, and what happens to everything that X ever signed if X signs a small package on the other side of the world that it shouldn't have. I'd really rather my networks didn't collapse instantly because everything stops working because someone signed a script that someone else mistook for malware.
I've had that because of a code-signing certificate inside a Java JAR inside a piece of UPS software installed on a server. That certificate expiring was literally enough to bring down thousands of customer networks instantly with no obvious cause whatsoever (the UPS software occupied 100% CPU and prevented any analysis or investigation, even in safe mode).
CAs and code-signing aren't for software-whitelisting on a global scale.
They're a tiny part of such a system, in which it is an incredibly bad idea to revoke entire companies' certificates (and hence why Microsoft has to "work with" CAs to see what they can do).
The CA is merely certifying "Yep, Company X signed that software". Whether that software is bad, whether specific users, companies, browsers, operating systems or anything else should actually trust that software, or whether that software has been compromised is none of their business.
The only thing that really should be taken into consideration for them is "Is this certificate so false / misused / compromised that we should revoke anything ever made by it?" which is a huge decision and not to be taken lightly.
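The separation the post keeps returning to (the CA answers "did Company X's key sign this?", the relying party answers "do we still want to run it?") can be shown in working code. The following Go program is an added example written for this page; it is not code from the poster or from any CA or vendor. It builds a throwaway CA and a hypothetical "Company X" code-signing certificate entirely in memory, signs a constructed package digest, and then evaluates it three ways: a valid chain and signature is accepted, a package whose hash is on a per-package denylist is rejected without touching Company X's certificate, and an expired certificate fails chain validation the way the UPS software's certificate did. The CA name, the publisher name, the denylist and the package bytes are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the relying party's decision about one signed package.
type Verdict string

const (
	VerdictTrusted    Verdict = "accepted: chains to a trusted CA, signature valid, not denylisted"
	VerdictBadChain   Verdict = "rejected: no valid chain to a trusted CA (untrusted, expired or not yet valid)"
	VerdictBadSig     Verdict = "rejected: signature does not match the package"
	VerdictDenylisted Verdict = "rejected: this specific package is denylisted"
)

// PKI holds a constructed, test-only CA and the code-signing cert it issued to "Company X".
type PKI struct {
	Roots   *x509.CertPool
	Leaf    *x509.Certificate
	LeafKey *ecdsa.PrivateKey
}

// issue signs tmpl with signerKey under parent and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewTestPKI builds the CA and issues the leaf. The CA asserts exactly one thing:
// this public key belongs to Company X. It says nothing about what X will sign.
func NewTestPKI(notBefore, notAfter time.Time) (*PKI, error) {
	caKey, errCA := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, errLeaf := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if errCA != nil || errLeaf != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", errCA, errLeaf)
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Company X"},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	leaf, err := issue(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &PKI{Roots: roots, Leaf: leaf, LeafKey: leafKey}, nil
}

// PackageHash is the identifier a per-package denylist keys on.
func PackageHash(pkg []byte) [32]byte { return sha256.Sum256(pkg) }

// SignPackage signs the package digest with the publisher's key (no timestamp countersignature).
func SignPackage(key *ecdsa.PrivateKey, pkg []byte) ([]byte, error) {
	d := PackageHash(pkg)
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// Evaluate keeps two questions apart: "did Company X's key sign this?" (chain and
// signature) and "do we still want to run it?" (relying-party policy, here a hash
// denylist). A rogue package is rejected without revoking Company X's certificate.
func Evaluate(pki *PKI, pkg, sig []byte, now time.Time, denylist map[[32]byte]bool) Verdict {
	opts := x509.VerifyOptions{Roots: pki.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := pki.Leaf.Verify(opts); err != nil {
		return VerdictBadChain // an expired certificate lands here, as with the UPS software
	}
	d := PackageHash(pkg)
	pub, ok := pki.Leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return VerdictBadSig
	}
	if denylist[d] {
		return VerdictDenylisted
	}
	return VerdictTrusted
}

func main() {
	pki, err := NewTestPKI(time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed sample package bytes") // stands in for a real installer
	sig, _ := SignPackage(pki.LeafKey, pkg)
	fmt.Println(Evaluate(pki, pkg, sig, time.Now(), nil))
	fmt.Println(Evaluate(pki, pkg, sig, time.Now(), map[[32]byte]bool{PackageHash(pkg): true}))
	fmt.Println(Evaluate(pki, pkg, sig, time.Now().Add(48*time.Hour), nil))
}
```

Two design points. First, the denylist is keyed on the package hash, not on the certificate, which is the "blacklist the individual signed packages" path the post prefers over revoking a publisher's whole certificate: every other package Company X signed still evaluates as trusted. Second, this example signs with no trusted timestamp, so a signature stops verifying the moment the certificate expires; production code-signing formats such as Authenticode can carry a timestamp countersignature so that signatures made inside the validity window keep verifying afterwards, which is exactly the safeguard that was missing in the expired-JAR incident described above.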