Hacker News new | comments | ask | show | jobs | submit login

Could this be used by the Kazakh government to sign malware/spying packages and install them on their citizens' machines? Sounds like a super easy way to open that backdoor.

Or is this a different type of cert? I'm thinking along the lines of what Dell and Lenovo were yelled at for (although those were easy to rip off, but the government could possibly serve as the malicious actor here).

Only if the cert also has code signing EKU. Then, in case of code signing trust bit not disabled in the cert manager, signed EXEs will appear with "verified publisher".

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact