Software Publisher Certificates and code safety

A program that has been signed by its developer is not necessarily safe. What a proper signature provides, for applications, is accountability: it ties the code to a responsible party. Several years ago, a private software developer created an ActiveX control called Internet Exploder and had it signed by VeriSign. The control was malicious and erased hard drives, yet the incident did not violate VeriSign's authentication claim, because the control did in fact belong to its creator and the certificate was completely accurate. Authenticating identity is not the same thing as verifying whether code is malicious.
The certificate may also indicate the applications it supports. The certificate issuer, called a certification authority (CA), can specify the supported applications or the expected cryptographic operations. For example, the certificate could specify virtual private network (VPN) key management. Alternatively, the issuer might specify that the public key should be used for validating digital signatures.
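As an added example (not from the original text), the following Go program, using only the standard library, keeps the two checks the text distinguishes separate: whether a signature matches the publisher's certificate, and whether the issuer marked that certificate for code signing rather than, say, VPN (IPsec) use. The publisher name "Example Publisher", the self-signed certificate and the constructed program bytes are assumptions for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newPublisherCert builds a self-signed certificate for a hypothetical "Example Publisher" whose Extended Key Usage lists the applications the issuer permits.
func newPublisherCert(eku []x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Publisher"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // the key is for validating signatures
		ExtKeyUsage:  eku,                            // the applications the issuer allows
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// signCode produces the publisher's signature over the program bytes.
func signCode(key ed25519.PrivateKey, code []byte) []byte { return ed25519.Sign(key, code) }
// verifyPublisher answers two separate questions: does the signature match the certificate's key
// (who signed the code), and was the certificate issued for code signing (permitted use)?
// A true/true result still says nothing about whether the code itself is harmful.
func verifyPublisher(cert *x509.Certificate, code, sig []byte) (identityOK, usageOK bool) {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	identityOK = ok && ed25519.Verify(pub, code, sig)
	for _, u := range cert.ExtKeyUsage {
		usageOK = usageOK || u == x509.ExtKeyUsageCodeSigning
	}
	return identityOK, usageOK
}
func main() {
	// Constructed case: a VPN (IPsec) certificate; the signature verifies, but the use is wrong.
	cert, key, _ := newPublisherCert([]x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel})
	code := []byte("constructed program bytes")
	fmt.Println(verifyPublisher(cert, code, signCode(key, code))) // prints: true false
}
```

Even when both checks pass, the result only establishes who signed the code and what the certificate was issued for, which is exactly the gap the Internet Exploder incident illustrates.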