Ah yes, here's that "what does it mean to sign the thing" issue all
over again. Macromedia has signed their buggy Shockwave control. So
now, if you want to be able to trust *other* ActiveX controls signed
by Macromedia (including the bug-fixed Shockwave, when they produce
it!), you have to risk accepting the old, known-buggy Shockwave, with
its old, known-valid signature, from someone else who is deliberately
serving it (in conjunction with a malicious movie) as a Trojan Horse.
The only way I can see out of this in a code-signing framework would
be for Macromedia to get a new certificate *and* somehow securely
revoke the old one... does Authenticode provide for that?