[OpenAFS] What you need to know about Windows 10

Antoine Verheijen antoine@verheijen.ca
Thu, 30 Jul 2015 00:30:35 -0600


On Jul 29, 2015, at 9:10 AM, Jeffrey Altman <jaltman@your-file-system.com> wrote:

> On 7/29/2015 3:12 AM, Antoine Verheijen wrote:
>> Putting my security hat on: certified drivers does not provide ANY
>> additional degree of security whatsoever. It merely states that the
>> certifier has blessed it using whatever criteria they use (in many
>> cases, simply financial payment).
>>
>> What guarantee(s) is the certifier prepared to live up to via their
>> certification? If none, why is it required?
>
> Certification provides quality control.  Microsoft's signing of the
> kernel drivers does not involve any payment.  Microsoft is willing to
> sign any drivers that have passed the required quality control checks
> which include test suites, static analysis, and feature/capability
> lists.

I'll accept this point at face value, in particular as I have no direct
experience with Microsoft in this regard. Furthermore, I realize in
hindsight that this is not the venue to discuss an issue of this sort as it
does not relate in any meaningful way to AFS, the real subject of this
mailing list, and I should never have made my initial comments in this
discussion list. I apologize for having done so.

> The only additional security benefit of Microsoft signing the drivers as
> opposed to permitting vendors to use issued cross signing certificates
> is that a vendor can no longer be hacked and have their signing key be
> used without their knowledge to sign unapproved binaries without a paper
> trail.

This is a totally valid point, one which I had not considered, and which
most certainly does provide increased security (albeit perhaps not of the
sort I had in mind), clearly contradicting my initial assertion. :-)

> Jeffrey Altman

Once again, apologies for the inappropriate content. I'll try to be more
considerate. :-)

Bye for now.

------------------------------------------------------------------------
Antoine Verheijen                            Email: antoine@verheijen.ca
.                                            Phone: (780) 462-9696