This e-mail is intended as a heads up to the OpenAFS end user community. As per
https://technet.microsoft.com/library/security/2880823 Microsoft is deprecating the use of the SHA-1 hashing algorithm to sign binaries after 1 Jan 2016. After that point SHA-256 will need to be used. As documented https://support.microsoft.com/en-us/kb/2763674 it is not possible to run applications on Windows 7 SP1 / Server 2008 R2 SP1 and earlier that are signed using a SHA-256 certificate. Since last Fall Microsoft has been attempting with mixed success to update Windows 7 SP1 and Server 2008 R2 SP1 (but not earlier OSes) to support SHA-256 and Extended Validation certificates. The most recent attempt was issued this month as update 3033929. However, this update fails to permit booting of the system when third party boot loaders are used. For example when dual booting Linux. https://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/kb3033929-fails-to-install-and-cause-a-minor/4c56d5d5-a66c-4865-8ccb-d36f7c314c33 Microsoft has not publicly announced but it is known to those in the Windows kernel development community that major changes to driver signing are coming for Windows 10 RTM. In particular three requirements will go into effect when Windows 10 exits preview. 1. SHA-256 Extended Validation certificates must be used for driver signing on Intel platforms 2. Organizations will not be issued cross-signing certificates by Microsoft and all drivers must be uploaded to Microsoft for cross-signing 3. Only parties that have been approved and are actively involved in the Microsoft system quality program are permitted to submit drivers for signing These rules unify the driver signing requirements for Windows on Intel, Windows on ARM (aka Windows Phone), and Xbox One. As a side-effect of the deprecation of SHA-1 the approved Certificate Authorities that issue Authenticode certificates are no longer issuing renewals for SHA-1 and EV certificates are only available as SHA-256. It is not known if there will be a certification requirement for file system drivers as there is for other drivers. What does this mean for the OpenAFS community? Due to the new requirements it will no longer be possible to issue one set of installers for all operating systems. In particular, XP, Server 2003, XP 64, Vista, Server 2008, Windows 7 and Server 2008 R2 will not have SHA-256 support are no longer going to be able to install new OpenAFS releases. Systems that are running Windows 7 SP1 and Server 2008 R2 SP1 without the latest updates are not going to be able to install new OpenAFS releases. Up to this point all Windows installer packages have been built and signed by Your File System Inc. These packages have been distributed via the openafs.org web site. This is going to change. The new requirements from Microsoft for SysQual participation and signature validation will no longer permit Your File System Inc. to sign a driver and reference openafs.org as the source. This week I will be attending the IFS PlugFest at Microsoft and will find out the missing details regarding how drivers will be submitted, what test / validation must be provided to Microsoft, and how the signed drivers will be retrieved. I will also find out whether one of these new Windows 10 EV certificated based signed drivers cross-signed by Microsoft will work on pre-Windows 10 systems. There is a strong likelihood that installers for Windows 10 will not be compatible with earlier OS revisions because of the driver signing requirements. It is not known whether a driver installed on a Windows 7 or Windows 8 system using a SHA-1 certificate and the existing cross-signing mechanism will continue to work after an upgrade to Windows 10. My guess is "yes", but only if the driver was signed before the Windows 10 RTM date. Windows 10 RTM is expected to be issued some time over the Summer. Your File System Inc will continue to provide Windows installer packages to its customers and the community via the https://www.your-file-system.com website. It will no longer produce installers using the out of date in-tree packaging. Instead the unified MSI packaging with embedded Heimdal assemblies will be the only version of the installer for OpenAFS binaries signed by Your File System Inc. I will provide additional details as I obtain them. Jeffrey Altman Your File System Inc.
smime.p7s
Description: S/MIME Cryptographic Signature
