On 4/4/2015 1:03 AM, Jeffrey Altman wrote:
> On 4/3/2015 3:39 PM, Dave Botsch wrote:
>> Hi, Jeff
>>
>> The updates are very very much appreciated. Certainly, these changes
>> will make life interesting in the future.
>>
>> A couple of followup questions, if you know the answers...
>>
>> When MS implements the new signing changes, whenever that is, is it
>> expected that existing installations of the AFS client will break? Or
>> is it expected that those will break? Or that clients up to a certain
>> version, even if not yet installed, will work?
>
> I understand that the situation is very complex and confusing. You can
> rest assured that any system you have today that is running a driver
> that Your File System signed up to this point will continue to function
> in the future. Including if you upgrade such a Windows 7 system to
> Windows 10 with the driver installed. The problems are going to begin
> once Windows 10 is released to manufacturing because drivers signed
> after that point must be signed using the new process if they are going
> to continue to function after a system is upgraded to Windows 10.
Let me try to answer this question a different way: "Impact by OS version".

Windows XP, Server 2003, Vista, Server 2008, Windows 7 (without KB3033929)
and Server 2008 R2 (without KB3033929)

  None of these platforms have support for SHA-256, nor are there updates
  to support it. These platforms will continue to be able to install
  OpenAFS installation packages that are signed with SHA-1 certificates.
  Any installer package or driver signed with a SHA-256 certificate will
  fail to verify.

  Options:
  1. Continue issuing drivers and installers signed with SHA-1 until the
     existing SHA-1 certificate expires.
  2. Stop issuing new releases for these OS versions. Whichever OpenAFS
     release is the last release to be signed with SHA-1 is the last
     release that will work.

Windows 7 (with KB3033929), Server 2008 R2 (with KB3033929), Windows 8,
Server 2012, Windows 8.1, and Server 2012 R2

  All of these platforms have support for SHA-256 signatures, whether the
  signature is a normal SHA-256 certificate, an Extended Validation
  certificate, or a Microsoft issued signature.

  Options:
  1. Sign installers and drivers with SHA-1 up until 31 Dec 2015.
  2. Sign installers and drivers with a SHA-256 certificate.
  3. Sign installers and drivers with an EV SHA-256 certificate.
  4. Sign installers and drivers with a Microsoft issued signature.

Windows 10

  The platform has support for SHA-1 signatures, but only for installers
  and drivers that were signed before the OS is released to manufacturing.
  After that, SHA-256 signatures are required for installers and Microsoft
  issued signatures are required for file system drivers.

  Options:
  1. Stop issuing new releases of OpenAFS after RTM. The last release
     prior to RTM will continue to work.
  2. Obtain Microsoft signatures without certification.
  3. Obtain Microsoft signatures with certification.

ServerNext

  This platform requires EV SHA-256 signatures for installers and requires
  Microsoft signatures that include a certification assertion for file
  system drivers.

  Options:
  1. Certify the file system driver and obtain

Why should you care about Windows 10?

Windows 10 is going to be a free upgrade for Windows 7, Windows 8, and
Windows 8.1 users. Statistics show that 8 out of 9 Windows 8 users
upgraded to Windows 8.1 when the free in-place OS upgrade was available.
Windows 10 is going to be a free in-place upgrade that is going to improve
performance, reduce power consumption, strengthen security, add support
for the new universal app format and store, permit the execution of Xbox
One games, and reduce the OS on-disk footprint. By the time the Fall
semester begins it is possible that 30% of Windows systems on campuses
will be Windows 10. By the one year mark it could be that 80% of consumer
Windows systems will be Windows 10.

Why should you care about OpenAFS on Windows Server platforms?

OpenAFS is deployed on Windows Server platforms by just about all
organizations that use AFS. This could be to serve content via IIS, or to
host Terminal Server or Citrix sessions, or because Server Core can be
deployed without a UI. The forthcoming Server Nano will be totally
headless.

Jeffrey Altman
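An added example, not part of the message above or of the OpenAFS project: a PowerShell check for the two questions the "Impact by OS version" breakdown raises for an administrator, namely which digest algorithm each Authenticode signature on a given installer or driver uses (SHA-1 vs SHA-256, including a second signature when the file is dual-signed), and which of the OS signing regimes described above the local machine falls into. The script reads the PE security directory itself and decodes the embedded PKCS#7 with .NET SignedCms, because Get-AuthenticodeSignature returns only the primary signature and does not expose the file digest algorithm. The file path is an assumption supplied by the caller; the KB number and OS versions are the ones named in the message.

```powershell
# Added example (not from the original message or the OpenAFS project).
# Assumptions: caller supplies the path of an installer or driver to inspect;
# KB3033929 and the OS versions below are the ones named in the message.
Add-Type -AssemblyName System.Security   # SignedCms on Windows PowerShell

function Get-AuthenticodeDigests {
    # Returns one object per Authenticode signature embedded in a PE file,
    # with the digest algorithm used for the file hash (sha1 / sha256).
    param([Parameter(Mandatory)][string]$Path)
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $peOff  = [BitConverter]::ToInt32($bytes, 0x3C)       # e_lfanew
    $optOff = $peOff + 24                                 # "PE\0\0" + COFF header
    $magic  = [BitConverter]::ToUInt16($bytes, $optOff)
    # Data directories start at optional-header offset 96 (PE32) or 112 (PE32+)
    $ddOff  = if ($magic -eq 0x20B) { $optOff + 112 } else { $optOff + 96 }
    # IMAGE_DIRECTORY_ENTRY_SECURITY is entry 4; its "RVA" is a raw file offset
    $secOff  = [BitConverter]::ToInt32($bytes, $ddOff + 4 * 8)
    $secSize = [BitConverter]::ToInt32($bytes, $ddOff + 4 * 8 + 4)
    if ($secOff -eq 0 -or $secSize -eq 0) { return @() }  # unsigned or catalog-signed

    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
    $len   = [BitConverter]::ToInt32($bytes, $secOff)
    $pkcs7 = New-Object byte[] ($len - 8)
    [Array]::Copy($bytes, $secOff + 8, $pkcs7, 0, $len - 8)

    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($pkcs7)

    # Dual signatures are not a second WIN_CERTIFICATE entry: the extra PKCS#7
    # blobs sit in the unsigned attribute szOID_NESTED_SIGNATURE of the primary signer.
    $nestedOid = '1.3.6.1.4.1.311.2.4.1'
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($cms)
    $out = @()
    while ($queue.Count -gt 0) {
        $c = $queue.Dequeue()
        foreach ($si in $c.SignerInfos) {
            $out += [pscustomobject]@{
                FileDigest = $si.DigestAlgorithm.FriendlyName          # sha1 or sha256
                Signer     = $si.Certificate.Subject
                CertSigAlg = $si.Certificate.SignatureAlgorithm.FriendlyName
                NotAfter   = $si.Certificate.NotAfter                  # when the SHA-1 cert runs out
            }
            foreach ($attr in $si.UnsignedAttributes) {
                if ($attr.Oid.Value -ne $nestedOid) { continue }
                foreach ($v in $attr.Values) {
                    $nested = New-Object System.Security.Cryptography.Pkcs.SignedCms
                    $nested.Decode($v.RawData)
                    $queue.Enqueue($nested)
                }
            }
        }
    }
    return $out
}

function Get-SigningRegime {
    # Maps the local OS to the regime described in the message above.
    $v  = [version](Get-CimInstance Win32_OperatingSystem).Version
    $kb = Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue
    if ($v.Major -ge 10) {
        return 'Windows 10: SHA-256 installers, Microsoft-signed file system drivers after RTM'
    }
    if ($v -ge [version]'6.2') {
        return 'Windows 8/8.1, Server 2012/2012 R2: SHA-1 and SHA-256 signatures both verify'
    }
    if ($v.Major -eq 6 -and $v.Minor -eq 1) {
        if ($kb) { return 'Windows 7 / Server 2008 R2 with KB3033929: SHA-1 and SHA-256 both verify' }
        return 'Windows 7 / Server 2008 R2 without KB3033929: SHA-1 only'
    }
    return 'Pre-Windows 7: SHA-1 only, no SHA-256 support available'
}

# Usage (path is a placeholder, not an assertion about where OpenAFS installs):
Get-SigningRegime
Get-AuthenticodeDigests -Path 'C:\path\to\driver.sys' | Format-Table -AutoSize
```

A file that is only catalog-signed has no security directory and returns nothing here; for that case, and for chain and timestamp status, still run Get-AuthenticodeSignature alongside. A SHA-1-only result on a machine in the "SHA-1 only" regime is the case option 1 of the first group above keeps working; a SHA-256-only result on such a machine is the "will fail to verify" case.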
