On Jul 29, 2015, at 9:10 AM, Jeffrey Altman <[email protected]> wrote:
> On 7/29/2015 3:12 AM, Antoine Verheijen wrote:
>> Putting my security hat on: certified drivers do not provide ANY
>> additional degree of security whatsoever. It merely states that the
>> certifier has blessed it using whatever criteria they use (in many
>> cases, simply financial payment).
>>
>> What guarantee(s) is the certifier prepared to live up to via their
>> certification? If none, why is it required?
>
> Certification provides quality control. Microsoft's signing of the
> kernel drivers does not involve any payment. Microsoft is willing to
> sign any drivers that have passed the required quality control checks
> which include test suites, static analysis, and feature/capability lists.

I'll accept this point at face value, in particular as I have no direct experience with Microsoft in this regard. Furthermore, I realize in hindsight that this is not the venue to discuss an issue of this sort as it does not relate in any meaningful way to AFS, the real subject of this mailing list, and I should never have made my initial comments in this discussion list. I apologize for having done so.

> The only additional security benefit of Microsoft signing the drivers as
> opposed to permitting vendors to use issued cross signing certificates
> is that a vendor can no longer be hacked and have their signing key be
> used without their knowledge to sign unapproved binaries without a paper
> trail.

This is a totally valid point, one which I had not considered, and which most certainly does provide increased security (albeit perhaps not of the sort I had in mind), clearly contradicting my initial assertion. :-)

> Jeffrey Altman

Once again, apologies for the inappropriate content. I'll try to be more considerate. :-)

Bye for now.

------------------------------------------------------------------------
Antoine Verheijen
Email: [email protected]
Phone: (780) 462-9696
