Re[3]: X64 Windows Vista to require signed drivers

> From what I know, the new initiative does not require WHQL signing. It
> only requires signing by the company which has the Verisign cert.

That is how I read it too. At first I thought we were talking about
required WHQL. This is at least workable even if expensive and a
pain in the butt.

Robert Newton

As soon as somebody connected DRM to Vista signing policy it became
clear to me that this is a done deal. The misnamed ‘wired home’, meaning
control over the licensed media stream into everybody’s
home/car/earplug, is where the money is, and the fate of lowly driver
developers and low box-count specialized platforms is not going to cause
anyone with decision making power in Redmond to lose sleep.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Brown, Beverly
Sent: Wednesday, January 25, 2006 10:25 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] X64 Windows Vista to require signed drivers

Wow! It even beat the rootkit thread?

Don’t you OSR folks have some influence in Redmond? Can you start a
dialog with them about this? It clearly affects a large part of the
driver developing community (and consumers in the long run, but they
won’t know it until it’s too late to do anything about it except maybe
switch to Linux)

Beverly

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
Sent: Tuesday, January 24, 2006 6:30 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] X64 Windows Vista to require signed drivers

And with that, ladies and gentlemen, this thread becomes tied with the
discussion about ddkbuild.bat for the most replies to any thread in the
past year.

This reply makes 66 replies total, plus the original post, thereby
putting it in the lead. I’m not sure I can stand the excitement.

Peter
OSR


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: bbrown@mc.com To unsubscribe
send a blank email to xxxxx@lists.osr.com



As you’d expect, we’re working the issue as best we can. But this isn’t a DDK issue, or something where one of us can talk to a dev and get a bug fixed. It’s not even the type of policy issue that strictly impacts the driver development community.

Rather, this is a major policy issue. I suspect the policy was decided at the senior VP level, and would take that level of attention to reverse it. While I’d be pleased to meet with *any* VP at Microsoft to discuss this issue at any time, I hope you won’t be surprised to hear that I haven’t received any such invitations :-)

What is most effective at that level is personal lobbying by the VPs/CTOs/CIOs of high-volume and strategically important IHVs, OEMs, and corporate customers.

The fact that this policy makes life difficult for developers, testers, makers of specialized hardware devices, internal development organizations, and people who just want to innovate using Windows-64 – and that this will ultimately hurt the migration to Win64 – probably hasn’t even occurred to the powers that be. The questions are (a) will they realize this before it’s too late, (b) when they hear about this issue, will they receive enough context to gain a good enough grasp of the problem to care, (c) if so, will they bother to intercede – among the many issues competing for their attention during the Vista end-game – and give us a workable mitigation strategy?

Bets, anybody?

Peter
OSR

(Disclaimer: I have no internal knowledge of this, and all opinions
below are strictly my own and not necessarily Microsoft’s.)

Has anyone considered that malware, spyware, and rootkits are
increasingly loading in the kernel and becoming harder to detect? No
more kernel-based rootkits that aren’t trackable back to a corporation?
It just seems to me that having all kernel-mode bits signed seems like
it could greatly reduce this attack vector.

I’m just surprised this hasn’t come up already on the discussions.


-----Original Message-----
From: Roddy, Mark [mailto:xxxxx@stratus.com]
Sent: Tuesday, January 24, 2006 7:46 AM
Subject: RE: X64 Windows Vista to require signed drivers

Microsoft, along with everybody else in the consumer computer industry,
is focused on replacing that thing on top of your tv with something that
they build/manage that streams content into your home that is licensed
and generates revenue. Lots of revenue. From this discussion it is clear
that the downside of this is that other uses of their OS, from general
purpose server systems to various forms of low box count specialized
systems are going to lose out when decisions are made and there are
conflicting goals.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Brown, Beverly
Sent: Tuesday, January 24, 2006 9:52 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] X64 Windows Vista to require signed drivers

This paragraph from the document sure does seem to support that:

“* Drivers must be signed for devices that stream protected
content. This includes audio drivers that use Protected User Mode Audio
(PUMA) and Protected Audio Path (PAP), and video device drivers that
handle protected video path-output protection management (PVP-OPM)
commands.”

As soon as I read that, I thought “So that’s the reason they’re doing
this.” I hate DRM. It protects a few media publishers and side effects
of things that get put in place to support DRM cripple everybody else -
ultimately giving the consumer fewer choices which will lead to less
quality in the long run.

It seems to me that they could make this a requirement for only those
devices, though. Leave the rest of us alone.

Beverly

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Tuesday, January 24, 2006 9:13 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] X64 Windows Vista to require signed drivers

Someone pointed out to me yesterday (in an offline conversation) that
the real issue here is NOT related to drivers, but rather to DRM.
Microsoft has to lock down the set of certificates in order to implement
their strong DRM policy (otherwise, you could add your own certs and use
them to bypass the DRM apparently.) I’m not certain if that’s correct,
but the person who said this to me is reliable - and it makes a certain
type of sense. It explains why they won’t use just any root cert (which
certainly doesn’t matter for drivers, but does matter for DRM).

I’m sure the folks at Microsoft did speak to their customers to
determine the impact this would have. After all, it is difficult to
imagine that one could make such a fundamental decision like this
without consulting with key customers (imagine the sheer embarrassment
factor if you need to recant after taking a strong policy position such
as this one.) So, while it will be inconvenient for us, they have
apparently determined that this is an acceptable cost (and if you don’t
like it, please refer to “Figure 1” ;-) )

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter G. Viscarola
Sent: Monday, January 23, 2006 2:29 PM
To: ntdev redirect
Subject: RE:[ntdev] X64 Windows Vista to require signed drivers

I think the point about special-purpose drivers that are used in-house
or by third party companies in very specific markets is a good one.

There are TONS of these drivers, and requiring them to be signed is
nothing but a DISincentive for people to move to 64-bit Windows.

Sigh… I’m glad Microsoft is thinking about issues of driver security
and reliability, but I really wish they would enter into a dialog with
the community about these policies before mandating them. I dare say
that even THEY can’t think of every consequence of every proposed
policy.

Peter
OSR



MM wrote:

> When I hear DRM, I associate it with audio and video protections, NOT
> validating a cert in some driver.

Yes, same issue. I can imagine the line of thinking: anyone who would
go through the time and expense to get a corporate Verisign certificate
is going to have a team of corporate lawyers who will not allow any
non-DRM-aware drivers to leave their building.

Further, if such a driver IS released, the Verisign signature ensures
that the driver can be traced back to its source.

If you read the notices, this is all about protecting the audio and
video paths through your computer. Protecting them from who? Why, from
YOU, of course. The computer’s owner. In the eyes of the entertainment
industry, every one of us is a closet copyright violator.

> Now with this functionality in kernel land, why couldn’t it be added
> to the filesystem (or a filter) to prevent me from having
> ‘unauthorized’ content on my HD or prevent me from ripping or copying
> a CD?

Right. That’s exactly the point. Validated and signed drivers will not
ALLOW you to deal with “unauthorized” content. Today, you can do so,
but you have to feel guilty about it. Tomorrow, it will simply be
impossible.

> This scenario would be the rumor I was referring to… If this is the
> case, a lot of people are going to be upset.

Who? CD-sharing teenagers? Casual movie copiers? Can you think of a
single population who would be upset that matter in any significant
way? The scenario you described is exactly what the entertainment
industry wants, and they have vastly more money and influence than any
of the people who are going to be upset.

As you can probably tell, this whole trend makes me angry in a vague
sort of way. I think that’s partly because my own precious computer
industry, which has a long and healthy tradition of
antiestablishmentarianism, has fallen in lock step to make this happen.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I will suggest one other tack besides what Peter has said. Over the years I
have been involved with a number of efforts to work with Microsoft. It
always amazes me that a well written traditional letter will garner a
response from most Microsoft executives below the level of Ballmer or Gates.
So I suggest if you really care, have the highest manager you can convince
in your organization send a letter to Jim Allchin. Keep the letter concise,
targeting your biggest problem with the new policy.

No emails, these guys are bombarded, make it a letter on company stationery.
If Allchin’s office gets a number of letters, I suspect someone will at least
take a look.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

wrote in message news:xxxxx@ntdev…
>
> As you’d expect, we’re working the issue as best we can. But this isn’t a
> DDK issue, or something where one of us can talk to a dev and get a bug
> fixed. It’s not even the type of policy issue that strictly impacts the
> driver development community.
>
> Rather, this is a major policy issue. I suspect the policy was decided at the
> senior VP level, and would take that level of attention to reverse it.
> While I’d be pleased to meet with any VP at Microsoft to discuss this
> issue at any time, I hope you won’t be surprised to hear that I haven’t
> received any such invitations :-)
>
> What is most effective at that level is personal lobbying by the
> VPs/CTOs/CIOs of high-volume and strategically important IHVs, OEMs, and
> corporate customers.
>
> The fact that this policy makes life difficult for developers, testers,
> makers of specialized hardware devices, internal development
> organizations, and people who just want to innovate using Windows-64 –
> and that this will ultimately hurt the migration to Win64 – probably
> hasn’t even occurred to the powers that be. The questions are (a) will
> they realize this before it’s too late, (b) when they hear about this
> issue, will they receive enough context to gain a good enough grasp of the
> problem to care, (c) if so, will they bother to intercede – among the
> many issues competing for their attention during the Vista end-game – and
> give us a workable mitigation strategy?
>
> Bets, anybody?
>
> Peter
> OSR
>

xxxxx@osr.com wrote:

> What is most effective at that level is personal lobbying by the VPs/CTOs/CIOs of high-volume and strategically important IHVs, OEMs, and corporate customers.

The problem is that at this level, these kinds of people don’t really
care that much about this policy. High-volume and strategic IHVs, OEMs,
and customers are likely to be either neutral or even possibly in favor
of this policy.

Even at my (relatively small though high-volume) company, this will only
be a minor inconvenience. I’ll have to make sure we have the right cert
(probably already do… but if not $500/year and a little extra work for
MIS is peanuts), update our build process to sign our drivers as they
are built for testing, and our customers will probably sign them
themselves when they get them anyway.

Really the only people this hurts badly enough for them to complain are
the little guys, students, and contractors.

I, personally, think it’s a huge mistake for Microsoft to not come up
with some way to allow standard Authenticode-signed drivers (signable
with the DDK and requiring the cert to be installed) to be installed on
Vista64. There’s no particularly good excuse for not allowing this.

The DRM excuse is stupid. Even the anti-virus excuse is stupid. How long
do you think it will take for an OS patch around this to become widely
available?

No one serious would ever ship a driver with such a patch installed by
their setup program, because their asses would be sued off. They
wouldn’t even just use Authenticode and hiddenly install their cert for
the same reasons. But the bad/stupid/lazy/cheap people won’t have
significant trouble dealing with it, or much in the way of compunction.

You can’t do trusted computing without actual trusted computing. BTW,
has anyone heard anything from MS about this recently? There was
deafening silence regarding NGSCB at WinHEC 2005… even all my direct
contacts at MS that I was working with on trusted input actively and
directly went silent around a year ago…

Ray

Case in point: We at Seagate are always improving our disc diagnostic
capabilities. Why? So that when you buy one of our drives you have this
warm fuzzy feeling that it will work as specified. To do this, we require
some out of the ordinary kernel code that will never be marketed. We can
attach this driver to any HBA on the market in order to diagnose and/or do
baseline testing on existing or new drive lines. No one writes these kinds
of diagnostic drivers that are primarily targeted at our products, and
which may do out of the ordinary things such as open the entire T10/T13
command sets to an application level task. Mind you, in this case, the
HBA is simply a PCI bus mastering device, not even in the storage stack,
and there are times when testing will be destructive to the contents of
the disc.

Being rather heavily involved in producing this driver suite as well as a
few others, my question becomes just how Vista x64bit driver signing is
going to affect us? These are not marketed drivers, rather they are part
of an internal product we distribute to OEMs such as Dell, HP, IBM, and
etc. in other words our customers, to certify our drives in their
products.

Right now it sounds like for the foreseeable future we will be primarily
targeting XP/Vista 32 bit and XP 64 platforms only. Part of this package
is both DOS and Linux versions. What’s the impact in two years if we have
to use DOS or Linux to diagnose and develop drives that are targeted for
Vista, simply because the new windows driver policy for 64 bit Vista and
Longhorn Server is too restrictive? I’m sure every other kernel level
developer at WD, Hitachi, Fujitsu, and any other online storage
manufacturer is wondering much the same.

Gary G. Little
This is my opinion, and not necessarily that of my employer. If you have a
problem with it, talk to me, and not my bosses.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
Sent: Wednesday, January 25, 2006 10:17 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] X64 Windows Vista to require signed drivers

As you’d expect, we’re working the issue as best we can. But this isn’t a
DDK issue, or something where one of us can talk to a dev and get a bug
fixed. It’s not even the type of policy issue that strictly impacts the
driver development community.

Rather, this is a major policy issue. I suspect the policy was decided at the
senior VP level, and would take that level of attention to reverse it.
While I’d be pleased to meet with *any* VP at Microsoft to discuss this
issue at any time, I hope you won’t be surprised to hear that I haven’t
received any such invitations :-)

What is most effective at that level is personal lobbying by the
VPs/CTOs/CIOs of high-volume and strategically important IHVs, OEMs, and
corporate customers.

The fact that this policy makes life difficult for developers, testers,
makers of specialized hardware devices, internal development
organizations, and people who just want to innovate using Windows-64 –
and that this will ultimately hurt the migration to Win64 – probably
hasn’t even occurred to the powers that be. The questions are (a) will
they realize this before it’s too late, (b) when they hear about this
issue, will they receive enough context to gain a good enough grasp of the
problem to care, (c) if so, will they bother to intercede – among the
many issues competing for their attention during the Vista end-game – and
give us a workable mitigation strategy?

Bets, anybody?

Peter
OSR



“Henry Gabryjelski” wrote in message
news:xxxxx@ntdev…
> (Disclaimer: I have no internal knowledge of this, and all opinions
> below are strictly my own and not necessarily Microsoft’s.)
>
> Has anyone considered that malware, spyware, and rootkits are
> increasingly loading in the kernel and becoming harder to detect? No
> more kernel-based rootkits that aren’t trackable back to a corporation?
> It just seems to me that having all kernel-mode bits signed seems like
> it could greatly reduce this attack vector.
>
> I’m just surprised this hasn’t come up already on the discussions.

Henry,

The third-party DDK developers have perhaps the most serious commitment to
improving driver quality and platform security of any developer group
outside of Microsoft. Over the past few years MS has given us better tools
and information about improving driver security, and most of us have taken
up the cause. On this list we constantly reinforce best practices in this
area and fend off quite a few technical inquiries that clearly have a
malware intent.

HOWEVER, there are a LOT of situations where too much security is NOT a good
thing - especially in the millions of small vertical markets where
innovation and quick driver turn-around is critical. If Microsoft prevents
us from being able to respond to these customers’ needs, then the customers
will definitely elect to move to a different platform that offers the
flexibility they require for their legitimate business needs.

Thomas F. Divine, Windows DDK MVP

Henry,

So, I should give up my rights for the elusive,
remote and uncertain possibility that I get …
infected ??? Well, thanks no way.
It seems a thing which is en vogue now, anyway,
in certain parts of the world, but I prefer to keep
my rights :-P

Thank you very much, but what you are insinuating
can be prevented simply by running the OS with an
account which doesn’t allow driver installations.

You really think I need MS to add DRM and signatures to avoid
a driver loading ? NT as it is allows this just well.

This is why it doesn’t come up. Because it can already be done.
Greatly reduce this attack vector ? You must be kidding.
Educating users would reduce this attack vector. Eliminating
idiot software like IExplore and Outlook and all their weaknesses
would greatly reduce the risks.

It would also help MS engineers pay more attention to security bugs in
the OS in the first place, NT and derived OSs
is a nightmare of bugs. Just look at the sheer number of the hotfixes and
security advisories :-P

I don’t need MS to tell what operations I can do or not
on my computer.

I also don’t need MS to steal the right from me to run my own
drivers which run on my machine. I’m entitled to run my own
creations, my own firewall for example, which I trust more
than a lot of shitty things created by companies. I’m entitled
to run drivers developed by 3rd parties. I’m entitled
to get and compile open source drivers and install them on my
machine if I feel so.

Dan

----- Original Message -----
From: “Henry Gabryjelski”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, January 25, 2006 7:13 PM
Subject: RE:[ntdev] X64 Windows Vista to require signed drivers

(Disclaimer: I have no internal knowledge of this, and all opinions
below are strictly my own and not necessarily Microsoft’s.)

Has anyone considered that malware, spyware, and rootkits are
increasingly loading in the kernel and becoming harder to detect? No
more kernel-based rootkits that aren’t trackable back to a corporation?
It just seems to me that having all kernel-mode bits signed seems like
it could greatly reduce this attack vector.

I’m just surprised this hasn’t come up already on the discussions.


-----Original Message-----
From: Roddy, Mark [mailto:xxxxx@stratus.com]
Sent: Tuesday, January 24, 2006 7:46 AM
Subject: RE: X64 Windows Vista to require signed drivers

Microsoft, along with everybody else in the consumer computer industry,
is focused on replacing that thing on top of your tv with something that
they build/manage that streams content into your home that is licensed
and generates revenue. Lots of revenue. From this discussion it is clear
that the downside of this is that other uses of their OS, from general
purpose server systems to various forms of low box count specialized
systems are going to lose out when decisions are made and there are
conflicting goals.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Brown, Beverly
Sent: Tuesday, January 24, 2006 9:52 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] X64 Windows Vista to require signed drivers

This paragraph from the document sure does seem to support that:

“* Drivers must be signed for devices that stream protected
content. This includes audio drivers that use Protected User Mode Audio
(PUMA) and Protected Audio Path (PAP), and video device drivers that
handle protected video path-output protection management (PVP-OPM)
commands.”

As soon as I read that, I thought “So that’s the reason they’re doing
this.” I hate DRM. It protects a few media publishers and side effects
of things that get put in place to support DRM cripple everybody else -
ultimately giving the consumer fewer choices which will lead to less
quality in the long run.

It seems to me that they could make this a requirement for only those
devices, though. Leave the rest of us alone.

Beverly

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Tuesday, January 24, 2006 9:13 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] X64 Windows Vista to require signed drivers

Someone pointed out to me yesterday (in an offline conversation) that
the real issue here is NOT related to drivers, but rather to DRM.
Microsoft has to lock down the set of certificates in order to implement
their strong DRM policy (otherwise, you could add your own certs and use
them to bypass the DRM apparently.) I’m not certain if that’s correct,
but the person who said this to me is reliable - and it makes a certain
type of sense. It explains why they won’t use just any root cert (which
certainly doesn’t matter for drivers, but does matter for DRM).

I’m sure the folks at Microsoft did speak to their customers to
determine the impact this would have. After all, it is difficult to
imagine that one could make such a fundamental decision like this
without consulting with key customers (imagine the sheer embarrassment
factor if you need to recant after taking a strong policy position such
as this one.) So, while it will be inconvenient for us, they have
apparently determined that this is an acceptable cost (and if you don’t
like it, please refer to “Figure 1” ;-) )

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter G. Viscarola
Sent: Monday, January 23, 2006 2:29 PM
To: ntdev redirect
Subject: RE:[ntdev] X64 Windows Vista to require signed drivers

I think the point about special-purpose drivers that are used in-house
or by third party companies in very specific markets is a good one.

There are TONS of these drivers, and requiring them to be signed is
nothing but a DISincentive for people to move to 64-bit Windows.

Sigh… I’m glad Microsoft is thinking about issues of driver security
and reliability, but I really wish they would enter into a dialog with
the community about these policies before mandating them. I dare say
that even THEY can’t think of every consequence of every proposed
policy.

Peter
OSR



>> Really the only people this hurts badly enough for them to complain are
>> the little guys, students, and contractors.

You forget one thing: the USER right to install anything he wants on
the computer and the OS.

----- Original Message -----
From: “Ray Trent”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Wednesday, January 25, 2006 7:18 PM
Subject: Re:[ntdev] X64 Windows Vista to require signed drivers

> xxxxx@osr.com wrote:
>> What is most effective at that level is personal lobbying by the
>> VPs/CTOs/CIOs of high-volume and strategically important IHVs, OEMs, and
>> corporate customers.
>
> The problem is that at this level, these kinds of people don’t really care
> that much about this policy. High-volume and strategic IHVs, OEMs, and
> customers are likely to be either neutral or even possibly in favor of
> this policy.
>
> Even at my (relatively small though high-volume) company, this will only
> be a minor inconvenience. I’ll have to make sure we have the right cert
> (probably already do… but if not $500/year and a little extra work for
> MIS is peanuts), update our build process to sign our drivers as they are
> built for testing, and our customers will probably sign them themselves
> when they get them anyway.
>
> Really the only people this hurts badly enough for them to complain are
> the little guys, students, and contractors.
>
> I, personally, think it’s a huge mistake for Microsoft to not come up with
> some way to allow standard Authenticode-signed drivers (signable with the
> DDK and requiring the cert to be installed) to be installed on Vista64.
> There’s no particularly good excuse for not allowing this.
>
> The DRM excuse is stupid. Even the anti-virus excuse is stupid. How long
> do you think it will take for an OS patch around this to become widely
> available?
>
> No one serious would ever ship a driver with such a patch installed by
> their setup program, because their asses would be sued off. They
> wouldn’t even just use Authenticode and hiddenly install their cert for
> the same reasons. But the bad/stupid/lazy/cheap people won’t have
> significant trouble dealing with it, or much in the way of compunction.
>
> You can’t do trusted computing without actual trusted computing. BTW, has
> anyone heard anything from MS about this recently? There was deafening
> silence regarding NGSCB at WinHEC 2005… even all my direct contacts at
> MS that I was working with on trusted input actively and directly went
> silent around a year ago…
> --
> Ray
>

Ankit Raizada wrote:

> I don’t understand one thing, to whom these DRM techniques are being
> targeted towards?

EVERYONE. The RIAA essentially believes that everyone violates
copyright on a regular basis. And, given their narrow definitions, they
are probably correct. How many of you have a TiVo? It is not at ALL
clear that it is strictly legal to use a TiVo for its intended use. You
may not have 10,000 Napster MP3s on your computer, but I’ll bet you’ve
downloaded a song or two. It was very common in the 1980s and 1990s to
own a dual-VHS tape deck. They were NOT all used for editing the
scenes of Junior’s 7th birthday party.

These are all very innocent activities that may be illegal in the
strictest sense. Don’t try to claim “fair use”. “Fair use” does not
dictate what is legal. “Fair use” simply lists some things which are
technically illegal, but which industry has agreed not to sue over. Yet.

> Average Joes? no they don’t need to do it themselves just find the
> content already ripped out.

Average Joe won’t go to the trouble. Today, it’s so easy that Average
Joe assumes it must be legal. Tomorrow, it will be too hard, so he
won’t do it.

> One more thing! btw I don’t understand one thing, Is this policy really
> enforceable to the extent that no one can break it? I mean what it will
> take to patch the kernel mode crypto code to let pass everything!

Only the hardest of the hard-core would install such a thing. This is
about keeping the honest man (or the well-intentioned man) honest.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> Right. That’s exactly the point. Validated and signed drivers will not
> ALLOW you to deal with “unauthorized” content. Today, you can do so,
> but you have to feel guilty about it. Tomorrow, it will simply be
> impossible.

Hahaha. Like if I really want to do it, what’s to stop me from installing
BSD or Linux or whatever other OS?

Dan

----- Original Message -----
From: “Tim Roberts”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, January 25, 2006 7:13 PM
Subject: Re: [ntdev] X64 Windows Vista to require signed drivers

> MM wrote:
>
>>>
>> When I hear DRM, I associate it with audio and video protections, NOT
>> validating a cert in some driver.
>
>
> Yes, same issue. I can imagine the line of thinking: anyone who would
> go through the time and expense to get a corporate Verisign certificate
> is going to have a team of corporate lawyers who will not allow any
> non-DRM-aware drivers to leave their building.
>
> Further, if such a driver IS released, the Verisign signature ensures
> that the driver can be traced back to its source.
>
> If you read the notices, this is all about protecting the audio and
> video paths through your computer. Protecting them from who? Why, from
> YOU, of course. The computer’s owner. In the eyes of the entertainment
> industry, every one of us is a closet copyright violator.
>
>> Now with this functionality in kernel land, why couldn’t it be added
>> to the filesystem (or a filter) to prevent me from having
>> ‘unauthorized’ content on my HD or prevent me from ripping or copying
>> a CD?
>
>
> Right. That’s exactly the point. Validated and signed drivers will not
> ALLOW you to deal with “unauthorized” content. Today, you can do so,
> but you have to feel guilty about it. Tomorrow, it will simply be
> impossible.
>
>> This scenario would be the rumor I was referring to… If this is the
>> case, a lot of people are going to be upset.
>
>
> Who? CD-sharing teenagers? Casual movie copiers? Can you think of a
> single population who would be upset that matter in any significant
> way? The scenario you described is exactly what the entertainment
> industry wants, and they have vastly more money and influence than any
> of the people who are going to be upset.
>
> As you can probably tell, this whole trend makes me angry in a vague
> sort of way. I think that’s partly because my own precious computer
> industry, which has a long and healthy tradition of
> antiestablishmentarianism, has fallen in lock step to make this happen.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.

Well, of course – it’s so obvious as to be redundant. We’re talking about
Vista.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dan Partelly
Sent: Wednesday, January 25, 2006 12:33 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] X64 Windows Vista to require signed drivers

> Right. That’s exactly the point. Validated and signed drivers will
> not ALLOW you to deal with “unauthorized” content. Today, you can do
> so, but you have to feel guilty about it. Tomorrow, it will simply
> be impossible.

Hahaha. Like if I really want to do it, what’s to stop me from installing BSD or
Linux or whatever other OS?

Dan

I have been collecting the feedback and summarizing it back to some of
the folks who are a part of the x64 signing decision.

Thx
d

– I can spell, I just can’t type.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@osr.com
Sent: Wednesday, January 25, 2006 8:17 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] X64 Windows Vista to require signed drivers

As you’d expect, we’re working the issue as best we can. But this isn’t
a DDK issue, or something where one of us can talk to a dev and get a
bug fixed. It’s not even the type of policy issue that strictly impacts
the driver development community.

Rather, this is a major policy issue. I suspect the policy was decided at
the senior VP level, and would take that level of attention to reverse
it. While I’d be pleased to meet with *any* VP at Microsoft to discuss
this issue at any time, I hope you won’t be surprised to hear that I
haven’t received any such invitations :-)

What is most effective at that level is personal lobbying by the
VPs/CTOs/CIOs of high-volume and strategically important IHVs, OEMs, and
corporate customers.

The fact that this policy makes life difficult for developers, testers,
makers of specialized hardware devices, internal development
organizations, and people who just want to innovate using Windows-64 –
and that this will ultimately hurt the migration to Win64 – probably
hasn’t even occurred to the powers that be. The questions are (a) will
they realize this before it’s too late, (b) when they hear about this
issue, will they receive enough context to gain a good enough grasp of
the problem to care, (c) if so, will they bother to intercede – among
the many issues competing for their attention during the Vista end-game
– and give us a workable mitigation strategy?

Bets, anybody?

Peter
OSR



Doron,

Thank you for your efforts. Whether there are modifications to the
policy or not, I appreciate your being the potential bearer of bad news.
Again, thanks for all the efforts on this and all the other things you
do for the developer community.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Doron Holan” wrote in message
news:xxxxx@ntdev…
I have been collecting the feedback and summarizing it back to some of
the folks who are a part of the x64 signing decision.

Thx
d

– I can spell, I just can’t type.

Henry Gabryjelski wrote:

> (Disclaimer: I have no internal knowledge of this, and all opinions
> below are strictly my own and not necessarily Microsoft’s.)
>
> Has anyone considered that malware, spyware, and rootkits are
> increasingly loading in the kernel and becoming harder to detect? No
> more kernel-based rootkits that aren’t trackable back to a corporation?
> It just seems to me that having all kernel-mode bits signed seems like
> it could greatly reduce this attack vector.

Well, I might be talked into ‘signed’… in fact,
I pretty much agree that the default policy that
ships with Vista should be that drivers must
be signed.

What I don’t agree with are:

  1. That it must be signed by a verisign certificate

  2. That it isn’t a policy decision I can make, but one
    forced on me by Microsoft.

Thanks,

Joseph

So, how should Microsoft change their policy?

Is it ok to require signing as long as other signing authorities besides
Verisign are allowable?

If signed drivers are optional, can any functionality be contingent only
using signed drivers? What about support tied to signed drivers?

-----Original Message-----
From: Roddy, Mark [mailto:xxxxx@stratus.com]
Sent: Wednesday, January 25, 2006 7:45 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] X64 Windows Vista to require signed drivers

As soon as somebody connected DRM to Vista signing policy it became
clear to me that this is a done deal. The misnamed ‘wired home’, meaning
control over the licensed media stream into everybody’s
home/car/earplug, is where the money is, and the fate of lowly driver
developers and low box-count specialized platforms is not going to cause
anyone with decision making power in Redmond to lose sleep.

Dan Partelly wrote:

> You forget one thing: the USER right to install anything he wants on
> the computer and the OS.

Sounds good in theory, but in practice you’ve never had that right in
the first place. There are numerous cases of illegal software, as well
as cases where license agreements disallow parties to install various
things on various machines.

Ray

Well first in the paper Microsoft refers to a BCDedit (the replacement for
boot.ini) switch that will be removed from production releases. The switch
allows untrusted modules similar to the way you can choose NX protection in
current OSes. This is for in-house use, but if the in-house folks feel
they need it, shouldn’t they ask if others do also?

Second, have an alternate signing authority, that will work with the
independents, students, etc.

Third they are restricting what can be boot start, this is going to break
existing products and mean that a lot of common techniques are not allowed.
They need a way to allow any class of driver to be boot start, assuming it
follows the signing policy of the first point.

I should note this is my paraphrase of Max Shatskih’s excellent post on an MVP
private newsgroup. I fully support all that Max suggested.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Arthur Kreitman” wrote in message news:xxxxx@ntdev…
> So, how should Microsoft change their policy?
>
> Is it ok to require signing as long as other signing authorities besides
> Verisign are allowable?
>
> If signed drivers are optional, can any functionality be contingent only
> using signed drivers? What about support tied to signed drivers?