How big a deal

By Larry Seltzer  |  Posted 2006-01-24 Print this article Print

is it?"> You might be thinking now: "$500! Im in the wrong business!" And theres something to that thought. But, according to VeriSign, it doesnt just run a program to generate the signature and mail it off to you. The company does actual research to make sure that the entity that applied for the certificate is who it says it is and that it is a real organization.

I spoke to VeriSign about this about a year ago related to abuse of code-signing certificates raised by Ben Edelman. (I had to amend that column, but I think the basic points remained valid.) At the time, VeriSign referred me to a policy document on its site that listed all the rules it follows. That document isnt where it was back then, but this one appears to describe all the rules.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Are these requirements onerous? I have seen assertions (see this discussion on the matter) that only corporate entities can obtain a Class 3 certificate, but the VeriSign document doesnt seem to require it. It does require for individuals that the subscriber agreement be notarized and accompanied by three forms of identification. So, its going to cost some money to get one, but not big money, and its not that hard to do.

The requirement for kernel-mode drivers to be signed isnt the only new one in Windows Vista. These kernel-mode drivers must contain users who are not administrators and cannot install unsigned drivers in any mode. All drivers for devices that stream content must also be signed.

Its also worth noting that Microsofts plans for this process make some exceptions to make life a little easier for developers. For the prerelease period of Vista, at least until Release Candidate 1, there will be a configuration setting developers can use to bypass the requirement, but this will be removed in the release version of Vista. It also will be possible to create a special boot menu option for running the system without the kernel-mode signature requirement, but this choice will not persist to the next system boot.

Would the requirements make open-source development impractical, or even impossible? Clearly, it would make open-source development more difficult, depending on how you approach the issue. I dont think this is Microsofts goal, but I dont think it bothers them all that much either.

Its not clear how much open-source development is done with kernel-mode Windows, so the argument may be theoretical. But, clearly, all developers would need their own VeriSign certificate or access to someone elses. I havent got a clear answer on it, but I think it should be possible for an organization willing to put up the money to give liberal access of their certificate to others. Perhaps VeriSign frowns on such behavior; Im not sure what it does about it. But perhaps the central philosophical objective of the GPL is that users of programs should have the freedom to modify those programs to their needs and taste, and clearly Microsofts objectives for the Windows kernel conform to a different philosophy.

Kernel-mode Windows development is already a difficult and very specialized business. Not every schmo with Visual Basic can do it, and those who do it well are fairly rare. In the end, Microsofts new rules are an attempt to keep the unserious and malicious among us out of the kernel, and if theres some collateral damage, Im sure the company sees it as worthwhile to keep dirty, unaccountable code out of the Windows kernel. Its a reasonable objective.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel