funsec mailing list archives

Re: standards status in the industry - opinion?


From: Barrie Dempster <barrie () reboot-robot net>
Date: Mon, 09 Jan 2006 13:20:08 +0000

On Mon, 2006-01-09 at 13:50 +0100, James Kehl wrote:

> Another aspect might be the cost/tax to get your drivers certified.
> I don't know the process myself, but chances are you would have
> to pay, pay big, and pay whenever you released an update.


Indeed, that's what I was getting at with "the hoops MS make you jump
through" in a previous post. The users' excuse is they just don't care
enough to know the difference; the developers' excuse is that MS make it
too difficult, technically or economically, to comply.

> (Has anyone seen a certified Windows driver that wasn't bundled with a MS
> product?)
>
> I'm surprised nobody's skipped the hassle and just installed their own
> root cert. The fact the installer's running as Administrator implies Game
> Over in security terms, anyway.

There is nothing wrong with doing that. I'd love to see drivers and
other software signed by people other than MS that network admins can
use in a chain of trust. This, combined with MS handling all of their own
software well, would be a very good solution and could quite easily
cover large numbers of vendors in the way SSL certificates on websites
scale well. This makes the whole process cheaper and easier. I'd like
to see more use of software signing using this sort of mechanism; it's a
very valid mechanism to help with the problem of untrusted code within
the enterprise network.

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3
