
Questions About Unsigned Code on Microsoft's Whistler OS

Earlier today, we learned that Whistler, a new operating system under development at Microsoft, may be designed to provide users with the ability to stop any code that is not digitally signed from being executed. As it was described on Slashdot and ZDnet, this security scheme would not be granular, thereby appealing to users and IT managers who do not have the expertise to determine the appropriateness of unsigned code.


It may be a bit early to question the approach since we've seen nothing official, but we thought we would make a couple of observations about the drawbacks of the design as it has been described in the press. Our primary concerns are with the impact this type of security mechanism would have on template-driven Web publishing environments and P2P applications that we have seen or understand to be under development at this time.

Template-Driven Web Publishing Environments

At CTDATA, we use the Slashcode Web Publishing system for a lot of our Web Site development and operations. The main distribution of Slashcode does not currently run under Windows NT or 2000 without substantial modification. The next release of Slashcode, code-named Bender, provides a great deal more flexibility with respect to target databases and would make a much better candidate for use on Windows.

Although it would be a relatively trivial process for a business that is part of the Slashcode development community (like CTDATA) to digitally sign each component of Slashcode that it has tested and is willing to support, a few esoteric issues would come up rather quickly:

  • Is the ActiveState Perl distribution going to honor the user's wishes and only execute digitally signed Perl scripts?
  • How will executable code that resides in BLOBs within the SQL database be addressed, since these code elements are loaded and executed by components of the Slashcode system?

Clearly, these concerns would not only affect platforms like Slashcode. They would also come up in Web Publishing environments with far larger user bases, like Vignette V/5, Interwoven TeamSite, and Allaire Spectra. All of these products, to one extent or another, depend upon the ability to embed executable code in Web Page templates and store that code in their back end databases.
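
The second question in the list above can be made concrete with a short sketch, added here and not taken from Slashcode or any product named on this page. It shows that a signed host program still executes whatever sits in the database unless it checks each stored code element itself. Assumptions: Python and an in-memory SQLite table stand in for Perl and the SQL back end, HMAC-SHA256 stands in for a real digital signature, and every table, key, and function name is hypothetical.

```python
import hashlib
import hmac
import sqlite3

# Assumption: a publisher-held HMAC key stands in for a code-signing key pair.
SIGNING_KEY = b"constructed-demo-key"


def sign(code: str) -> str:
    """Return the publisher's tag over one stored code element."""
    return hmac.new(SIGNING_KEY, code.encode(), hashlib.sha256).hexdigest()


def build_store() -> sqlite3.Connection:
    """Constructed sample data: template code kept as BLOBs next to a tag."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE templates (name TEXT PRIMARY KEY, code BLOB, sig TEXT)")
    for name, code in (("header", "result = 'Welcome, ' + user"),
                       ("footer", "result = 'Page served to ' + user")):
        db.execute("INSERT INTO templates VALUES (?, ?, ?)",
                   (name, code.encode(), sign(code)))
    # The footer is edited directly in the database after it was signed.
    db.execute("UPDATE templates SET code = ? WHERE name = 'footer'",
               (b"result = 'edited after signing'",))
    return db


def run_template(db, name, user, require_signature=True):
    """Load a code element from the database and execute it.

    An OS-level signed-code policy would only inspect the program file that
    contains this function; the check below is what covers the BLOB itself.
    """
    row = db.execute("SELECT code, sig FROM templates WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        raise KeyError(name)
    code, sig = row[0].decode(), row[1] or ""
    if require_signature and not hmac.compare_digest(sign(code), sig):
        raise PermissionError(f"template {name!r} does not match its signature")
    scope = {"user": user}
    exec(code, {}, scope)  # mirrors the publishing system running stored code
    return scope["result"]


if __name__ == "__main__":
    store = build_store()
    print(run_template(store, "header", "alice"))
    print(run_template(store, "footer", "alice", require_signature=False))
```
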

These issues are exclusively of concern to Corporate IT people and consultants operating in this space. However, code-signing issues may affect a much larger swath of the PC-using population, since:

  • Whistler is designed to bridge the gap between Windows 2000 and ME,
  • P2P applications may take off in either the corporate or home use market segments, and
  • Corporations may be forced to impose greater security on the home PCs of people who telecommute, as a result of VPN exploits like those that have plagued Microsoft recently.

P2P Applications

We must admit that we are casual observers of this part of the software market, but we wonder how a code-signing regime like the one that Microsoft is reportedly contemplating would affect P2P applications like RadioUserland and Groove. At this point, we can only wonder, since we are not users of either application.

Copyright © 1995-2010, CTDATA Ventures. All Rights Reserved.