Wednesday, August 16, 2006

EV and RMS and Uncle Bill - Oh my!

So recently I've been playing with Microsoft's Rights Management Services products and their interactions with our beloved EV. Turns out that EV plays well with others. Sweet!

The first hurdle was getting the RMS system set up; you can download all the bits from here. You're gonna need the server portion (for those of you playing along with the home game), the client portion, and don't forget to grab the IE add-on; it'll come in handy later.

When you pull the files down and install them, you'll notice that there are several help files installed. Pull up the main one and go to the "Quick Start Guide"; that's a good place to start. The file mentions several pre-reqs that you'll need to install, but you're a seasoned EV admin so you eat pre-reqs for breakfast, right?

Once those are set up, the guide will walk you through provisioning the first server in the AD, and here's where (at least philosophically) I run into some issues. I know that in any crypto environment you need an issuing authority. Well, of course this is crypto. Remember all the old interfaces that MS built into Office to crypto the hell out of your docs? RMS is all that with a server service and a healthy dose of rights added on top. No bag of chips, sorry.

Anyway, to paraphrase Henry Ford, you can choose any issuing authority you want to, as long as it's Microsoft. Ugh. Now, don't get me wrong, as an ex-Softie I love them, but I've never been blind to their faults, and while they can do a lot of stuff really well, let's just say that maybe they're a little... well... security challenged. Not like the VA system of course, but still.

Do you want your crypto and rights management to seamlessly integrate with Office and AD? You say you want EV to snuggle up in bed with this system and get all cozy? OK, but you have to hand the master keys over to Uncle Bill.


Yup, at any time that Microsoft wants to, they could (possibly) revoke your certificate and shut down your access to your own information. Or better yet, they could break into those oh-so-protected files and peek at the contents. Of course, the install docs come with a nice little disclaimer that they won't do this without direct orders from a judge. Oh, OK then, that's better.

Or not. Used to be, a long time ago, like last summer, that you could use Windows Media Center to record episodes of HBO's Sopranos. Nice! You could even go so far as to burn those episodes to CD/DVD and watch. Keep in mind that this isn't illegal. Laws of Fair Use clearly state that this is legal as long as you aren't selling those copies. You paid for the episode when you subscribed to HBO and you can make a personal recording and transcribe it to any media you want. Just don't sell it.

Well, lo and behold, HBO didn't like this. So along comes a critical update for Media Center that breaks your ability to burn episodes of Sopranos to discs. Oh, you can still record them in Media Center, but that's where the data stops. So sorry.

Now where did I put that master key??


