Microsoft Privileged Certificate Technology Requirements

Application code submitted to a certificate authority to be signed with a privileged certificate shall comply with the following requirements:

A. Application code shall not:

  1. Modify the value or function of any security policy, including without limitation, any of the security policies accessible through the Security Policy CSP
  2. Modify any keys or name/value pairs in the following registry locations:
    1. HKLM\Drivers
    2. HKLM\Hardware
    3. HKLM\Init
    4. HKLM\Comm
    5. HKLM\Security
    6. HKLM\System
  3. Modify, add, or remove any certificates in the following CAPI stores:
    1. Privileged Execution Trust Authorities
    2. Unprivileged Execution Trust Authorities
    3. Software Publisher Certificate
  4. Modify the application and certification revocation lists
  5. Send any device configuration messages to the CM, block any device configuration messages being sent to the device, or modify the device configuration system
  6. Access or modify the Metabase, the Metabase CSP and the underlying database
  7. Modify or circumvent any DRM protection of any device, content, or applications
  8. Overwrite or shadow any system files
  9. Modify any part of the ROM image
  10. Modify the boot sequence
  11. Access any part of the device hardware through any means other than the APIs published in the Software Development SDK for the particular version of the MS Smartphone software.

B. Application code shall only:

1. access and use those APIs that are listed in the Software Development Kit (“SDK”) for the particular version of Microsoft Smartphone Software (e.g., 2002, 2003, etc.);

2. access and use DeviceIDs and other device information only through system APIs listed in the SDK for the particular version of the Smartphone Software;

3. access and use file systems through the file system APIs listed in the SDK for the particular version of such Microsoft Smartphone Software.

C. Notwithstanding the requirements set forth in A and B of these Microsoft Privileged Certificate Technology Requirements, device driver application code may:

1. Solely to the extent necessary for making the hardware peripheral device functional, modify the keys or name/value pairs in the following registry locations:

a. HKLM\Drivers

b. HKLM\Hardware

c. HKLM\Init

2. Solely to the extent necessary for the development of the device driver:

a. access and use any of the Smartphone Software APIs

b. access the device hardware directly using means such as assembly code or direct memory manipulation