
There are vulnerable bootloaders signed with the UEFI CA. Disabling a less heavily vetted CA on devices that are being sold as basically hardened makes sense. But yeah, one aspect of it might be making it easier for enterprises; that's a large focus.


Well that's what the revocation list is for, but yes I can imagine choosing the nuclear option of just dropping the CA is attractive because it's less work for everyone involved.


There are also vulnerable bootloaders signed with the MS production CA. The DBX set is not just shim hashes, you know.

If MS distrusts its own ability to vet other people's code, why trust their ability to vet their own code?


> If MS distrusts its own ability to vet other people's code, why trust their ability to vet their own code?

If you want to do the legwork yourself, feel free to roll your own PKI and sign things you trust yourself.


This fails to answer the question.


It was a leading question, the answer to which only you can know based on your threat model. I did however say what you can do if you don't trust Microsoft, which also makes the question quite irrelevant.



