> I guess my point is that it's unreasonable to expect a manufacturer to ship a computer with a bunch of certificates. I'd even say that it wouldn't be that secure.
How exactly do you think a root trust should be established? Should it just boot up and start grabbing whatever certificates it thinks might be authentic over the network?
But the issue is that if there's a "root" certificate installed, then we're more or less in the current situation, where MS has that root certificate and anyone else who wants to have a bootloader must get it signed by MS.
Sure, there could be some kind of "neutral" entity in charge of this, but the issue remains.
Then there's also the issue of managing certificate revocations. Don't know how that works, currently. Maybe via firmware updates? But then, older computers are SoL.
Instead, what I think should be done, is to improve the workflow and documentation for installing one's own certificates. It's what I do on my own PC to run Arch (whose bootloader is not signed by MS) and I also signed MS's certificates so I can dual-boot. But the whole process is somewhat involved, it's not a simple "click a few buttons and you're done" kind of deal.
How exactly do you think a root trust should be established? Should it just boot up and start grabbing whatever certificates it thinks might be authentic over the network?