On Mon, Jun 21, 2021 at 12:54:31PM +0000, Steve McIntyre wrote:
> [ Apologies, missed this last week... ]

No need to apologise: I appreciate the detailed answer.

> > - do you know any other alternative CA besides Microsoft [...]

> I've been in a number of discussions about this over the last few
> years, particularly when talking about adding arm64 Secure Boot and
> *maybe* finding somebody else to act as CA for that. There's a few
> important (but probably not well-understood) aspects of the CA role
> here:
> 
>  * the entity providing the CA needs to be stable (changing things is
>    expensive and hard)
>  * they need to be trustworthy - having an existing long-term business
>    relationship with the OEMs is a major feature here
>  * they need to be *large* - if there is a major mistake that might
>    cause a problem on a lot of machines in production, the potential
>    cost liability (and lawsuits) from OEMs is *huge*

This makes sense. It still feels... weird to have one company do
it who has a bone to pick in the market.

Watching Oracle/Java doesn't give me good feelings about that.
It is even much more fundamental, because it's more or less all
of the "general purpose computing devices" we are talking about
here.

> There are not many companies who would fit here. Intel and AMD are
> both very interested in enhancing trust and security at this kind of
> level, but have competing products and ideas, for example.

That's why I think this shouldn't be done by "a company", but by
a non-profit industry consortium, of which there are enough examples
around.

> > - is there any internationally legal binding of Microsoft for
> >   them to provide that service in the future, in a fair and non
> >   discriminatory way?
> 
> That is a question I *can't* answer as I've not seen anything
> personally. But I would be shocked if agreements like that have not
> been made with various vendors.

This can cut both ways. Vendors have interests (and be it that other
competing vendors be kept out of the market). If things don't happen
transparently...

> Having worked with Microsoft and a number of representatives from the
> Linux distros, I *can* confirm that Microsoft care about Linux and SB
> working well. Hell, they're even using SB (shim, etc.) themselves for
> their own small Linux distro. That's not a *guarantee* of future
> goodwill, but they're not about to break things here on a whim.

Winds change. The above example of Oracle/Java (as that horrible SCO
saga, remember?) should teach people some care...

Colour me... sceptical.

Cheers
 - t
