On Sat, Jun 2, 2012 at 10:04 PM, BRM <[email protected]> wrote:
>> From: Michael Mol <[email protected]>
>

[snip]

>
> In theory that's how key signing systems are supposed to work.
> In practice, they rarely implement the blacklists as they are (i) hard to
> maintain, and (ii) hard to distribute in an effective manner.

Indeed. While Firefox, Chromium, et al check certificate revocation
lists, Microsoft doesn't; they distribute them as part of Windows
Update.

>
> Honestly, I don't expect SecureBoot to last very long.
> Either MS and the OEMs will be forced to always allow users to disable it,
> or they'll simply drop it - kind of like they did with TPM requirements
> that were talked about 10 years back and never came to fruition.

TPM is still around for organizations which can use them. And,
honestly, I've been annoyed that they haven't been widespread, nor
easy to pick up in the aftermarket. (They come with a random number
generator...just about any HRNG is going to be better than none.)

I see something like SecureBoot as being useful in corporate and
military security contexts. I don't see it lasting in SOHO
environments.

[snip]

>> What kind of signature is the bootloader checking, anyway?
>
> Regardless of the check, it'll never be sufficient.

Sure; ultimately, all DRM solutions get cracked.

-- 
:wq
