> From: Michael Mol <[email protected]> >On Sat, Jun 2, 2012 at 10:04 PM, BRM <[email protected]> wrote: >>> From: Michael Mol <[email protected]> >[snip] >> In theory that's how key signing systems are suppose to work. >> In practice, they rarely implement the blacklists as they are (i) hard to >> maintain, >> and (ii) hard to distribute in an effective manner. > >Indeed. While Firefox, Chromium, et al check certificate revocation >lists, Microsoft doesn't; they distribute them as part of Windows >Update.
Which can then be intercepted by IT in any IT department that stages Windows Update using their own servers. >> Honestly, I don't expect SecureBoot to last very long. >> Either MS and the OEMs will be forced to always allow users to disable it, >> or they'll be simply drop it - kind of like they did with TPM requirements >> that were >> talked about 10 years back and never came to fruition. > >TPM is still around for organizations which can use them. And, >honestly, I've been annoyed that they haven't been widespread, nor >easy to pick up in the aftermarket. (They come with a random number >generator...just about any HRNG is going to be better than none.) Yes TPM (originally named Palladium) is still around. However its use is almost non-existent. When it was proposed, it was to include "SecureBoot" and enable secure Internet transactions, etc. None of that came to fruition. Now, after over a decade of ignoring it, they are trying it one step at a time, first with SecureBoot. >I see something like SecureBoot as being useful in corporate and >military security contexts. I don't see it lasting in SOHO >environments. Certain environments as you say may find it useful; but then those environments already have very stringent controls over the computers in those environments, often to the inability of people to do their job. >[snip] >>> What kind of signature is the bootloader checking, anyway? >> Regardless of the check, it'll never be sufficient. >Sure; ultimately, all DRM solutions get cracked. TPM and SecureBoot will by design fail. We'll see if SecureBoot actually even makes it to market; if it does, expect some Class Action lawsuits to occur. Ben
