1 |
> From: Michael Mol <mikemol@×××××.com> |
2 |
|
3 |
>On Sat, Jun 2, 2012 at 10:04 PM, BRM <bm_witness@×××××.com> wrote: |
4 |
>>> From: Michael Mol <mikemol@×××××.com> |
5 |
>[snip] |
6 |
>> In theory that's how key signing systems are suppose to work. |
7 |
>> In practice, they rarely implement the blacklists as they are (i) hard to maintain, |
8 |
>> and (ii) hard to distribute in an effective manner. |
9 |
> |
10 |
>Indeed. While Firefox, Chromium, et al check certificate revocation |
11 |
>lists, Microsoft doesn't; they distribute them as part of Windows |
12 |
>Update. |
13 |
|
14 |
|
15 |
Which can then be intercepted by IT in any IT department that stages Windows Update using their own servers. |
16 |
|
17 |
|
18 |
>> Honestly, I don't expect SecureBoot to last very long. |
19 |
>> Either MS and the OEMs will be forced to always allow users to disable it, |
20 |
>> or they'll be simply drop it - kind of like they did with TPM requirements that were |
21 |
>> talked about 10 years back and never came to fruition. |
22 |
> |
23 |
>TPM is still around for organizations which can use them. And, |
24 |
>honestly, I've been annoyed that they haven't been widespread, nor |
25 |
>easy to pick up in the aftermarket. (They come with a random number |
26 |
>generator...just about any HRNG is going to be better than none.) |
27 |
|
28 |
|
29 |
Yes TPM (originally named Palladium) is still around. However its use is almost non-existent. |
30 |
When it was proposed, it was to include "SecureBoot" and enable secure Internet transactions, etc. |
31 |
None of that came to fruition. Now, after over a decade of ignoring it, they are trying it one step at a time, first with SecureBoot. |
32 |
|
33 |
|
34 |
>I see something like SecureBoot as being useful in corporate and |
35 |
>military security contexts. I don't see it lasting in SOHO |
36 |
>environments. |
37 |
|
38 |
|
39 |
Certain environments as you say may find it useful; but then those environments already have very stringent controls |
40 |
over the computers in those environments, often to the inability of people to do their job. |
41 |
|
42 |
|
43 |
>[snip] |
44 |
>>> What kind of signature is the bootloader checking, anyway? |
45 |
>> Regardless of the check, it'll never be sufficient. |
46 |
>Sure; ultimately, all DRM solutions get cracked. |
47 |
|
48 |
|
49 |
TPM and SecureBoot will by design fail. |
50 |
We'll see if SecureBoot actually even makes it to market; if it does, expect some Class Action lawsuits to occur. |
51 |
|
52 |
Ben |