1 |
On Sat, Jun 2, 2012 at 10:04 PM, BRM <bm_witness@×××××.com> wrote: |
2 |
>> From: Michael Mol <mikemol@×××××.com> |
3 |
> |
4 |
|
5 |
[snip] |
6 |
|
7 |
> |
8 |
> In theory that's how key signing systems are suppose to work. |
9 |
> In practice, they rarely implement the blacklists as they are (i) hard to maintain, |
10 |
> and (ii) hard to distribute in an effective manner. |
11 |
|
12 |
Indeed. While Firefox, Chromium, et al check certificate revocation |
13 |
lists, Microsoft doesn't; they distribute them as part of Windows |
14 |
Update. |
15 |
|
16 |
> |
17 |
> Honestly, I don't expect SecureBoot to last very long. |
18 |
> Either MS and the OEMs will be forced to always allow users to disable it, |
19 |
> or they'll be simply drop it - kind of like they did with TPM requirements that were |
20 |
> talked about 10 years back and never came to fruition. |
21 |
|
22 |
TPM is still around for organizations which can use them. And, |
23 |
honestly, I've been annoyed that they haven't been widespread, nor |
24 |
easy to pick up in the aftermarket. (They come with a random number |
25 |
generator...just about any HRNG is going to be better than none.) |
26 |
|
27 |
I see something like SecureBoot as being useful in corporate and |
28 |
military security contexts. I don't see it lasting in SOHO |
29 |
environments. |
30 |
|
31 |
[snip] |
32 |
|
33 |
>> What kind of signature is the bootloader checking, anyway? |
34 |
> |
35 |
> Regardless of the check, it'll never be sufficient. |
36 |
|
37 |
Sure; ultimately, all DRM solutions get cracked. |
38 |
|
39 |
-- |
40 |
:wq |