We are supposed to trust the CA that issues the EK certificate. The chain of trust from
this point on allows creation of other keys for signing and storage. But what if we are
not sure if the CA for the EK is 100% trustable given that the TPM vendor is not totally
trustable? Is there any way to trust all the latter key creations?
The spec says users can create their own EK and use their own CA to certify it. Can this
approach solve the above problem?