*countable infinities only
pjones at redhat.com
Thu May 31 19:53:55 UTC 2012
On 05/31/2012 02:55 PM, Chris Adams wrote:
> Once upon a time, Peter Jones<pjones at redhat.com> said:
>> That's why we didn't simply ask vendors to ship our key. That would be
>> /less/ equitable to other distributions than the solution we're looking at
>> right now.
> Has any thought been given to setting up group between various Open
> Source distributions (Linux, BSD) to be a Secure Boot signer (with
> security-oriented rules about what gets signed, probably similar to
> whatever Microsoft is using today) and then getting vendors to include
> the master key along site Microsoft's?
Yeah, that was discussed. We tried to get LF to do it, and they looked into
it and basically they're not interested.
I can't speculate as to their reasons, but running a CA is *incredibly*
expensive, there's a significant tort liability, and there's not a clear
advantage to that over using MS's CA. We'd be in exactly the same position,
just with a different signer who can't afford to subsidize the cost - $99
one time cost to join is, as I understand it, a significant discount from
MS's costs to operate it. And you'd still have many of the same problems -
you'd still have to be in the "verify that you're who you say you are when
you join" game, for example. So in that scenario it'd cost significantly
more and we'd have somebody set up effectively as a simultaneous competitor,
in terms of capabilities required to do an effective job, to Verisign and
Dun & Bradstreet.
Plus these discussions were happening right as kernel.org was down because
they got rooted badly, so their track record was somewhat suspect as to whether
they'd even be able to pull off a CA that could be trusted.
So, I mean, if you want to get in that business, feel free to pitch it as
a startup. I don't need credit for the idea.
More information about the devel