(In reply to Michal Suchanek from comment #19)
> Or just verify everything with the platform keyring. It's trusted for kernel
> verification, anyway. Why that distinction?

I agree. As noted above, I fail to understand what additional security upstream's MokListTrustedRT buys us. Repeating my previous question, why would anyone put keys into MoK which they don't trust?

And while it's somewhat understandable that some people might not want to trust Microsoft's keys in the db (because of general contempt for Microsoft or what not), doing so doesn't provide any extra security, either. After all, the firmware has already been verified by just these keys.