On Wed, 06 Jun 2012 21:19:28 +0200, Bruno Friedmann wrote:
So what if SUSE/openSUSE were to get a signing key signed by Verisign, allowing OBS to issue signing certificates that had a valid chain of trust back to a CA that's on the 'approved' list?
Seems that if OBS could just sign kernel images with a valid certificate, that might solve the problem. It might introduce another issue, though - that of someone using OBS to build a 'malware' kernel that was signed by OBS.
Even better, help CAcert to get a sub-CA key that works with UEFI, and then use that free & open circle of trust.
There's an idea. Since the certificates issued to sign OBS-project builds would be individual certs, if a malware build was released, the key could be revoked, problem solved (as long as UEFI supports certificate revocation).

Jim

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits