On Thu, 07 Jun 2012 13:17:41 -0400, Andrew Joakimsen wrote:
> This would kind of defeat the purpose... Then anyone could take this bootloader and boot everything.
> It will get the certificate revoked quite fast (although I do not know how they do it).
> So wouldn't the certificate be revoked if we put it in the OBS and SuSE Studio and let anyone sign their stuff?

If you're referring to the idea I suggested, I wasn't suggesting that a single certificate be used for all of OBS and Studio, but rather that there be a CA server with a trusted chain back to Verisign, and that upon request, Studio and OBS could issue a unique certificate with a valid chain of trust back to Verisign that could be revoked by OBS/Studio if it were abused in some way.

But that assumes that CRLs could be used by UEFI, and it's not clear to me that they could be - since it's implemented in hardware and updating the CRL would require Internet connectivity.

Jim

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits