On Wed, 06 Jun 2012 20:57:19 +0200, Pascal Bleser wrote:
It seems to me to be essentially the same as when you want a TLS certificate for e.g. doing HTTPS: you send a request to a root CA (Certificate Authority) (such as Verisign, Thawte, ...), pay a fee, and they send you back your certificate, signed by them.
In the same way as e.g. Verisign's CA certificate (which is used to verify that _your_ certificate has been signed by their private key) is included in all the CA certificate bundles (by Mozilla for Firefox, by Google for Chrome, by Opera for Opera, for the operating system, ...), Microsoft's CA certificate (or its technical equivalent in UEFI) is included and, hence, trusted, by hardware vendors. I don't know whether there are other CAs that can be asked to sign our openSUSE release images though.
So, about "one time or not": it is one time for each openSUSE release image we want to be installable on hardware that uses UEFI.
For custom images, such as those created by SUSE Studio, it's toast, indeed.
So what if SUSE/openSUSE were to get a signing key signed by Verisign, allowing OBS to issue signing certificates that had a valid chain of trust back to a CA that's on the 'approved' list? Seems that if OBS could just sign kernel images with a valid certificate, that might solve the problem. It might introduce another issue, though - that of someone using OBS to build a 'malware' kernel that was signed by OBS. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org To contact the owner, email: opensuse-project+owner@opensuse.org