It's dead, Jim! (UEFI CA expiry)
19 points by legoktm
19 points by legoktm
Chasing the "previously on..." links back to the source gives you some context for why this is actually interesting.
What's the point of UEFI SecureBoot key expiry? Is this just a dance we're all supposed to do every 10 years? What attack vectors are we protected from where 10 years is too short?
Cryptography evolves, there might be new attacks in 15 years time. Although the 2011 certificate already used sha256 signatures with a 2048-bit RSA key, which AFAICT is still unbreakable today, so this particular key rollover didn't improve security in any way (other than invalidating all old signatures, but that can be done with DBX updates anyway)
I don't know how the 15 years number was chosen though.
If you can update the devices' firmware to support new cryptography, you can also make it not trust the now-insecure cryptography.
It's amazing to me that people still do "Secure" Boot with Microsoft keys as if it's not pure security theater.
Why is it theater? I only use it on my travel laptop, but it’s annoying, so if not useful would prefer to disable it.
It boggles my mind that so many FLOSS systems boot only by the grace of Microslop.
Why is this still the case? No FOSS org has bothered to create a certificate, or they’ve not been able to get it put in proprietary firmware?
What about coreboot devices?