xg15 4 days ago
> So, uh, what's the story here? Why is there any engineering effort going on at all? [...] Microsoft will shortly start signing things with a new certificate that chains to a new root, and most systems don't trust that new root. [...] If something is signed purely with the new certificate then it won't boot on something that only trusts the old certificate (which shouldn't be a realistic scenario due to the above), but if something is signed purely with the old certificate then it won't boot on something that only trusts the new certificate.

So, dumb question: If the expiry dates are not enforced, why rotate the certificates at all?

The only consequence of Microsoft introducing new keys seems to be that compatibility with old software and systems will over time become worse. But what's the upside - or the actual threat model this is defending against?
Harvesterify a day ago
The rotation is not related to the UEFI capability to check/enforce the expiration, but to the capability to sign future shim/OpROMs/drivers/bootloaders.
WhyNotHugo 4 days ago
I suspect new hardware will need to have only the new certificate if they want some sort of compatibility certification.