* Marty: > What I call "the manifesto" [1] claims that UEFI SecureBoot is needed > in a "post Snowden World."
I don't think it's true. Apple and some Android devices are already locked down very tightly, and it is not clear that this has helped to protect users' privacy and prevent access to stored information without their authorization. Independent of that, we previously discussed the Microsoft Secure Boot policy change/clarification: <https://lists.debian.org/debian-project/2014/01/msg00042.html> The referenced policy keeps changing (the article has been revised a couple of times since publication). The current iteration approximately matches which was discussed in the thread on debian-project. (An older version required use of an EV-compliant code signing CA for the embedded CA certificates, which means FIPS 140-2 Level *3*, which is really expensive to implement.) There is also the larger policy question if we want platform lockdown through a cryptographically verified boot process, and cryptographically secured userspace, including remote attestation capabilities. Mozilla has announced that they plan to add DRM support to Firefox: <https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/> Coupled with remote attestation, this could enable web site operators to restrict access to client devices which use vendor keys and run authorized Firefox binaries only. In this possible outcome, the ability of device owners to enroll their own keys would be increasingly meaningless because once you do that, you'd lose access to lots of online content (probably even your Gmail inbox—because an unauthorized browser could have automation to accelerate sending spam). -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87d29dttu2....@mid.deneb.enyo.de
