Implementing UEFI Secure Boot in Fedora

Distributing vendor keys to every hardware manufacturer on the planet is eminently unscalable, of course. It is clearly in the general interest that the keys that every system needs to carry come from an independent signing body. A vendor like Microsoft could change its policies overnight for a variety of reasons.

The first alternative that comes to mind is a hardware manufacturers association like the PCI-SIG. The IEEE sounds like a reasonable possibility as well. Another option might be to have a centralized body carry only a list of keys that "every" device should carry, and have the actual signing be done by independent key signing authorities like Verisign. Decide on a realistic number of standard authoritative keys (a dozen perhaps) and let KSAs bid for the privilege of providing one of them.

Of course it would nice to have a trusted non-profit KSA, provided one could come up with the necessary resources to operate one. If a sufficient number of vendors agreed, they could form a non-profit KSA and dispense with the need for independent for-profit KSAs to do the job instead. Either way, some independent organization needs to be in charge of the list of keys to be installed on essentially every device.