My point wasn't a legal one but an economic one. Every additional legal obligation that the manufacturer/distributor faces introduces a compliance cost. Even if Canonical could never be placed in a position where it would be forced to respond and release the key, it does not benefit Canonical to make the distributor's life any harder. With Grub2 a licensed Canonical partner (and to presumably be able to use the trademarks and marketing materials associated with that) has to (at least):
a) Follow all the MSFT standards
b) Test and verify the selected hardware with Ubuntu
c) Have an open source compliant installed system
d) Have an open source compliant firmware implementation (that allows users to disable secure boot)
(d) may not seem like much, but I would speculate that Canonical could indemnify the distributor for (c) by saying "use *THIS* disk image, and throw our business card in the box, and we will take all the associated legal liability for open source compliance," but if they were to indemnify (d) then Canonical probably could be forced to give away their key. Since Canonical make that offer (and retain the functionality of secure boot/not have their keys disabled by MSFT) they would have to leave that liability with the distributor, and the added liability might be enough that some distributors would rather just ignore this smaller market.
MSFT has the advantage of being in a position of market power and can force companies to accept their terms. Linux distributors don't have that power and have to negotiate. I suspect not having GPLv3 bootloaders helps Canonical's negotiating position, and the EFF didn't consider that in their statement. That was my original point (in far fewer words).
PS Interestingly, there are now reports that the SFLC gave Canonical a letter indicating that the keys would have to be turned over in some scenarios. We will probably never know, but I'd bet it has something to do with an indemnification clause in whatever agreements Canonical signs with its distributors. The EFF is obviously technically correct that there would be no way the violations of one party could force an unaffiliated 3rd party to give away signing keys, but I doubt "unaffiliated 3rd party" accurately describes the relationship between Canonical and its distributors. So I don't think this is FUDing.