Posted Sep 23, 2012 22:46 UTC (Sun) by hummassa (subscriber, #307)
In reply to: LSS: Secure Boot by nix
Parent article: LSS: Secure Boot
YES, Please.
People imagining these schemes forget that crypto keys are leaked and recovered all the time IRL. And that if you are not a government, you can always use the wrench method. https://xkcd.com/538/
Posted Sep 24, 2012 3:50 UTC (Mon) by raven667 (subscriber, #5198)
I'm sorry, are you asserting that Verisign and other major entities are leaking their root keys all the time? We're not talking about passwords for your disk encryption, we're talking about real professionally managed CAs. If some vendor's signing infrastructure were compromised to sign arbitrary binaries, like the DigiNotar incident, then that subroot can be blacklisted without affecting other vendors. The root has to sign so very few things that it has very little attack surface area.
LSS: Secure Boot
Posted Sep 24, 2012 8:41 UTC (Mon) by nix (subscriber, #2304)
Several major keys from various CAs have been compromised already: more will come. If this scheme really gets going, these keys will be a *major* target -- do you really imagine that nobody with sufficient resources to get a copy won't try? (Perhaps, if they are sufficiently clever and lucky, they might even arrange to get the *only* copy: that'd be amazingly useful to extort money from MS with, though very hard since I'm sure MS have lots of backups).