However, as of today, there probably isn't a single independent organization that is set up to run an operation like this. So the vendors that care are likely to have to either establish a new non-profit key signing authority, persuade an existing non-profit like the Apache Foundation to take on the job (with the appropriate contributions of time and resources), or establish a private for-profit key signing model where multiple independent, for-profit KSAs (think Verisign) have the ability to validate and sign binaries on a fee for service basis.
As it stands, from a multi-vendor point of view, it is unbelievable how poorly this was thought out. It is so bad that the whole scheme could probably be shut down on anti-trust grounds alone. It is a de facto conspiracy in restraint of trade.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds