On 8/2/20 1:19 PM, John Pierce wrote:
One of the things that bugs me about PKI trust chains like this, what happens if the unthinkable happens, and Microsoft's RootCA gets compromised and has to be revoked... does that mean every single piece of UEFI hardware out there needs a BIOS upgrade?
Yes. They'll be vulnerable to malware signed by the old CA until they're updated.
That's better than systems without a PKI trust chain, which are vulnerable all of the time.