On 03/27/2013 09:25 AM, m.roth at 5-cent.us wrote: > why is it that the OEM does not provide the UEFI key with the > hardware FOR THAT BOARD AND UEFI, rather than have it provided by M$? Because then you'd have to install a version of Windows (or any other OS) signed FOR THAT BOARD AND UEFI. Secure Boot has its design rooted in x509, just like SSL. There could be more than one trusted CA, and will be when users install one of their own. However, the more CAs there are, the greater the risk of malware being signed and compromising the security of the system. MS doesn't provide the signing service, anyway. Verisign does.