RedHat intends to distribute/register signing keys for RedHat and Fedora boot-loaders. The plan seems to be to require one more hoop for distros to jump through to boot on future systems. The idea is that signed boot-loaders will increase security. I see an unholy mess, another layer of complexity in IT that is not really necessary for folks with physical security of their IT.
I work a lot with LTSP. Anything that makes it more difficult to boot a client machine is unwelcome. Is every OEM on the planet going to host thousands of signatures for every existing and future distro on the planet? No. This raises the barrier to entry for new distros, too. No longer will a new distro be able to boot on every hardware in existence. The idea that this kind of security will be “easy” is insane. If it were “easy” it would not be secure at all. Does anyone believe the malware artists won’t open their own key markets? Will keys that are compromised be recalled, killing many installations on a whim? Depending on M$ and its OEM-”partners” to facilitate the spread of FLOSS is madness.
“Some conspiracy theorists bristle at the thought of Red Hat and other Linux distributions using a Microsoft initiated key registration scheme. Suffice it to say that Red Hat would not have endorsed this model if we were not comfortable that it is a good-faith initiative.”
How soon they forget. Why trust compulsive serial bullies?