> On 12/22/22 15:39, Lennart Poettering wrote: > > > > Well, the thing with a chain of trust is the fact that the only chain > the user can trust is the one that he himself or the host device he owns > and operates generated that trust of chain, from link 0 in that chain. ( > And we all know how browsers handle self signed certificates who are no > less secure than those issued ) > > If the user does not generate or otherwise have control over *all* the > links in the trust chain, that chain cant be considered trusted now can > it, which in turn begs the question why partake in this industry > security theater which may brick or otherwise make the end users life > more miserable or even exclude certain types of devices, if in the end > of the day, the host or the end user is not "secure" for it. > > Are those efforts truly for the end user or just to meet some > industry/government requirements ( some governments require backdoor > entrance(s) from vendors for "lawful inspection", backdoor(s) that might > be implement or otherwise supported in the trust chain itself if the > host or user has not full control over that chain ). For the vast, vast, vast majority of users a chain of trust that anchors to the device manufacturer is more than enough, and solves real-world problems with rootkits and such things. End users have to trust the hardware vendors anyway. For the tiny minority of use cases where that is not enough (and I'm pretty sure nobody here is actually interesting enough to fall into that group) rolling your own PK is always possible. Seriously, this "debate" is no longer a debate, it's been done and dusted in the 15 years or so secure boot has been a thing, it's been over for a long while and it's really time to stop rehashing tired and debunked nonsense. We have more important things to do. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
