On 5/2/16, dj@deadhat.com <dj@deadhat.com> wrote:
The CA that needs to exist would the the USB-IF.
Who cares what CA exists. So long as it is *optional* to the user. Remember SecureBoot... You can find many motherboards with SecureBoot that have the Microsoft PK's locked in the BIOS. Best you can do is 'disable' it and not be 'secure' anymore. The Linux crowd went apeshit over it, and rightfully so. Then they dropped to their knees and wrote silly stub loaders and submitted them to their Microsoft Overlord for signing. They are still submitting to this scheme today, even though they don't have to... Because if you look, you can find boards that allow completely deleting the Microsoft keys and installing and managing your own in the BIOS, and opensource tools to sign and authorize your own loaders do exist. Buy those boards instead. Tech can be useful, but you better fight for, select, and maintain your private right and control over it.