One thing is not clear to me: Does "signing by Microsoft" mean that Fedora will provide Microsoft with the binary bootloader and Microsoft will return what Fedora can only hope is a signed, but otherwise unmodified copy of it, or will Microsoft provide a signing key that the Fedora project can use to sign its bootloader using open-source software?

Because the first option, to be quite frank, sounds beyond unacceptable to me.