Someone wrote in [personal profile] mjg59 2012-06-08 05:03 pm (UTC)

People are stupid as usual

>>cleverly designed binary may be able to validate even though it contains unsigned code

Someone can just write and sign the bytecode interpreter. Then what? Even though the interpreter itself is not malicious, it could be used for malicious purposes. Where do you draw the line? Will you ban thin hypervisors because some flaw could allow unsigned VM code to change something on the host?

>>People desperately want to believe that the Secure Boot implementation is fundamentally
>>broken, and that's just not true.

But it is true. The Certificate Authority system is broken. Adding a 3rd party to a chain of trust reduces security by increasing the number of entities you implicitly trust. The whole CA thing is just a money-raking scheme, a big boys' club membership pass.

>>For starters, you'll need to provide some form of plausible ID for Verisign to
>>authenticate you and hand over access.

Yes, as if someone from Russia or China couldn't do that. Good luck trying to arrest them. Anyway, Verisign wouldn't be the first security company that got compromised.

Verisign has been tricked into issuing certificates in Microsoft's name: http://news.cnet.com/2100-1001-254628.html
Diginotar has been breached: http://isc.sans.edu/diary.html?storyid=11500
RSA has been breached: http://www.nytimes.com/2011/06/08/business/08security.html?pagewanted=all

Microsoft's own certificates were compromised a few days ago and had to be revoked, not to mention that they have allowed the Flame malware to exist and do its bidding. It's almost as if that was a deliberate backdoor waiting to be exploited: http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx

And what if someone with enough determination actually physically broke into Verisign and got the UEFI root CA, thus compromising everything? How is that going to be revoked? Will it require user consent, or will it be a silent, mandatory key update? What will happen with user-added keys? Will you trust the state of a potentially compromised system, or will you zap the key store and just load the new key? Will you have to pay again to sign with a new key?

The whole point of secure boot is not to secure our computers from malicious software (did anyone seriously believe that for one second?), but to secure software and media content that we "the pirates" might try to "steal". Next thing, you won't be able to pass the BIOS boot screen unless the computer is online and can check for updated or revoked certificates. From that point onwards it is just a matter of months before they silently start scanning your data and sending it to them through an out-of-band network channel.
