is this true

swfiua at swfiua at
Mon Oct 3 21:29:20 UTC 2011

On Mon, Oct 3, 2011 at 11:41 AM, Deryl R. Doucette <me at>wrote:

> On 2011-10-03, at 9:59 AM, swfiua at wrote:
> > I know very little about the UEFI implementation, but do know a fair bit
> about public key cryptography.
> >
> > If the UEFI implementation is done right then the keys that are embedded
> in the boot loader should be public keys and, by definition, there is no
> need to keep them secret.
> >
> <snip>
> You have it backwards.
> The stored keys would have to be private keys, and the OS installs would
> have to have the public keys. Not the other way around. And since the
> signing keys

Are you sure?

What we have here is a digital signature:

The OS'es need to be signed using a private key.   Microsoft would keep this
key secret, otherwise anyone can go and sign the OS.

The neat thing about public key is that you can make the key needed to
confirm the signature public -- so anyone can check that the OS really was
signed by the owner of the private key that corresponds to the public key.

So, UEFI only needs the public keys.   If it is storing private keys then it
is worse than useless.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the ubuntu-ca mailing list