I forwarded this to the EFI list, for a response from Intel:

http://sourceforge.net/mailarchive/message.php?msg_id=29329799

-------- Original Message --------
Subject: Re: [edk2] Fwd: Re: UEFI Authenticode Code - is it any good?
Date: Tue, 29 May 2012 08:47:51 +0000
From: Long, Qin <qin.l...@intel.com>
Reply-To: edk2-de...@lists.sourceforge.net
To: edk2-de...@lists.sourceforge.net <edk2-de...@lists.sourceforge.net>

Yes. We are looking at this.
Strictly speaking, it's a workaround solution to provide intermediate certificate support for UEFI Authenticode and secure boot. OpenSSL has no direct support for this; it always tries to verify the whole cert chain. We introduced a callback mechanism (openssl-native) to bypass its strict chain checking, and also try to avoid bringing in more security risks.

For the trusted cert store mentioned below, we used the "authenticated variable" mechanism for this support. It's also an important UEFI security feature. (This is just a clarification for the question in Felix's mail below.)

We also noticed that the OpenSSL community has tried some experiments to add support for this kind of intermediate root. Please refer to the following thread:
http://marc.info/?l=openssl-users&m=128943213002702
Once any formal / official support is ready, we will catch the update.

And if any security risks are found in the current workaround, please let us know, and we will fix them ASAP.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
