Garrett: Secure boot certificate rollover is real but probably won't hurt you

Matthew Garrett has posted a detailed followup toour recent article on the comingexpiration of Microsoft's Secure Boot signing key.

The upshot is that nobody actually enforces these expiry dates - here'sthe reference code that disables it. In a year's time we'llhave gone past the expiration date for 'Microsoft Windows UEFIDriver Publisher' and everything will still be working, and a fewmonths later 'Microsoft Windows Production PCA 2011' will alsoexpire and systems will keep booting Windows despite being signedwith a now-expired certificate. This isn't a Y2K scenario whereeverything keeps working because people have done a huge amount ofwork - it's a situation where everything keeps working even ifnobody does any work.