Today, Jody Cloutier of Microsoft announced upcoming changes to Microsoft’s root certs.
Notice of Pending Microsoft Root Update: On August 18, 2015, Microsoft’s Trusted Root Certificate Program will release a scheduled update to the Trusted Root Store. This update will include the addition of EKUs to roots owned by two current partners of Microsoft’s Trusted Root Certificate Program: Guang Dong Certificate Authority, based out of China, and Government of India, CCA. Microsoft will be enabling Guang Dong’s root, GDCA TrustAUTH R5 ROOT, for EV (Extended Validation); Microsoft will be enabling the Government of India, CCA’s root, CCA India 2015, for Server Authentication and Code Signing. To download the new root package for testing, please visit http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/test
For the most-current list of Program participants and enrolled roots, please see
http://social.technet.microsoft.com/wiki/contents/articles/31634.microsoft-trusted-root-certificate-program-participants.aspx
http://aka.ms/rootcert
(The WindowsUpdate.com URL above doesn’t work for me; perhaps I need to be running Windows, or be a member of the CA/Browser Forum?)
Anyway, this makes me wonder about the new PKI burned into silicon, at multiple levels, see the various PKI used by Intel these days:
firmwaresecurity.com/2015/08/01/book-review-platform-embedded-security-technology-revealed/
But specifically for UEFI, the Secure Boot PKI, any OEM/IHV signed drivers: how do consumers test — via OCSP, CRL, or other mechanisms — that their certs are valid/up-to-date? Same goes for PKI in coreboot used in Chrome, in Verified U-Boot, and most firmware security technologies. If you’re building UEFI with Secure Boot enabled for QEMU/OVMF from source, you can test the certs you’re building with. But once the consumer has a system with all the baked-in certs in the firmware, how does a system administrator test the certs? Most of the crypto-based security features in UEFI (and elsewhere) are only good if you can trust the certs, and you need to be able to check them in order to trust them, over time. I wish I knew the answer. If someone knows the answer, please email me, thanks!
