[fujigawa]

> For-profit companies cannot be in control of these mechanisms.

But they are not in control of Secure Boot.

Microsoft runs a root CA that is pre-installed on most PCs. It could have been Verisign or someone else, but MS made sense at the time, likely because they had additional code signing expertise.

You are free to delete these keys and/or install your own. If there wasn't preexisting infrastructure, Secure Boot would be DOA for most people.

[trinsic2]

Microsoft can force manufacturers to can change the way that works at any time, its vendor specific and they are totally in control, via pressure on manufactures to toe that line if they want to continue sell computers with Windows.

[rightbyte]

> But they are not in control of Secure Boot.

> Microsoft runs a root CA that is pre-installed on most PCs.

How can you write those two statements on two adjacent rows? In practice that makes MS a gatekeeper.