• TeddE@lemmy.world
    3 days ago

    For you and me, that’s fine, but for little johnny first time, it’s adding friction and new points of failure that push the whole idea further away from their comfort zone.

    It could be argued that Microsoft knows this and is deliberately weaponizing people’s insecurities to keep them in line.

    Also, “Been available since 2023” means Microsoft gave distros 2-3 years to implement the new signing keys. Yet they’ll give themselves decades between signing and updating their own root certificates.

    Example: on my work machine, “Microsoft RSA Root Certificate Authority 2017” is valid from 2019 to 2042. It’s valid for 25 years, but it took Microsoft 2 whole years to deploy the certificate within its own structure, specifically to get all the relevant sign-offs needed to issue the cert.