rhboot / shim-review

Reviews of shim

[META] Migration path from 2011 third party CA to 2023 third party CA certificate #443

Open caschulz88 opened 2 months ago

caschulz88 commented 2 months ago

Hey there,

I was wondering if you have already published some kind of migration strategy that all the shim-based projects should apply when switching from the 2011 third party CA certificate and our currently signed shim loader to the 2023 third party CA certificate, which Microsoft already started to roll out on the first machines this spring.

Will there be a choice of which CA a submitted shim should get signed by, or do you plan to do the signing with both CAs for some limited time frame? Will you also publish some best practice guide based on Microsoft's timelines for the third party CA version rollout? I bet Microsoft wants to put the old third party CA on DBX at some point. How can someone make sure they didn't miss anything?

As everybody might be affected by this future situation I wanted to open this thread for discussion and to get some official statement. I couldn't find anything official from Microsoft so far on those questions.

Thanks a lot!

SherifNagy commented 1 month ago

So far, we have no update from MSFT; shim submissions are still signed with the 2011 CA, so I guess we will have to wait until we get new updates. I will keep the ticket open for tracking it.