Matthew Garrett has made a correction in his statement that might make this more palatable:
The last option wasn't hugely attractive, but is probably the least worst. Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access edit: The $99 goes to Verisign, not Microsoft - further edit: once paid you can sign as many binaries as you want), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key.
I see several unaddressed issues with UEFI. One is the signing authority uses certificates from Verisign. 2) There is no alternate signing authority (Thwate is one I like).
Another issue is the problem with installing a system when there is no internet. How can we complete this activity?
The third one has to do with Virtual Machines (VM). If the VM has to also have a certificate, then will it be necessary for the operating system that is installed under VM to need one too?
If I add or remove a printer, or a different hard disk, are these hardware devices going to be secured as well?
With UEFI, what I foresee as a tendency is for operating systems to be deployed on the web, and we will do a remote boot. That way, one source on the web has all the updates and we always have the most recent version. Our data may be local, but we boot mint, fedora, debian, etc, from a website via a remote file system and fast internet.
One justification for UEFI was security. That implies that rights management software such as Selinux and other rights management software will become redundant. That may be a plus if these things do not have to be maintained.
For me, even with UEFI, if you do a dual boot configuration, there is a likelihood that from Linux you may not be able to read your unencrypted Windows Partitions. I share files between Windows 7 and Linux from Linux and would not want to stop doing this.
We think we require hard disks greater than 3 terrabytes each. I think that we are better off with several smaller hard disks, first of all, for rapid access, and secondly, for spreading data across smaller drives which together, give a seamless impression of petabyte storage. SSD's may also change the whole discussion about UEFI.
UEFI bios should be discarded in favor of a TPM. (Trusted Platform Module). The TPM has a microprocessor and functions as a smart card and more. Now someone would tell me that we need both, UEFI and TPM.
Sigh.... A discussion until reality comes to all of us with new hardware.