Product SiteDocumentation Site

1.5.4. Unproven Revocation Procedures

We do not know if the business processes surrounding revocation actually work. Revocations are complex because they have to be synchronized among operating system vendors to support dual-boot configurations. Without such coordination, a signature on a boot path could be revoked before the underlying operating system had a chance to update it. This would leave systems unbootable.
It is not clear under what circumstances Microsoft will issue an unsolicited revocation. Potential revocation reasons are a failure to reach the security objective (that is, execution of unsigned code in kernel mode is possible under lab conditions), or actual exploitation of such a failure to compromise the boot path of Windows 8 systems outside labs. The latter could also apply to Secure Boot workarounds which load unsigned code after user interaction.