I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.
I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.
---
In the web PKI, the "leaf" certificates can be easily chained back to the root CA/trust anchor. If UEFI were sensible, the same thing would be done with secure boot and we could avoid needing to deploy separate KEK and DB/CA certificates and simply include a signed chain (up to the KEK) with every bootmgr. Why don't we? Does it all come down to revocation checks being impractical (but isn't that the case anyway and why we have a DBX)? What's the engineering challenge that makes what we're doing now the "least worst" option?