
Comment What I want to know is (Score 2) 166

Will Microsoft ever give us back the ability to install Win11 fresh without forcing us to give it ownership of our TPM or our Bitlocker recovery key? (`oobe\bypassnro` no longer works.)

By removing this ability, it's basically coercing people who have no choice about running Windows into their Bitlocker recovery key being accessible via the Third Party Doctrine (which holds people have no expectation of privacy of information they -voluntarily- share with third parties). The way Microsoft has implemented it amounts to key escrow on a scale the Clipper Chip could only dream of -- because it's held by one company, and legally accessible via an administrative subpoena, not even a warrant.

Comment Re:uh, no? (Score 1) 255

Prudential uses it (partly for its logging facilities, partly for its ACLs, partly because they know that they can control what information is shown to/used/dealt with/modified by any part of their business).

Philips uses it for internal workflow and business intelligence.

Comment Re:So, what's the big deal (Score 1) 300

There's a middle ground between "entity" and "communications." Yes, it is very difficult to verify that a certificate is being issued to the entity "Bank of America," but it should not be hard to verify that you're issuing a certificate to the domain name www.bankofamerica.com. And the latter is all you need to protect against MITM.

No, it's not. Mozilla knows of at least one instance where a user on a public wifi network had communications with a TLS-secured site MITM'd, and she allowed it by creating a security exception for an unknown CA that issued a certificate to CN=*.
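Added example, not part of the comment above and not code from Mozilla or any browser: a name check that refuses to let a certificate name such as `*` match anything, plus an audit helper that flags over-broad names. The function names, the conservative rules chosen (wildcard only as the whole leftmost label, at least two labels after it) and the sample names are assumptions made for this sketch.

```python
import ipaddress

def wildcard_problem(pattern):
    """Return why a certificate DNS name is too broad, or None if acceptable."""
    labels = pattern.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return None
    if any("*" in label for label in labels[1:]):
        return "wildcard outside the leftmost label"
    if labels[0] != "*":
        return "partial-label wildcard"
    if len(labels) < 3:
        return "wildcard spans every name or a whole top-level domain"
    return None

def name_matches(pattern, host):
    """Match one certificate name against a hostname; broad wildcards never match."""
    try:
        ipaddress.ip_address(host)
        return False  # DNS names, wildcard or not, are not compared to IP literals
    except ValueError:
        pass
    if wildcard_problem(pattern):
        return False
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]  # "*" stands for exactly one label
    return p == h

def audit(names):
    """Return (name, reason) for every name that should be flagged."""
    return [(n, r) for n in names if (r := wildcard_problem(n))]

# Constructed sample names, not taken from any real certificate.
SAMPLE = ["*", "*.com", "www.*.com", "w*.bankofamerica.com",
          "*.bankofamerica.com", "www.bankofamerica.com"]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"FLAG {name!r}: {reason}")
    print(name_matches("*", "www.bankofamerica.com"))                    # False
    print(name_matches("*.bankofamerica.com", "www.bankofamerica.com"))  # True
```

The label-count rule does not catch wildcards over multi-label public suffixes such as `*.co.uk`; that needs a Public Suffix List lookup, which this sketch leaves out.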

Comment Re:Big trouble at PositiveSSL. (Score 1) 300

Comodo's "authorityInformationAccess" only provides an OCSP responder URL, not a CRL. Apple's Keychain doesn't really handle OCSP by default (you have to go into Keychain Access, go to properties, go to the Certificates tab, and select OCSP: Best Attempt).

However, that's a "soft fail" mode, and if you block the OCSP responder host, it'll still allow it both in Firefox and Safari.

Comment Re:Don't do this at home (Score 1) 300

I wish you'd put your two cents in on the dev-tech-crypto@mozilla.org mailing list.

Right now, they're avoiding removing the trust bits because that would essentially mean 3 months of not being able to authenticate Comodo certificates. They claim that it's because they don't want to inconvenience the end-users, but I tend to think that they're doing it because they've been paid not to.
