The 3rd party UEFI CA key is implemented by the Shim, which is an attack vector. To be certified by default for the shim, the workflow is a github issue [0]. This is not necessarily bad, but a vector for social-engineering and more.
If an attacker is signed by the shim, he can execute trusted code on most machines without problems.
IMO it is better to leave this choice to the user to take this risk and enable the shim. Who installs linux should make this choice consciously
Booting via Shim will result in different PCR 7 values, which mean you can ensure that the OS won't boot if an attacker has subverted a signed version of Shim to execute Windows rather than the expected OS.
The 3rd party UEFI CA key is implemented by the Shim, which is an attack vector. To be certified by default for the shim, the workflow is a github issue [0]. This is not necessarily bad, but a vector for social-engineering and more.
If an attacker is signed by the shim, he can execute trusted code on most machines without problems.
IMO it is better to leave this choice to the user to take this risk and enable the shim. Who installs linux should make this choice consciously
[0]: https://github.com/rhboot/shim-review