The answer is in the article I pointed to:
A lot of our users want to build their own kernels. Some even want to build
their own distributions. Signing our bootloader and kernel is an impediment
to that. We'll be providing all the tools we use for signing our binaries,
but for obvious reasons we can't hand out our keys. There are three approaches
here. The first is for a user to generate their own key and enrol it in their
system firmware. We'll trust anything that's signed with a key that's present
in the firmware. The second is to rebuild the shim loader with their own key
installed and then pay $99 and sign that with Microsoft. That means that
they'll be able to give copies to anyone else and let them install it without
any fiddling. The third is to just disable secure boot entirely, at which
point the machine should return to granting the same set of freedoms as it
currently does.