If you want to argue for client side controls, I’m on your side. I’ve expressed this opinion elsewhere in this thread.
I’m well educastes on what remote attestation means, and I know it’s the status quo. But it is not required by law. And I’d very much like for it to continue being optional indefinitely, and not bundled with a different “save the children” law.
More specifically, I don’t want to have to prove to the OEM that I’m an adult to unlock my bootloader or disable SecureBoot. Or, more realistically, I don’t want OEMs deciding it’s cheaper to stop offering that choice because they don’t want to risk unlocking the bootloader on a child’s device.
> If you want to argue for client side controls, I’m on your side
Yes, then we're coming from the same place here.
> I’m well educastes on what remote attestation means, and I know it’s the status quo
I wouldn't describe remote attestation as the status quo. I generally use the web from my libre desktop, and apart from all the constant nagwalls (Cloudflare et al), I can access sites just fine. Perhaps on many mobile apps it's become some kind of status quo ("Play Integrity" I think it's called?), but even mobile browsers don't do attestation (WEI, or whatever they've renamed it to these days), IIUC.
> But it is not required by law
This is a red herring. None of these laws are proposing to require remote attestation, but rather anything that puts the onus on big tech to "verify age" (aka verify identity) will eventually lead to it being de facto required, with no direct law required.
> More specifically, I don’t want to have to prove to the OEM that I’m an adult to unlock my bootloader or disable SecureBoot. Or, more realistically, I don’t want OEMs deciding it’s cheaper to stop offering that choice because they don’t want to risk unlocking the bootloader on a child’s device.
I'm right with you about the knife-edge we're currently teetering on, where what is a pragmatic system that "merely" has gotchas could get more restrictive at any time. But Google already requires you prove you're the device owner to unlock a bootloader, and far too many manufacturers already don't let you unlock. But if done right, then none of this really matters for the parental controls use case - rather when unlocking the bootloader erases the whole device, that is the flag that lets a parent know.
I’m well educastes on what remote attestation means, and I know it’s the status quo. But it is not required by law. And I’d very much like for it to continue being optional indefinitely, and not bundled with a different “save the children” law.
More specifically, I don’t want to have to prove to the OEM that I’m an adult to unlock my bootloader or disable SecureBoot. Or, more realistically, I don’t want OEMs deciding it’s cheaper to stop offering that choice because they don’t want to risk unlocking the bootloader on a child’s device.