I am not unaware of the potential dangers of device attestation.

> Would you be ok if, for example, your government's website to pay your taxes mandated a device with attestation, knowing you can only get one from Google, Apple or Microsoft?

My point is this is already possible today. A lot of apps do it. An open attestation API means that, at least theoretically, systems not owned by one of those three providers could be used. Today you get, functionally, a signal of "this is blessed Android or not". An alternative world where the device attests "I am GrapheneOS" and it is up to the service to accept that attestation or not is strictly better than the ability today.