If I was the EU I would ban consumer devices from supporting remote attestation.

@retr0id Would that ban U2F tokens with nonextractable keys?


@retr0id

Some of them do it in the most obvious sense (i.e. they have a manufacturer-provided private key used to sign statements that mean "this enrollment has been processed by a U2F key produced by the manufacturer").

But fair point, if we define "remote attestation" as a mechanism that prevents the user from substituting parts of the system with self-developed replacements then unless the former is used _or_ the user uses a pre-enrolled u2f key, they can always use a software-emulated u2f key.
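An added example (not from the thread) of the distinction made above, as a relying party would see it: a toy model in which a token signs each enrollment with an attestation key, and the relying party either requires that key to be the manufacturer's or does not care. It uses the third-party `cryptography` package and a constructed message layout, not the real FIDO attestation format or certificate chain; the policy names and helper functions are assumptions made here.

```python
# Toy model of U2F-style enrollment attestation (constructed for illustration).
# Requires the third-party `cryptography` package (assumed installed).
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

# Manufacturer-side secret: in real tokens a batch of devices shares one
# attestation key, and relying parties hold the corresponding public key/CA.
MANUFACTURER_KEY = ec.generate_private_key(ec.SECP256R1())
MANUFACTURER_PUB = MANUFACTURER_KEY.public_key()
SIG_ALG = ec.ECDSA(hashes.SHA256())


class Authenticator:
    """A token holding an attestation key plus one fresh key per enrollment."""

    def __init__(self, attestation_key):
        # Hardware tokens get this from the factory; a software emulator can
        # only generate its own, which the manufacturer's public key won't verify.
        self.attestation_key = attestation_key

    def register(self, rp_id: bytes, challenge: bytes) -> dict:
        cred_key = ec.generate_private_key(ec.SECP256R1())
        cred_pub = cred_key.public_key().public_bytes(
            Encoding.X962, PublicFormat.UncompressedPoint)
        att_sig = self.attestation_key.sign(rp_id + challenge + cred_pub, SIG_ALG)
        return {"rp_id": rp_id, "challenge": challenge,
                "cred_pub": cred_pub, "att_sig": att_sig}


def make_manufacturer_token() -> Authenticator:
    return Authenticator(MANUFACTURER_KEY)


def make_software_token() -> Authenticator:
    # Emulated key: same protocol, but a self-generated attestation key.
    return Authenticator(ec.generate_private_key(ec.SECP256R1()))


def enrollment_accepted(reg: dict, rp_id: bytes, challenge: bytes, policy: str) -> bool:
    """Relying-party check. policy: 'manufacturer' (attested only) or 'none'."""
    if reg["rp_id"] != rp_id or reg["challenge"] != challenge:
        return False  # replayed or foreign registration
    if policy == "none":
        return True  # attestation ignored: software tokens are accepted
    try:
        MANUFACTURER_PUB.verify(reg["att_sig"],
                                rp_id + challenge + reg["cred_pub"], SIG_ALG)
        return True
    except InvalidSignature:
        return False
```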
