> You can’t have your kitchen knife exploited by a hacker team in North Korea, who shotgun attacks half of the public Internet infrastructure and uses the proceeds to fund the national nuclear program, can you? (I somewhat exaggerate, but you get the idea.)

Isn’t the status quo, that you need to intentionally choose to allow this?

Yes (well, kinda - attested systems can be and are vulnerable too), and remote attestation is completely orthogonal to that threat anyway. Securing the boot chain does not involve letting apps verify the environment they run in, it's an extra (anti-)feature that's built on top of secure boot chains.

It's also really incredible how people can see "user being in control" and just immediately jump to "user having to be an infosec expert", as if one implied the other. You can't really discuss things in good faith in such a climate :(

Bootloader patching is just what you chose to use in your original false analogy. Letting apps verify the environment they run in is just as critical for the purposes of guaranteeing the digital identity. It’s all pieces of the puzzle.

It's not. I can guarantee my identity by e.g. scanning my ID card on a system with absolutely no secure boot chain. I can also guarantee a secure boot chain with my patched bootloader. Neither of these things require apps to verify the environment they run in.

> I can guarantee my identity by e.g. scanning my ID card on a system with absolutely no secure boot chain.

Your ID card is on your phone. Go ahead, guarantee you’re not using a duplicate of someone else’s ID card, that no one could duplicate your card, with a mainstream widely available consumer phone.

> I can also guarantee a secure boot chain with my patched bootloader.

Go ahead, show how your grandma automatically guarantees to interested parties that I or whoever else didn’t patch her bootloader to run a backdoored OS, while using a mainstream widely available consumer phone.

> Neither of these things require apps to verify the environment they run in.

Demonstrate a mainstream, widely available consumer phone that does these things without requiring apps to verify the environment they run in.

We can continue this infinitely, but if you keep making sweeping contrarian statements without contributing the proof required then it’s just not worth it.

> Your ID card is on your phone.

No, it's not. It lies on the desk next to me right now. I can communicate with it over NFC and I can't duplicate it. There's a debit card next to it and the same applies there - though it can also be communicated with by using a smartcard reader, which can't be done with my ID.

> guarantees to interested parties

The only interested party is my grandma, and she'll come to me to help her because her phone will stop working when the boot chain gets compromised (as it should).

> Demonstrate a mainstream, widely available consumer phone that does these things without requiring apps to verify the environment they run in.

Pretty much all of them today? Letting apps verify the environment is an extra feature built on top of secure boot chains, not the other way around. We're only having this discussion because having secure boot chains enables app attestation to work in the first place, and letting the user patch things is just a matter of key management policies. If you think these are "sweeping contrarian statements", you may want to spend some time learning how these things work.

This is not a technical problem; the technical aspects have already been solved a long time ago. This is a social/political problem of who holds power over whom.

On iOS, the worst you can do is not update your OS and thus be vulnerable to exploits. There is no setting that a casual user could be socially engineered into enabling that would allow the OS to be patched.