No, it only "requires" browser attestation if we taken it as a given that the onus is on tech companies for verifying who they are talking to - ie identity verification that most of these schemes boil down to regardless of how cute they're dressed up.
To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.
But this proposal has another problem: it's easy for a website to run isUserOver(n) in a loop to derive the exact age. And on a persistent account, it can be queried every day to derive an exact birthday! Which comes back to my main point that the only technical schemes we should be considering are ones where information strictly flows one way - the website/app supplies information to the browser/OS, which then [may] implement parental control policy. anything else fundamentally boils down to a mandate for identity verification.
> To effectively keep adult content away from kids, it merely requires secure boot and closed app stores
This is unacceptable. If I own a computer, I expect to be able to build and run any program, either written by myself or others, without asking anyone for permission.
Maybe I needed to say "it merely requires the existence ...". Because I then do go on to say:
> And they are only required on the devices actually given to kids
My whole point is that this limits the blast radius, compared to any solution involving "age" (read: identity) verification which has a blast radius of every computing device!
Perhaps my other comment will show you where I'm coming from better: https://news.ycombinator.com/item?id=48645646
> To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.
...I guess I don't really see the difference.
Closed app stores are widespread on some platforms but certainly not others, and I for one would really like them to not spread any further.
For starters here, the difference is that only devices that parents give to kids need to have secure boot and controlled software sources. The point is that every other device remains completely unaffected.
But in general there is a huge difference between the freedom-destroying properties of secure boot with closed app stores, and the next step of remote attestation. Remote attestation lets the server insist that you only run software fully of their choosing rather than your choosing, as a condition of interacting with them. This completely destroys the idea of protocols that mediate between two parties with diverging interests, and computationally disenfranchises users. Imagine the next generation of the Cloudflare nagwall that doesn't let you past unless you buy a new computer, and that new computer must be running MSWin/OSX and MSIE/Chrome.
(also note that my use of "secure boot" here includes systems like on Pixels where you can straightforwardly unlock the bootloader (erasing the data on the device), install whatever you want, and then relock. I still find these systems philosophically objectionable, as there is still a privileged key baked in and retained by the manufacturer - similar security properties could be provided without the backdoor. But pragmatically they've been working okay)