Comment by Aachen

All of this assumes that the device, a relaying party for your identity document, needs to be secure in the first place. We don't attest the OS of the router and your ISP before being allowed to use them to relay this information to pornhub. Why does your phone need to be under a third party's control just to relay information that the government already signed onto your NFC-enabled identity documents?

But even if you were to want user's phones to be roots of trust...

> as far as I know, they are the only Android OS publisher (and perhaps the only Linux publisher?) that bothered to implement hardware-to-app attestation chaining

GrapheneOS does that. They guarantee this more than Google because Google allows devices with known vulnerabilities: https://grapheneos.social/@GrapheneOS/114864326550572663 (rest of the thread is worth reading, too)

Using Google Play's instead of Android's attestation framework means that nobody else ever could enter this market indeed, no matter how secure the OS