Comment by Dylan16807

>The way to allow them or ban them is via remote attestation. How else would they be able to do that?

The first check should be if it's their device. If the device has the correct key to show it's theirs, they could allow it right there. Or they can go further for extra security, to ask for remote attestation of their device.

If the device claims to be owned by anyone else, they should not ask for remote attestation. Why would they need it? They already have all the information they need to decide whether to allow or block. "My washing machine (unrooted)" and "claims to be my washing machine (rooted)" should be treated exactly the same by them. Allow both or ban both, depending on the purpose of the network.