[blintzing]

If the device doesn't have a secure element, how can anyone take it seriously as a strong root of trust? The page lists several recent attacks on secure element, but that's not really enough to convince me that no secure element is needed.

[cr7pt0]

This is an interesting question. I would like to see more discussion like this in the security community. Of course this question should be proceeded by the question of what actually qualifies as a secure element? Who decides it's secure? If it's just an MCU with some basic security features you have to sign an N DA to even test is that a secure element? Is it possible to create an open source secure element without an NDA required?