by dwaite
2074 days ago
> In order to revoke a specific device without cooperation of the device itself, which is one of their advantageous claims, they do.

My understanding is that there are methods to revoke a particular group key under DAA, which would prevent that device from being able to retrieve attestations in the future.

That said, revoking individual devices is somewhat nonsense from a security point of view. There's nothing (other than the difficulty of the hack itself) that prevents a compromise of one phone from being replicated across the entire production line, which impacts the security reputation of the entire line. Also, it is hard to imagine the use case for identifying and revoking the attestation for a single user's devices that isn't troubling.