[CobrastanJorji]

I'm trying to think of a situation where this is objectively bad, and I having trouble thinking of areas where this is objectively bad. The best I came up with is purchasing an elevator, which has a key for firemen. I wouldn't really want to just give everybody a copy of that key. But on the other hand, you can buy that key on Amazon for $5. It would maybe help people think about security a bit more if they bought a TSA-approved lock and it came with a TSA key with a little warning that read "Note: this key opens any TSA-approved locks, please only open your own baggage."

One possibility is around DNS. A public/private keypair is basically a lock and a key. If you can't put ANY public keys on my device without giving me the private key, HTTPS is going to be problematic. Software updates become a little scarier as well, since a man-in-the-middle attack becomes MUCH easier to pull off. But perhaps the answer there is, like DNS on a desktop computer, to simply allow the user to edit those local keys. As long as there's a "Yes, I am also cool with installing unsigned software updates," then I don't see a problem.

[guerrilla]

> I wouldn't really want to just give everybody a copy of that key.

Why would you give the key to everybody? Just give it to the owner... That's what I want. I shouldn't need to hack my own smartphone or have to solder a board to my Xbox to run my own code on it.

[sneak]

The reason Apple doesn't do this is because users will get deceived into providing those keys to malicious entities which will compromise their devices and everything on them in exchange for the promise of free games, or free in-game currency, or whatever.

[samueldr]

Thinking about situations [...] > where this is objectively bad

Thinking here about a smartphone. Note that I'm explaining the current state of things, I am *not* excusing the state of things.

Directly for end-users, generally no real scenario where it's bad as long as they can enroll their own keys in a safe fashion preventing evil-maid type attacks.

Tangentially for end-users, locked devices are easier to make worthless for thieves. FRP on Android, or whatever Apple does, when it's locked to a user account even when reset. This is one thing that would become harder to implement when the root of trust can be manipulated on the device.

Then there's supply chain integrity for OEMs. This is the reason some android vendors only allow unlocking when attached to an online account after a delay (e.g. xiaomi). Some unscrupulous vendors would open the box, replace the system image with a malware-ridden system image, and sell those to end-users.

Finally, there's somewhat a case for DRM and similar uses. The current implementations are built on the current "security" model, where it's security for the businesses first, then security for end-users last.

Still, I agree wholeheartedly that users should be in control of the root of trust, in a way that does not reduce their abilities to use their owned devices. Add to that that standards-based boot should be used. All the time. All devices.