[SimingtonFCC]

Re your point 4 in particular, I feel your pain -- I said "exposed public keys, expired certs" in the OP for a reason. The current item doesn't contemplate a requirement to tie these off as such, but I'd be interested to see if commenters ask for this as part of getting a stronger label.

[mschuster91]

Thanks for your response!

To add on the "label" point: I don't think labels are enough, not in a world where consumers (private, commercial and governments) primarily look at the price in purchase decisions. At least a base set of legally binding requirements must be established.

ETA: I'd also love to see an exception for small scale / startups. Like < 1000 units sold per model and year. That allows quick iterations while the large offenders still have to comply.

[SimingtonFCC]

Thanks for yours!

It depends how much the labels shape behavior. I'm envisioning a "high-tier" label that says that risks X, Y and Z have been addressed by M means and that, e.g., addressing risk Z meant sweeping stated databases for known security holes, committing to security-only patches for N years, and hiring J compan(ies) to sweep your firmware within specified parameters -- or whatever other things from the wish list of infosec pros that people like posters in this thread choose to advocate for. Hopefully that would be better than what we have now, which is mainly price/churn-driven minimum viable product.

Re your exception: I don't think mandatory labels are on the horizon in the USA, but this could indeed be a problem under other regulatory regimes.