The strongest reaction was not about the mechanics. It was about power. People were fine with attestation inside a company fleet, embedded devices phoning home, or a hardened personal setup under the owner's keys. They were hostile to attestation when the root of trust belongs to Apple, Google, Microsoft, a game publisher, a streaming service, or a government. That distinction dominated everything else. In this framing, the same primitive that keeps rootkits out of employee laptops also lets vendors block rooted phones, refuse service to alternative operating systems, and make software access conditional on running code you cannot inspect or modify.
The more technical comments pushed past the usual freedom-versus-security argument and focused on where attestation is weaker than the clean story suggests. Several pointed out that server TPM deployments are often poor against physical attacks, especially when the TPM is a separate component on an exposed bus. A valid manufacturer certificate only proves the TPM is real, not that it is the TPM attached to your server rather than an attacker's device replaying the right measurements. That turns onboarding and device binding into the real problem. Others added that the ecosystem is still rough. Windows has relatively mature plumbing through Active Directory Certificate Services and TPM key attestation. Linux tooling is patchier, Mac support is unclear, and open source implementations are thinner than the concept's importance would suggest.
The practical consensus landed in a narrower place than the article's broad enthusiasm. Attestation is useful as one layer in a defense stack, especially for controlled infrastructure. It does not prove a machine is safe after boot, it does not erase the need for endpoint detection and response, and it is not magic against attackers with physical access or hardware flaws. Used inside a fleet you own, it can raise the cost of compromise in a meaningful way. Used as a gatekeeper on consumer devices, people expect it to become a blunt instrument for
DRM, anti-competitive lock-in, and policy enforcement.