Block users all you want, but don't expect me to "attest my hardware and software" from a 3rd party. Let alone make this a standard and think about leaving the keys to parties which are probably "themselves" only.
How on earth the expectation can be giving authority to third parties to set my hardware and software to be validated so they attest to an arbitrary standard which I will never have control over?
See the current SSL certificate authorities mess. I have to pay to a third party to asure my clients that my server can securely communicate with them. Now they are doing this to clients with a more strict manner.