Ideally, the keys would be per-manufacturer, like HDCP or (DVD-)CSS. Personally I don't think I'd love the idea of any kind of attestation like this, but if TPTB did implement it, I'd prefer a key per-manufacturer rather than each unit having its own unique signing key. We do have precedent, in the form of printer tracking dots, which were kept 'secret' from the public for 20 years. [0]

0: https://en.wikipedia.org/wiki/Printer_tracking_dots