Consider how companies can pledge not to circumvent the threat model

[jyasskin]

There was interest in having companies sign onto the threat model once it's stable, as something of a pledge not to try to circumvent it.

Even though most of the document is aimed at UA and specification conformance, I could imagine some parts aimed at websites something like HTML's notion of document conformance.

I'm hesitant to do this for a couple reasons:

1. I think it has proven to be confusing in HTML.
2. I don't want to help companies declare their love of motherhood and apple pie unless we can find ways to enforce that they back that up with action. In this context, that enforcement probably consists of "MUST"-level statements in this document, combined with some regulator who can impose penalties for breaking those rules. I'm not confident we can get either one.

However, I'm happy to listen to the rest of the group to discover I'm wrong.