Apple already shipped attestation on the web, and we barely noticed

The clearest end point for this is some government issued digital ID that just asserts who you are, acts as a login etc.

You can see this as a stepping stone to there. if you squint.

Is it the idealism of the 70s coke to life? No. Is it some sane compromise - I think so.

What if we cannot trust our government ? Sorry it is pretty sure that no internet is going to solve that. That's on the real world.

Already exists in a bunch of countries. Works better in some than in others.

The issue is that you don't want everything tied to that ID. In a less than ideal world, ideally the ID would just attest that some random pseudo-ID is real. Like Webauthn, kinda.

This could be a really good thing if all it's doing is proving that your device isn't malicious, or being better able to detect whether you are a bot. If our end-user experience doesn't change but we stop filling out CAPTCHAs and seeing Cloudflare bot checker load screens, that would be a big plus.

This could be a really bad thing if it means that the web now will just widely reject alternative browsers or computers that have elevated administrative permissions.

I think if we want to see how this plays out, we can look at the Google Play store. A common example that already exists is that banking apps will block rooted Android devices, and it sounds like this attestation API will have the ability to do something similar.

In my opinion, that situation seems perfectly reasonable, and it also seems like most websites don't have the same incentive to block modified devices as higher security services like banks.

Depends on your definition of "ideal", and whether you even want to strive for such an "ideal". To me this sounds more like a "sterile" web. If we temporarily assume that humans won't do what they're experts at (finding ways around that system too), and take at face value that this will lead to this "cleanest" web space, we are still assuming that that's what consumers want. I would argue that the very existence, and success, of the web in the face of approximations to this "ideal" space in the native-app-world disproves this theory. We have the App Store, we have lock-down control and identifiability for apps, and yet the web still manages dominate commerce in the face of this. Consumers still end up going to the web, and arguably increasingly so with things like Figma. So where are the cries for this "sanitized" web? The demand certainly doesn't appear to be on the consumer end, that's for sure.

You do not, under any circumstances, have to “see the best of [a corporation’s] intentions”

Don’t shoot the messenger!

This is not going to work. The governments will create millions of fake identities to spread their propaganda, same way as they are making fake passports for spies.

Well, nobody is actually proposing this at the moment. Heck, neither Apple nor Google's scheme even gets close. All their schemes purport to do is ensure the "integrity" of the platform.

Integrity how, exactly?

> For example, this API will show that a user is operating a web client on a secure Android device.

So basically, it does not tell you that the user is a unique person, or give you any kind of usable identifier for a person. All it tells you, in case of this example and Apple's, is that the device is not rooted or jailbroken.

In practice, is this concept useful? Only as part of a larger cat and mouse game. Just like copyright protection schemes, remote attestation schemes are limited by what they're actually attesting. Very little can be done to stop cam rips in movie theaters, or any number of in-between steps that exploit the fact that a movie is just a series of pictures and frames of PCM samples at the end of the day. And likewise, devices may be expensive, but there's nothing stopping someone from acquiring many of them to do operations on. In fact, many people already own swaths of Android devices specifically for cheating the system. When they can be had for as cheap as $50 a pop in some cases, it's not really a meaningful barrier.

So what does this actually do? It just makes it more expensive and complex to run bot operations, and if you can raise the cost enough to sink the break-even point of doing so, then theoretically you've won! ... But it won't, because there's a lot to be gained by spamming and scamming people. All of these years of countermeasures and we're not even close to getting there. The amount of money that flows in the industry of cheating these systems is more than enough to just pay the cost.

Adding government IDs to the mix won't change anything. Almost every SPAM operation has a real person behind it, so getting a blind attestation that a person is indeed a citizen tells you almost nothing about them. I think just about the only way that could aid in any way is if it were set up in such a way that you did in fact receive a unique ID for each person, rather than just an attestation that you're dealing with a legitimate thing.

And if that's the end game of the Internet, then honestly, the whole experiment was not worth it.

That's why Android devices allow you to obtain root and unlock the bootloader but factory reset the device whilst doing it. Banks don't care about that feature because it's not accessible to malware and even if someone does it (e.g. because they physically swipe your phone for a few minutes) the login cookies are wiped in the process.

The problem with rooting or jailbreaking outside of this process is that it could have been done by malware instead of the user - you can't tell post-hoc - and even if it was done by the user, rooted phones often have semi-broken security systems e.g. they turn sudo on or users run random apps as root that were grabbed off anonymous GitHub accounts. From the bank's perspective all this is highly risky both for you and more importantly for them, as ultimately weak security = fraud = reputational and financial risk to the bank.

Still, realistically, what banks care about is devices that were silently rooted by malware (or physical thieves). Individual Linux hackers are such a tiny number of people they'd probably be OK with just letting those people get rinsed if they run malware. The problem is, how do you know which is which?

A meet-in-the-middle compromise for the banking use case is for some neutral standards body to certify OS builds against a set of concretely specified security goals, whether they're open source or not. There's no specific technical problem, it's a social issue that it's expensive to do such audits and open source hackers don't want to pay for things. LetsEncrypt solved the same problem with SSL by just brute forcing the issue with money, which may be the way Google/Apple choose to go here. If you want root on your device to customize your window manager or something then no, don't give yourself root, instead spin a deterministic OS build with whatever changes you would have made using root, ensure the OS build is secure and then submit it for auditing. Done properly the audit can be mostly automatic, e.g. if the SELinux rules match the set found in a base distro that's already trusted, then you can know that credential protection/debug APIs are configured as before, so then you can wave through changes to non-critical OS processes.

Secure hardware feels like it has no upside. It will not even be a speed bump for anyone spreading disinformation at any level of scale. It mildly inconveniences only extremrly unsophisticated/casual bad actors. And it greatly constrains who can make a browser and those with non-Trusted devices, such as Linux users or people who turn off Trusted Boot.

At least I have some say who is screwing me when my government is democratically elected (to whichever degree of democracy you have).

Or in other words: phone banking in western countries is a joke, because the people that might've popularized it were shut out of the system before it gained popularity.

And that's for morally ambiguous cases where the justification is popular and well established things like crime fighting, child porn and so on.

We don't know what will happen in future, but given the story so far, the chances of these companies saying to governments, sure, have 500,000 free accounts so you can spam our users with incompetent political propaganda, is virtually zero.

To me that's (again under legal / democratic protections) using some centralised public private key (probably) and a curated env and this is (sort of being very generous) a first step towards that world.

You wrote "I kind of get both sides here", but, to be clear, this is the polar opposite of both the WEI proposal and Apple's thing, both of which go to some lengths to not allow identification of actual humans (they focus on proving that the device is legit).

The chances that they would comply with future government requirements cannot possibly be "virtually zero."

The next step is barely a step.

By each individual site expending a great deal of effort to identify their users. Or by offloading it to someone else expending a great deal of effort like putting their site behind Cloudflare or restricting e-mails to legit providers.

For Google and PRISM, I'm sure it won't change your mind, but I worked there at the time and the reaction was genuine. If there were people inside the firm who knew about it at all it must have been a very small group of spies/double agents, and such people were never detected despite a thorough search. Given that it was all based on fiber taps done by telcos though, it's not clear why they'd need any insiders. The assumption of formal cooperation was based on the phrasing of one or two sentences in some leaked documents, but the way the whole thing was set up didn't actually require it so, what those insiders would have been doing was a bit unclear.

Anyway, this is all by the by. We can't know what will happen in future. But if they won't budge on E2E encryption then it seems unlikely they'd be willing to bypass anti-spam measures, which is far more detectable, far less justifiable, and probably doesn't fit within any existing laws.

Do you have any experience with how things have changed over the last few years at Google?

I have a friend who said that 2016 was really a turning point in the culture. Prior to that most people were all about liberal values like free speech, and user freedom, but in the last 6 or 7 years it's become very "moderation" or "censorship" friendly (depending on your views), including for things like OP topic. On the plus side he has said that privacy is don't that used to be an after thought of anything, but is now in the cultural zeitgeist, do it's not all bad. Do you have any experience you're willing to share on that?

I don't agree that privacy was an afterthought before then. There were a lot of internal controls and privacy considerations had been a part of the design process even when I first joined in 2006. Of course the level of effort ramped up over time as the company grew. The primary constraint then as now was simply that most users trust tech firms, don't include them in their threat model and will reject even tiny amounts of inconvenience in the name of privacy. So that really heavily constrains what can be done. For example it kills most attempts at proper end-to-end encryption, leaving us with this sort of strange pseudo-e2e-encryption that's more a legal hack than anything serious (the company that supplies you with the encryption equipment is your adversary, which makes no sense in any classical conception of cryptography).

Very few sites are putting in any significant effort to identify their users. Those largely predatory sites shouldn't be setting policy for the entire web.

Who said you had to choose between these two scenarios again? It's so bizarre that people see government as an oppositional force to government contractors operating under government charters.

It's kinda silly to start discussing implementation details of something that doesn't exist. Not to mention considering the alternative which is quite a bit more invasive than having an attested private pseodoidentity would be.

If you require some kind of authentication process to prove your identity, it doesn't matter whether your device has TPM-supported device attestation or not. If Apple or Google wanted to do that, they already have the in-browser infrastructure for it in the form of login with Apple or login with Google. Making such a thing anonymous for third parties (so they just know it's a human, rather than which human) would be trivial.

What is stopping them from recording the value returned to you that is then passed to the site you tried to visit? Does the data provided to the integrity checker allow for identification? Could the original vendor pass some value to use in the integrity check to prevent replay attacks, and could that value itself encode your personal information?

> Could the original vendor pass some value to use in the integrity check to prevent replay attacks, and could that value itself encode your personal information?

Well that value is most likely a cryptographic signature, a "challenge" or a combination of both. Unless there's some separate payload you can't really hide arbitrary data in hashes/signatures that would be used in such a process.

In the end "could" is a very loose word, PII as such is not really part of the process. In this current (Apple's PAT) case, the information is "you have an Apple device", can't currently hide anything else in that.

Imagine I am Twitter / Instragram and want to be sure that User X is the human owner of the account and just posted a brilliant comment / photo. Or a bank wanting to be sure to move money to a new account.

I can use webauthn to sign a nonce so I can be sure the device sending the request has access to private key for the HSM / secure enclave.

Now if the device is compromised, the OS is under malicious control, does this still hold? Can We assume the secure enclave is proof of the OS fails? I know the secure enclave is basically sealed off and as it is what signs my nonce then yeah I think even in face of OS compromise the webauthn section works.

Yes the nonce I generated has been signed, so the user has the device, but has the user seen the same content / bank transfer details that I am seeing? The user thinks they are sending grandma ten bucks but actually they are transferring 5000 to dodgy account, think they are ordering a sweater on Amazon but actually sending 10 airpods to a new address.

Yeah secure enclaves and other HSM identity systems work and webauthn would greatly reduce the amount of authentication failures - that's a huge win.

And it leaves anti-fraud measures pretty much where they are now - how likely is it this guy wants 20 airpods sent to Alabama?

The thing this is solving is "can we make the entire device as trustworthy as the secure enclave?" And frankly the answer is no. And if you cannot all you are doing then is saying does this device look like a human eyeball which is adjacent to "you cannot browse the web with adblock on".

So I was wrong earlier. This is all about can we trust the user has seen what content the web server ha seen. And no we cannot unless we can verify the whole stack - hardware to OS to javascript. And we are a long way from that.

Maybe we can build a seperate device for that - but really if we could we can build the first one just as securely.

This is basically trusted computing and who gets to sign which binaries?

Webauthn exists and is great and should be used everywhere.

We are fairly sure that the secure enclave / external HSM is so hard to break we can trust webauthn works at all but APT levels.

Any issues over "is the content the webserver gets what the user saw (ie are they compromised) is an issue of fraud prevention.

I have a seperate device from my bank - i have to enter the contents of the transaction. The trust level then is through the roof. Both devices need it be compromised at same time. one has no internet access.

At this poknt it seems obvious who could act as trust providers for content - anyone able to get a simple HSM into my hands as a seperate device.

Webauthn works great for authentication. we can pretty much trust the secure enclave to verify a nonce even if OS is compromised.

But we cannot trust the content. And it gets high friction. But basically you need the air solex HSM to take a nonce typed in by user and based on human verified values (ie dollar amount) and maybe hash values (though possibly compromised).

And such high friction destroys many assumptions and business models. It might be the best solution - will see if I can find any reading materials