←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 3 comments | 25 Jul 23 14:10 UTC | HN request time: 0s | source
Show context
lifeisstillgood ◴[25 Jul 23 14:29 UTC] No.36862777[source]
I kind of get both sides here. If we take the "see the best of others intentions" then a web that is populated by identified humans (and their authorised proxies!) is likely to be the "cleanest", most ideal web space we can see (a web full of sock puppets and link farms is not ideal).

The clearest end point for this is some government issued digital ID that just asserts who you are, acts as a login etc.

You can see this as a stepping stone to there. if you squint.

Is it the idealism of the 70s coke to life? No. Is it some sane compromise - I think so.

What if we cannot trust our government ? Sorry it is pretty sure that no internet is going to solve that. That's on the real world.

replies(10): >>36862946 #>>36863031 #>>36863074 #>>36863126 #>>36863250 #>>36863286 #>>36863456 #>>36863735 #>>36864436 #>>36871915 #
1. wzdd ◴[25 Jul 23 16:05 UTC] No.36864436[source]
> then a web that is populated by identified humans (and their authorised proxies!)

You wrote "I kind of get both sides here", but, to be clear, this is the polar opposite of both the WEI proposal and Apple's thing, both of which go to some lengths to not allow identification of actual humans (they focus on proving that the device is legit).

replies(1): >>36864697 #
2. lifeisstillgood ◴[25 Jul 23 16:18 UTC] No.36864697[source]
Because the proving the human is legit is also the next obvious step, it's where many governments (democratic and not!) are heading. I mean it's not a huge leap to go from "this device number 1234 is legit to "paul bought device 1234" or "paul used device 1224 to access bank account 5678".

The next step is barely a step.

replies(1): >>36868634 #
3. wzdd ◴[25 Jul 23 20:11 UTC] No.36868634[source]
Actually, these two things are orthogonal.

If you require some kind of authentication process to prove your identity, it doesn't matter whether your device has TPM-supported device attestation or not. If Apple or Google wanted to do that, they already have the in-browser infrastructure for it in the form of login with Apple or login with Google. Making such a thing anonymous for third parties (so they just know it's a human, rather than which human) would be trivial.