explainers-by-googlers / Web-Environment-Integrity


Who determines what Attesters are acceptable? #14

Open rektide opened 1 year ago

rektide commented 1 year ago

This proposal is about creating a way to create attestation tokens. Currently there are at least two pieces of information proposed, signed by the attester: a verdict on trustability, and an attester identity.

How do new browsers ever get trusted? If we rely on each site operator to determine which attesters to trust, what hope is there for other browsers to ever get off the ground? It seems unlikely that smaller browsers will gain much recognition here. This seems to favor only extremely large entrenched forces.
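As an added illustration of the point above (this is example code, not part of the explainer or of the thread), a toy relying-party check of an attestation token. The token shape follows the opening post: a verdict and an attester identity, signed by the attester. Everything else is constructed for the example: the attester names, the keys, and the signature scheme (HMAC stands in for the asymmetric signature a real attester would use, so the relying party's registry here holds shared secrets rather than public keys). The relying party never inspects the browser; it only asks whether the attester is in its own registry, which is where the gatekeeping decision lives.

```python
"""Toy relying-party check of an attestation token (added example).

Token shape follows the thread: {verdict, attester identity}, signed by the
attester. Attester names, keys and the HMAC scheme are constructed stand-ins.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed registry: the relying party's policy of which attesters it trusts.
# Who gets to be listed here is exactly the governance question in this issue.
TRUSTED_ATTESTERS: Dict[str, bytes] = {
    "example-attester-a": b"constructed-secret-a",
    "example-attester-b": b"constructed-secret-b",
}


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so both sides sign/verify identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_token(attester_id: str, key: bytes, verdict: str,
                app_id: Optional[str] = None) -> dict:
    """Attester side: sign a verdict together with the attester's own identity.

    app_id is the optional 'name of the package requesting attestation' signal
    mentioned in the thread; if included, the relying party can read it.
    """
    payload = {"attester": attester_id, "verdict": verdict}
    if app_id is not None:
        payload["app_id"] = app_id
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_token(token: dict,
                 registry: Dict[str, bytes] = TRUSTED_ATTESTERS) -> Tuple[bool, str]:
    """Relying-party side.

    Accepts only a token whose attester is registered, whose signature checks
    under that attester's key, and whose verdict is 'trusted'. Note that no
    browser property is consulted: a token from an unregistered attester is
    rejected no matter what it says, which is the lock-in concern raised above.
    """
    payload = token.get("payload", {})
    attester = payload.get("attester")
    key = registry.get(attester)
    if key is None:
        return False, "unknown attester"
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return False, "bad signature"
    if payload.get("verdict") != "trusted":
        return False, "verdict not trusted"
    return True, "ok"


if __name__ == "__main__":
    good = issue_token("example-attester-a", b"constructed-secret-a", "trusted")
    print(verify_token(good))
    # A hypothetical new attester that the relying party has not registered:
    newcomer = issue_token("new-attester-x", b"constructed-secret-x", "trusted")
    print(verify_token(newcomer))
```

Running the block shows the asymmetry the thread is about: the second token is well-formed and carries a "trusted" verdict, yet is rejected with "unknown attester" because admission is decided by the relying party's registry, not by anything the browser or the new attester can do on its own.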

RupertBenWiser commented 1 year ago

The attester is expected to render a verdict on trustability without knowing anything about the browser; the attester does not have to trust the browser and only interacts with it to communicate with the relying party.

One critical element is to ensure that attesters can be used by any browser that requests it. My thinking is that the specification should be explicit in this as a conformance requirement for attesters.

If we prevent the attester from discriminating against browsers (the explainer is centering this as a goal), we must also evaluate our impact on the relying party’s ability to discriminate against browsers. Today, scaled abuse use cases often profile the browser using heuristics to recognize automated abuse campaigns. And because of this, there is a consideration of whether the attestation verdict should contain the name of the package requesting attestation - which would disclose the browser’s application ID to the website. Whether these signals are included or not is still very much up for discussion, and would be subject to the same holdback concerns as all other signals.

The goal is to try to move away from secretive signal collection, detection, and enforcement. At the same time we need to solve for openness, user-to-user integrity, and privacy, and look forward to your continued participation as we share more details.

For now, I think the Attester-level acceptable browser policy could strike a good balance here but I definitely want to hear your thoughts on that alternative.

jfmcbrayer commented 1 year ago

I think the question of "what browsers are acceptable" is kind of to the side of "what attesters are acceptable". It's expected that there will be a fairly small number of attesters - realistically, Google, Microsoft, and Apple, plus maybe some providers of corporate "endpoint protection" spyware. Given that attesters are a practically closed set, doesn't this boil down to a proposal to let those entities decide who is "allowed" on the web?

pinobatch commented 1 year ago

Would distributors of GNU/Linux and AOSP/Linux systems be eligible attesters?

AshtonKem commented 1 year ago

> I think the question of "what browsers are acceptable" is kind of to the side of "what attesters are acceptable". It's expected that there will be a fairly small number of attesters - realistically, Google, Microsoft, and Apple, plus maybe some providers of corporate "endpoint protection" spyware. Given that attesters are a practically closed set, doesn't this boil down to a proposal to let those entities decide who is "allowed" on the web?

Indeed. The entire "we don't let websites discriminate against browsers" seems like a rather paper-thin fig leaf without specifying who the attesters are, and how new organizations can become one.

Attester vs. browser is a distinction without a difference if the attesters are all major corporations with aligned economic interests.