~~~~But your VM TPM won't be signed during manufacturing by a trusted root. No attestation.~~~~
OK I take it back, privacy is one of their specified goals:
> Note that the certificate chain for the TPM is never sent to the server. This would allow very precise device fingerprinting, contrary to our privacy goals. Servers will only be able to confirm that the browser still has access to the corresponding private key.
However I still wonder why they don't have TLS try and always create a client certificate per endpoint to proactively register on the server side? Seems like this would accomplish a similar goal?
> why they don't have TLS try and always create a client certificate per endpoint to proactively register on the server side
That is effectively what Token Binding does. That was unfortunately difficult to deploy because the auth stack can be far removed from TLS termination, providing consistency on the client side to avoid frequent sign outs was very difficult, and (benign) client side TLS proxies are a fairly common thing.
Dude; please stop spamming misinformation, this was already debunked in previous commentary you saw and responded to, showing that the website never sees the raw TPM data at any stage under this proposal.
Session cookies have zero correlation to fingerprinting.
Well, it's a good thing Device Bound Session Credentials (DBSC) as proposed here has no way to actually send said endorsement key anywhere, rendering the objection irrelevant. The TPM is only for secure storage as verified by the browser itself, not the website being visited.
> You all don't understand how any of this tech works but you think you do.
We do; and it is specifically called out in the spec that the certificate chain is not submitted, due to the potential for overpowered fingerprinting. As such, this battle, should they make a move to change that, needs to be fought a different day. Fighting against hypotheticals is pointless.
Edit: For the pedantic, fighting against hypothetical things that they could do if they invented something that doesn't exist right now, is pointless.
Edit 2: You can't boil a frog without ecosystem cooperation. The internet isn't going to bow to inconsistent adoption. They already made it clear with WEI they have no interest.
No, fighting against things that have already happened is pointless. We only ever fight against hypotheticals. We fight to avoid something happening that has not happened.
> Edit: For the pedantic, fighting against hypothetical things that they could do if they invented something that doesn't exist right now, is pointless.
But it ALREADY EXISTS on Android[0] and has been proposed by google to be added to chrome before [1]. They are OBVIOUSLY using a boil the frog approach here like forcing android devs to register to sideload [2]. This is obviously designed to slowly roll out these checks small steps at a time. To not see that is to be willingly ignorant.
Actually, I came up with that all on my own after I noted to myself that capture-recapture would work; and it amused me so much that I resolved to try to come up with a proper list filling out the idea. I did get some of the other ideas from LLMs, though.
That reminds me of another more obvious way these folks are projecting.
They place so much value on their own ability to munge words together and spew internally consistent language constructs. The existence of a technology -- a machine -- that can do this and do it better than them is a threat to them. The AIs small enough to run locally on my own GPU are better at bullshitting than these people.
It's almost like sophistry isn't particularly interesting or special.
> the optimum is a bit thicker than our guidance suggests
That's probably confounded. Anything over a BMI of 23 better be an increasing proportion of muscle, and even then there's a point that the stress on the heart isn't worth it.
Almost every physical and mental health condition does bad things to nutrition and internal energy stores, even if only at a diet level.
It's hard to see since so many people are overweight or obese to start with, but the overall correlation goes that way enough to cause confounding.