
This would be verification that any branding on the HTTP Basic Auth popup represents the company it claims to. This would be optional — any site that didn’t use this would still have the default (generic/unbranded) browser behavior.

The stated (and valid) concern is that malicious actors would use fraudulent branding on those browser auth popups — let’s tell the user we are MSFT or AAPL and steal their password.

One solution is for the branding to consist entirely of NFT assets that can all be tracked to a definitive owner, and use some DNS-based glue (à la DKIM/SPF for email) to link the NFT to the TLD.

Then your browser can refuse to show the MSFT logo (and show a big red fraud alert page) if the owner of the branding can’t be reliably traced back to Microsoft (owner of the site).




At this point you're talking about checking a signature. Naively, it seems to me like you could skip the NFT entirely and embed a verifiable sig in a securely delivered DNS record. Then it's linked to the domain. You can do this now, with tooling that already exists and is deployable today. You'd need to deliver the record securely to avoid attacks on the glue anyway.

Of course, neither the NFT nor the sig-in-DNS approach actually solves the problem of a visually identical but technically different image (use a slightly different color in a few places, etc.) being used to trick people. I'm not sure what we've gained. The malicious use case would seem like it's not effectively prevented.
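The domain-binding check discussed in the comment above, as an added example that is not part of the original thread. It pins a SHA-256 digest in the record instead of a signature to stay within the standard library, and it assumes DNSSEC-validated delivery; the `_authlogo` label, the `sha256=` record format, the domains and the 4x4 logos are all hypothetical or constructed.

```python
import hashlib
import hmac

def make_logo(accent: int) -> bytes:
    """Constructed 4x4 RGB 'logo': a blue field whose pixel 5 has a variable blue channel."""
    pixels = [(0, 120, 215)] * 16
    pixels[5] = (0, 120, accent)
    return bytes(channel for px in pixels for channel in px)

GENUINE = make_logo(215)
LOOKALIKE = make_logo(214)  # one channel differs by 1: indistinguishable to a viewer

def txt_record(logo: bytes) -> str:
    """Hypothetical record body a domain owner would publish for its logo."""
    return "sha256=" + hashlib.sha256(logo).hexdigest()

# Constructed stand-in for answers from a validating resolver. Each domain
# owner controls only its own record.
SECURE_DNS = {
    "_authlogo.brand.example": txt_record(GENUINE),
    "_authlogo.brand-login.example": txt_record(LOOKALIKE),
}

def logo_bound_to_domain(domain: str, logo: bytes, dns=SECURE_DNS) -> bool:
    """True only if the record published for `domain` pins these exact bytes."""
    record = dns.get("_authlogo." + domain)
    if record is None or not record.startswith("sha256="):
        return False  # no usable record: fall back to the unbranded prompt
    expected = record[len("sha256="):]
    return hmac.compare_digest(expected, hashlib.sha256(logo).hexdigest())

def max_channel_diff(a: bytes, b: bytes) -> int:
    """Largest per-channel difference between two equally sized images."""
    return max(abs(x - y) for x, y in zip(a, b))

if __name__ == "__main__":
    for domain, logo in [("brand.example", GENUINE),
                         ("brand.example", LOOKALIKE),
                         ("brand-login.example", LOOKALIKE),
                         ("unsigned.example", GENUINE)]:
        print(domain, logo_bound_to_domain(domain, logo))
    print("max channel difference:", max_channel_diff(GENUINE, LOOKALIKE))
```

The check proves which domain vouches for which bytes, nothing more: the third case passes because the look-alike is validly pinned by its own domain, so a browser relying on it would still need a similarity judgement against known brands.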


You’re right. Both about the problem still being present and NFT being not strictly necessary anyway.

I can’t help but think there must be a way to make it work.


There probably is, provided you can get a perceptual model that correctly models all human visual perception and reduce it to a hash. I am not sure one exists currently. Until then, it really does seem like we're trying to find a way to re-implement trademarks in a way that doesn't require the interpretive work that trademarks rely on.

I suspect there's a lot of complexity hidden in the perceptual model requirement, though.



