It doesn’t have very concrete answers. It’s really more of a couple of ie thoughts, with an exhortation for people to provide ideas on how to fix this. For example:
> Attesters will be required to offer their service under the same conditions to any browser who wishes to use it and meets certain baseline requirements.
What prevents this set of baseline requirements from being e.g. “the device is backed by a TPM from these four vendors”?
> Although a holdback would prevent the attestation signal from being used for per-request enforcement decisions, there remains immense value for measurement in aggregate populations. However, a holdback also has significant drawbacks.
“So, like, here’s a vague idea on how we might prevent this. However this idea has significant problems.” Not a very convincing argument?
> If the community thinks it's important for the attestation to include the platform identity of the application
“If we assume that we can’t actually solve this…”
Basically there’s not much in the way of answers there. Generally when you put out proposals with a history of significant pushback I’d expect the likely feedback to be addressed in more depth than this.
(I guess since we’re doing disclaimers I also work at Google but not on this.)
> Attesters will be required to offer their service under the same conditions to any browser who wishes to use it and meets certain baseline requirements.
What prevents this set of baseline requirements from being e.g. “the device is backed by a TPM from these four vendors”?
> Although a holdback would prevent the attestation signal from being used for per-request enforcement decisions, there remains immense value for measurement in aggregate populations. However, a holdback also has significant drawbacks.
“So, like, here’s a vague idea on how we might prevent this. However this idea has significant problems.” Not a very convincing argument?
> If the community thinks it's important for the attestation to include the platform identity of the application
“If we assume that we can’t actually solve this…”
Basically there’s not much in the way of answers there. Generally when you put out proposals with a history of significant pushback I’d expect the likely feedback to be addressed in more depth than this.
(I guess since we’re doing disclaimers I also work at Google but not on this.)