Ask HN: Is PGP-based web-environment-integrity possible?

  • The primary complaint that people have about attestation is not in the signing, but rather in what and who is doing the signing.

    In a PGP signing scenario the user would be signing the environment saying “this is me, and this is my environment”. The Google proposal has the browser deciding if the environment is an acceptable one (dictated by what Google decides is acceptable) and then signing the request whether the user agrees or not.

    Which is to say that it’s not a matter of identity (or not much) but of authority, and the proposal is to shift the authority from the owner of the environment (the user) to that of the browser-maker (who is coincidentally also the owner of the largest ad network).