>The attestation is a low entropy description of the device the web page is running on.
>The attester will then sign a token containing the attestation and content binding (referred to as the payload) with a private key.
>The attester then returns the token and signature to the web page.
>The attester’s public key is available to everyone to request.
I'm assuming "attester" here means "hardware authenticator." How is the attestation low entropy if it's presumably signed by a key that is unique & resident to my device? There is nothing higher entropy than a signature w/ "my" private key. That is literally saying "I [the single universal holder of the corresponding private key] signed this attestation." These days that key is realistically burned into my device at manufacturing time, and generally even if I can enroll keys on "my" device (big if), there is a very limited number of keyslots on hardware authenticators. Certainly not enough slots to present a random throwaway identity to each webpage. I don't understand how you can have public/private key crypto as the basis for attestation and also have privacy? The two seem mutually exclusive. Is the private key supposed to be shared among a large cohort? (Which seems rather unwise, as it would make the blast radius of a compromised key disastrously huge.)
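The sign-and-verify flow quoted above (attester signs attestation plus content binding, page returns the token, relying party checks it against the published key), together with a concrete check of the linkability question the comment raises, as an added example in Go. This is not code from the original post or from any real attester; the Ed25519 key, the JSON payload shape, the "device-class" attestation string and the sample site requests are all constructed assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Payload is what gets signed: a low-entropy device description plus a
// binding to the page's request (here a SHA-256 of the request bytes).
// The field layout is an assumption made for this example.
type Payload struct {
	Attestation    string `json:"attestation"`
	ContentBinding string `json:"content_binding"`
}

// Token is what the attester returns to the page: payload and signature.
type Token struct {
	Payload   []byte
	Signature []byte
}

// Attester holds one signing key. Whether that key belongs to a single
// device or to a whole cohort is the privacy question in the thread.
type Attester struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewAttester generates a fresh Ed25519 key pair (assumed algorithm).
func NewAttester() (*Attester, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Attester{priv: priv, pub: pub}, nil
}

// Public returns the key that "everyone can request".
func (a *Attester) Public() ed25519.PublicKey { return a.pub }

func bindContent(pageRequest []byte) string {
	sum := sha256.Sum256(pageRequest)
	return hex.EncodeToString(sum[:])
}

// Attest signs a payload built from the attestation string and the binding.
func (a *Attester) Attest(attestation string, pageRequest []byte) (Token, error) {
	raw, err := json.Marshal(Payload{Attestation: attestation, ContentBinding: bindContent(pageRequest)})
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: raw, Signature: ed25519.Sign(a.priv, raw)}, nil
}

// Verify is the relying party's check: the signature must verify under the
// published key and the binding must match the request this site sent.
func Verify(pub ed25519.PublicKey, tok Token, pageRequest []byte) (Payload, bool) {
	if !ed25519.Verify(pub, tok.Payload, tok.Signature) {
		return Payload{}, false
	}
	var p Payload
	if err := json.Unmarshal(tok.Payload, &p); err != nil {
		return Payload{}, false
	}
	if p.ContentBinding != bindContent(pageRequest) {
		return Payload{}, false
	}
	return p, true
}

// WhichKeySigned models what two sites comparing notes can learn: the index
// of the published key that verifies a token. With a per-device key that
// index is a stable cross-site identifier no matter how few bits the
// attestation string itself carries; with a cohort key it names only the
// cohort.
func WhichKeySigned(published []ed25519.PublicKey, tok Token) int {
	for i, k := range published {
		if ed25519.Verify(k, tok.Payload, tok.Signature) {
			return i
		}
	}
	return -1
}

func main() {
	dev, err := NewAttester()
	if err != nil {
		panic(err)
	}
	other, _ := NewAttester()
	// Constructed sample requests from two unrelated sites.
	tokA, _ := dev.Attest("device-class:generic", []byte("nonce-from-site-a"))
	tokB, _ := dev.Attest("device-class:generic", []byte("nonce-from-site-b"))
	published := []ed25519.PublicKey{other.Public(), dev.Public()}
	_, ok := Verify(dev.Public(), tokA, []byte("nonce-from-site-a"))
	fmt.Println("site A verifies its token:", ok)
	fmt.Println("key index seen by site A:", WhichKeySigned(published, tokA),
		"by site B:", WhichKeySigned(published, tokB))
}
```

The content binding stops a token issued for one site's request from being replayed to another, but the linkability comes from the key, not the payload: `WhichKeySigned` returns the same index for both tokens whenever they were produced by the same device key, which is the mechanism behind the question of per-device versus cohort keys.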