How can he reconcile these views with this spec, which he is the main author of? Surely Ben sees the parallels?
He writes: "Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app store but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app."
It's honestly comical and a little sad.
[1]: http://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-o...
Disclosure: I work at Google but not on this.
> Attesters will be required to offer their service under the same conditions to any browser who wishes to use it and meets certain baseline requirements.
What prevents this set of baseline requirements from being e.g. “the device is backed by a TPM from these four vendors”?
> Although a holdback would prevent the attestation signal from being used for per-request enforcement decisions, there remains immense value for measurement in aggregate populations. However, a holdback also has significant drawbacks.
“So, like, here’s a vague idea on how we might prevent this. However, this idea has significant problems.” Not a very convincing argument?
> If the community thinks it's important for the attestation to include the platform identity of the application
“If we assume that we can’t actually solve this…”
Basically there’s not much in the way of answers there. Generally when you put out proposals with a history of significant pushback I’d expect the likely feedback to be addressed in more depth than this.
(I guess since we’re doing disclaimers I also work at Google but not on this.)