Google Web Environment Integrity Is the New Microsoft Trusted Computing

>>neelc+(OP)
The problem here is that most people don't give a crap. I was explaining this situation to my girlfriend last night over a drink. She's a high level academic with a strong mathematical and logical background in a different field but she didn't really formulate an opinion on it past "if my stuff keeps working, why is it a problem?". Which is fair, because it's a hypothetical risk, but the side effects are a net negative and the open nature of the web is at risk.

As always people see the happy path down the middle of the forest, not the creatures waiting to leap out and eat them two steps down the line.

>>baz00+8t
> she didn't really formulate an opinion on it past "if my stuff keeps working, why is it a problem?".

Once upon a time, I was a homeless teenager running from a cult. If not for software I wouldn't have gotten out of that.

WEI (and other such things) are mainly about regulating who is allowed to write software, and so the way I think about it is this: If WEI existed when I was a homeless teenager, I might be dead.

I do not think I would like your girlfriend very much if she said keeping "her" stuff working was more important than my life, although I could understand her not understanding how big of a deal it is when you talk abstractly about the "open nature of the web" without putting it into human terms;

The "open" part is really important to get across because it means anyone who has the ability to can contribute: Does such a high level academic with a strong mathematical and logical background understand what can be lost not just to industry, but to science itself when a church wants to name itself the arbiter of who can work?

>>geocar+Hz
>WEI (and other such things) are mainly about regulating who is allowed to write software

No, it's about being able to prove that your device is secure. Attestation doesn't stop you from writing software for your device.

>if she said keeping "her" stuff working was more important than my life

Arguing that you would be dead if your viewpoint isn't correct is a bad argument.

>what can be lost not just to industry, but to science itself when a church wants to name itself the arbiter of who can work?

It would be a better analogy to say that "employers can run background checks on people who want to work for them." Because it is up to each website to choose which attestors they trust and the websites have the choice of doing whatever they want with information or not requiring attestation at all.

>>charci+fE
> Arguing that you would be dead if your viewpoint isn't correct is a bad argument

When discussing tradeoffs, it's not about correctness but value judgments. Is it preferable for people like geocar to die than to continue allowing people to access all websites with arbitrary devices and software?

Of course, there are services that could be exposed through a website where the consequences of improper use would be catastrophic, but I would argue the web is usually inappropriate for control of life-critical systems without other safeguards or redundancies.

>>Zak+cp1
My point is that he wouldn't die if attestation on the web had existed, but is saying that he would be dead to try and manipulate the people he is arguing with.

>>charci+1U1
We know neither their story nor the full impact of web attestation if Google is successful in popularizing it. It definitely has the potential to shift a huge amount of power to site owners from users, which constrains what kind of software can become popular.

Might that apply to the software geocar credits with saving their life? Without knowing more, we can't say. There's a good chance it applies to things like running open source operating systems and browsers.

zlacker