zlacker

[parent] [thread] 7 comments
1. Avaman+(OP)[view] [source] 2023-07-25 14:39:26
> The clearest end point for this is some government issued digital ID that just asserts who you are, acts as a login etc.

Already exists in a bunch of countries. Works better in some than in others.

The issue is that you don't want everything tied to that ID. In a less than ideal world, ideally the ID would just attest that some random pseudo-ID is real. Like Webauthn, kinda.

replies(1): >>helloj+Sm1
2. helloj+Sm1[view] [source] 2023-07-25 19:40:52
>>Avaman+(OP)
How would a user ever verify that every attlestation/id check isn't recording their web activity?
replies(1): >>Avaman+2o1
◧◩
3. Avaman+2o1[view] [source] [discussion] 2023-07-25 19:45:27
>>helloj+Sm1
Hash and sign functions usually don't allow reversal of those operations. Attestation doesn't require more cryptography.

It's kinda silly to start discussing implementation details of something that doesn't exist. Not to mention considering the alternative which is quite a bit more invasive than having an attested private pseodoidentity would be.

replies(1): >>helloj+qF1
◧◩◪
4. helloj+qF1[view] [source] [discussion] 2023-07-25 20:55:06
>>Avaman+2o1
I'm less concerned with reversing hashes and more concerned with tracking via the attlestation provider.

What is stopping them from recording the value returned to you that is then passed to the site you tried to visit? Does the data provided to the integrity checker allow for identification? Could the original vendor pass some value to use in the integrity check to prevent replay attacks, and could that value itself encode your personal information?

replies(1): >>Avaman+tY1
◧◩◪◨
5. Avaman+tY1[view] [source] [discussion] 2023-07-25 22:28:07
>>helloj+qF1
> What is stopping them from recording the value returned to you that is then passed to the site you tried to visit?

> Could the original vendor pass some value to use in the integrity check to prevent replay attacks, and could that value itself encode your personal information?

Well that value is most likely a cryptographic signature, a "challenge" or a combination of both. Unless there's some separate payload you can't really hide arbitrary data in hashes/signatures that would be used in such a process.

In the end "could" is a very loose word, PII as such is not really part of the process. In this current (Apple's PAT) case, the information is "you have an Apple device", can't currently hide anything else in that.

replies(1): >>helloj+Zb2
◧◩◪◨⬒
6. helloj+Zb2[view] [source] [discussion] 2023-07-25 23:59:59
>>Avaman+tY1
Thanks for the response. As a second question, would what prevent someone with an "approved" apple device from firing off a bunch of token requests and then distributing those tokens to different entities for those entities to submit to the origin to pass the validation test?
replies(1): >>Avaman+f43
◧◩◪◨⬒⬓
7. Avaman+f43[view] [source] [discussion] 2023-07-26 08:43:24
>>helloj+Zb2
They could, but I'm sure there are rate-limits in place against that.
replies(1): >>helloj+VJ3
◧◩◪◨⬒⬓⬔
8. helloj+VJ3[view] [source] [discussion] 2023-07-26 13:28:17
>>Avaman+f43
Good to know. And the rate limits themselves have to apply to user agents in the old style, right? Because there is no identifying information apart from current browser fingerprinting methods. If abused, do we foresee captchas having to be placed as a guard against attlestation abuse?
[go to top]