kbaker | 6 months ago
OK, I take it back, privacy is one of their specified goals:
> Note that the certificate chain for the TPM is never sent to the server. This would allow very precise device fingerprinting, contrary to our privacy goals. Servers will only be able to confirm that the browser still has access to the corresponding private key.
However, I still wonder why they don't have TLS try to always create a client certificate per endpoint to proactively register on the server side. Seems like this would accomplish a similar goal?
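The check the quoted explainer describes, as an added example that is not part of this thread or of the DBSC project: the server keeps only the public key registered when the session was created and, on refresh, verifies a signature over a fresh nonce, so it learns nothing beyond "the browser still holds the key". The per-site key map, the in-memory Ed25519 key standing in for a TPM-held one, and the names Device, Server, KeyFor, Sign, Challenge and Verify are assumptions of this example, not the DBSC wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Device models the browser: one signing key per site. DBSC would keep the
// private key in the TPM (typically an ECDSA key); the in-memory Ed25519 key
// used here is a stand-in.
type Device map[string]ed25519.PrivateKey

// KeyFor returns the site's public key, generating a fresh pair on first use,
// so two sites never see the same key and cannot correlate the device.
func (d Device) KeyFor(site string) ed25519.PublicKey {
	if d[site] == nil {
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		d[site] = priv
	}
	return d[site].Public().(ed25519.PublicKey)
}

// Sign answers a refresh challenge. Only the signature leaves the device; the
// TPM certificate chain is never sent, so the server learns nothing else.
func (d Device) Sign(site string, challenge []byte) []byte {
	d.KeyFor(site) // make sure the site's key exists
	return ed25519.Sign(d[site], challenge)
}

// Server stores the public key registered when each session was created.
type Server map[string]ed25519.PublicKey

// Challenge is a fresh random nonce, so a captured signature cannot be replayed.
func (s Server) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts a refresh only if sig proves possession of the session's key.
func (s Server) Verify(session string, challenge, sig []byte) bool {
	pub, ok := s[session]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```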
arnarbi | 6 months ago
That is effectively what Token Binding does. That was unfortunately difficult to deploy because the auth stack can be far removed from TLS termination, providing consistency on the client side to avoid frequent sign-outs was very difficult, and (benign) client-side TLS proxies are a fairly common thing.
Some more on this in the explainer: https://github.com/w3c/webappsec-dbsc#what-makes-device-boun...
IlikeKitties | 6 months ago
[deleted]
gjsman-1000 | 6 months ago
Session cookies have zero correlation to fingerprinting.