
Ask HN: Is PGP-based web-environment-integrity possible?

6 points by subtract-smiles, almost 2 years ago

Recently, Google announced their new proposal for Web Environment Integrity in which "trusted" organizations may attest to the validity of a web request.

Now I'm not a cryptography expert by any means, but the more I read about it the more I feel like it is very similar to PGP's key-signing concept whereby individuals can attest to the trustworthiness of a PGP key by staking their own trustworthiness on top of it, which also carries the trustworthiness of those who signed *their* key, and so on.

In the end, wouldn't it be better to implement a similar system (if it must be implemented at all) whereby the browser or OS signs the user's key and any other company or individual who has signed that OS or browser can attest to the trustworthiness of that browser?

Again, I don't have a full understanding of any of these concepts, so if this is a dumb idea please tell me.

1 comment

sircastor, almost 2 years ago

The primary complaint that people have about attestation is not in the signing, but rather in what and who is doing the signing.

In a PGP signing scenario the user would be signing the environment saying “this is me, and this is my environment”. The Google proposal has the browser deciding if the environment is an acceptable one (dictated by what Google decides is acceptable) and then signs the request *whether the user agrees or not*.

Which is to say that it’s not a matter of identity (or not much) but of authority, and the proposal is to shift the authority from the owner of the environment (the user) to that of the browser-maker (who is coincidentally also the owner of the largest ad network).