by staticassertion 2153 days ago
Zero Trust != VPN. Zero Trust means that the network is not what determines trust.

Consider this:

* You go to your office, connect to the network
* Now you have access to internal services, by virtue of being on the network

In a Zero Trust network it does not matter what network you are on. Trust is handed out individually, based on the identity/role of the user and the context of their session (is their OS patched? running security tools?).

1 comment

How does the site know the user's OS is patched? The User Agent? How about whether security tools are running?

The attacker can surely use a patched OS. Are the security tools secret? If not, then the attacker can run the security tools too.

> How does the site know the user's OS is patched? The User Agent?

User agent is a great place for a version 0, sure. 99% of your assets aren't compromised, so worrying about a bypass isn't important to most of them. For a v0 just knowing that most of your boxes are patched is a huge win.

Of course you'll want client certificates on devices, or some sort of TPM, which is how Chromebooks work. The attacker having a box is not enough - identity is a key principle of zero trust networks.
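The decision logic the thread describes, as an added illustration (not code from either commenter): the top post's point that network location never enters the access decision, and the reply's point that self-reported posture such as a User-Agent string is not trusted once devices carry a key. The device inventory, device keys, role table, resource names and patch baseline are all constructed for the example. A per-device HMAC key stands in for the client certificate or TPM key the reply mentions; a real deployment would verify a certificate chain or a TPM quote instead, and would bind a freshness nonce into the attestation.

```python
"""Zero trust access decision: identity, role and attested device posture decide.

Added example; the inventory, keys, roles and baseline below are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed inventory: device id -> key the device's posture agent signs with.
# Stand-in for a per-device client certificate / TPM-backed key.
DEVICE_KEYS = {"laptop-017": b"key-for-laptop-017", "laptop-042": b"key-for-laptop-042"}

# Constructed role table: which internal resources each role may reach.
ROLE_ACCESS = {"engineer": {"wiki", "ci"}, "finance": {"wiki", "ledger"}}

# Hypothetical patch baseline (YYYYMMDD) below which a device is treated as unpatched.
MIN_PATCH_LEVEL = 20240301


@dataclass
class Session:
    user: str
    role: str
    device_id: str
    source_network: str  # recorded for logging only; never consulted by authorize()
    posture: dict        # claims from the device agent, e.g. patch level, EDR state
    posture_sig: str     # hex HMAC over the canonical posture JSON


def _canonical(posture: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(posture, sort_keys=True, separators=(",", ":")).encode()


def sign_posture(device_id: str, posture: dict) -> str:
    """What the device agent does: sign its posture claims with the device key."""
    return hmac.new(DEVICE_KEYS[device_id], _canonical(posture), hashlib.sha256).hexdigest()


def verify_posture(session: Session) -> bool:
    """Accept posture claims only if signed by a key we issued to that device.
    Unsigned or self-reported claims (a User-Agent string, say) fail here."""
    key = DEVICE_KEYS.get(session.device_id)
    if key is None:
        return False
    expected = hmac.new(key, _canonical(session.posture), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, session.posture_sig)


def authorize(session: Session, resource: str) -> tuple[bool, str]:
    """Return (allowed, reason). Note that source_network is never read."""
    if resource not in ROLE_ACCESS.get(session.role, set()):
        return False, "role not permitted"
    if not verify_posture(session):
        return False, "posture not attested"
    if session.posture.get("patch_level", 0) < MIN_PATCH_LEVEL:
        return False, "os unpatched"
    if not session.posture.get("edr_running", False):
        return False, "security tooling absent"
    return True, "ok"


def demo_decisions() -> dict:
    """Constructed sessions: being on the corporate LAN buys nothing by itself."""
    healthy = {"patch_level": 20240415, "edr_running": True}
    stale = {"patch_level": 20231201, "edr_running": True}

    # Remote, on an untrusted network, but attested and patched: allowed.
    remote = Session("alice", "engineer", "laptop-017", "coffee-shop-wifi",
                     healthy, sign_posture("laptop-017", healthy))
    # Attacker plugged into the office LAN with a box we never issued a key to,
    # claiming a perfect posture: denied, the claims cannot be verified.
    forged = Session("mallory", "engineer", "laptop-999", "corp-lan", healthy, "deadbeef")
    # Legitimate device on the LAN but behind on patches: denied.
    unpatched = Session("bob", "engineer", "laptop-042", "corp-lan",
                        stale, sign_posture("laptop-042", stale))
    # Healthy device, but the role does not cover the resource: denied.
    wrong_role = Session("alice", "engineer", "laptop-017", "corp-lan",
                         healthy, sign_posture("laptop-017", healthy))

    return {
        "remote_attested": authorize(remote, "ci"),
        "onsite_forged": authorize(forged, "ci"),
        "onsite_unpatched": authorize(unpatched, "ci"),
        "onsite_wrong_role": authorize(wrong_role, "ledger"),
    }


if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{name}: {decision}")
```

The point of the four sessions is that the only one granted access is the one off the corporate network; the three on the LAN are refused for reasons that have nothing to do with where they connected from.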