by hedora
740 days ago
Attestation is going to be abused. The only thing it is useful for is establishing centralized control over client software. That'll eventually imply that all clients are user hostile, probably both from a surveillance capitalism perspective, and from a government surveillance perspective.

This isn't a theoretical concern. All of the groundwork (except device attestation at login) has already been laid:

- The US CLOUD Act already says that service providers have to provide the government with access to all information they're technically capable of accessing.
- Microsoft's existing client debugging mechanisms allow them to pull files from Windows machines with management approval.

Once there's a de facto ban on running web browser binaries that aren't produced by a FAANG (established by the passkey standard), all the vendors have to do is add MS-style telemetry / debugging, and it's game over. In all likelihood, there will be legislation in a few years that forces any holdouts to implement that sort of a mechanism.