Hacker News

microtonal, yesterday at 2:10 PM

I think there are two fights that are both worth fighting:

1. Completely outlawing remote attestation.

2. In a world where remote attestation is given, let it be controlled in a fair way and not just by Google and Apple.

The risk is that only fighting for (1) leaves you in a world with remote attestation, where only Google and Apple can decide who gets to pass and who not. In fact, that is pretty much the world we are in already.

I agree that they are both worth fighting for, but I think (2) is much easier to accomplish, simply because Play Integrity is probably a DMA violation. (IANAL blah blah)


Replies

Retr0id, yesterday at 2:17 PM

Allowlisting GrapheneOS's AVB keys does not meaningfully achieve 2, see https://news.ycombinator.com/item?id=48732675

It would be a win for GrapheneOS users though, so I hope they do get support.

jt2190, yesterday at 2:45 PM

Why is attestation always bad, all the time? When two people interact there’s a trust/risk calculation on both sides. Isn’t attestation just a means of reducing risk for both parties? (We can debate who should control the attestation process and how it should work but your point 1 suggests that there is never a good form of attestation.) What would we do instead?
