Well, it's a good thing Device Bound Session Credentials (DBSC) as proposed here has no way to actually send said endorsement key anywhere; rending the objection irrelevant. The TPM is only for secure storage as verified by the browser itself, not the website being visited.
> You all don't understand how any of this tech works but you think you do.
We do; and it is specifically called out in the spec that the certificate chain is not submitted, due to the potential for overpowered fingerprinting. As such, this battle, should they make a move to change that, needs to be fought a different day. Fighting against hypotheticals is pointless.
Edit: For the pedantic, fighting against hypothetical things that they could do if they invented something that doesn't exist right now, is pointless.
Edit 2: You can't boil a frog without ecosystem cooperation. The internet isn't going to bow to inconsistent adoption. They already made it clear with WEI they have no interest.
No, fighting against things that have already happened is pointless. We only ever fight against hypotheticals. We fight to avoid something happening that has not happened.
> Edit: For the pedantic, fighting against hypothetical things that they could do if they invented something that doesn't exist right now, is pointless.
But it ALREADY EXISTS on Android[0] and has been proposed by google to be added to chrome before [1]. They are OBVIOUSLY using a boil the frog approach here like forcing android devs to register to sideload [2]. This is obviously designed to slowly roll out these checks small steps at a time. To not see that is to be willingly ignorant.
