The idea is that it would be similar to hardware attestation in Android. In fact, that's where Google got the idea from.
Basically, this is the way it works:
-
You download a web browser or another program (possibly even one baked into the OS). This is the "attester". Attesters have a private key that they sign things with. This private key is baked into the binary of the attester (so you can't patch the binary).
-
A web page sends some data to the attester. Every request the web page sends will vary slightly, so an attestation can only be used for one request - you cannot intercept a "good" attestation and reuse it elsewhere.
-
The attester takes that data and verifies that the device is running stuff that corresponds to the specs published by the attester - "this browser, this OS, is not running this program, subject to these rate limits," etc.
-
If it meets the requirements, the attester uses their private key to sign. (Remember that you can't patch out the requirements check without changing the private key and thus invalidating everything.)
-
The signed data is sent back to the web page, alongside as much information as the attester wants to provide. This information will match the signature, and can be verified using a public key.
-
The web page looks at the data and decides whether to trust the verdict or not. If something looks sketchy, the web page has the right to refuse to send any further data.
They also say they want to err towards having fewer checks, rather than many ("low entropy"). There are concerns about this being used for fingerprinting/tracking, and high entropy would allow for that. (Note that this does explicitly contradict the point the authors made earlier, that "Including more information in the verdict will cover a wider range of use cases without locking out older devices.")
That said - we all know where this will go. If Edge is made an attester, it will not be low entropy. Low entropy makes it harder to track, which benefits Google as they have their own ways of tracking users due to a near-monopoly over the web. Google doesn't want to give rivals a good way to compete with user tracking, which is why they're pushing "low-entropy" under the guise of privacy. Microsoft is incentivized to go high-entropy as it gives a better fingerprint. If the attestation server is built into Windows, we have the same thing.