It looks like they propose to mix false signals to prevent this from being abused, but oh. That's easy to bypass. Require two attestations back to back to see whether they differ, or put up a page saying, "can you please try again?"
The open question is circling around the question: can we make it work in a way such that it doesn't work for bad guys, but works for good guys?
Mathematics & cryptography don't work like that. They don't discriminate. They level everyone. It'll either become an iron fist or a Swiss cheese. There can be no middle. This is maths.
What about neurodivergent people who cannot function on an "approved" OS because of the inherent ways it manages, stores, and presents information? What if that OS has an ACID compliant browser capable of accessing the bank's website if they didn't have remote attestation?
What about the millions of people unable to afford to upgrade their hardware to Windows 11? Or that don't have TPM available and therefore can't use any other Windows version because 10 fell out of support, so they're running a Linux distro with an unapproved web browser?
Yes, because it's stupid; they don't need to. The bank cares about correctly identifying who I am, not what client I am using. Nor do they exclude certain browsers because those browsers make it easier for a user to lie about who they are; they don't. Banks exclude certain browsers because their technically incompetent coders convinced their technically incompetent managers to do so.
Some people can't help bringing this up in every WEI-related thread only to be debunked each time. This very article graciously mentions it and explains why it's a non-solution.
That "proposal" is doublethink in its purest form. WEI is a technology for restricting access to web services. But at the same time, it would try to prevent web service providers from doing exactly that?