Mastodon Feed: Post

slightlyoff@toot.cafe ("Alex Russell") wrote:

Welp:

https://httptoolkit.com/blog/apple-private-access-tokens-attestation/

...and it checks out:

https://www.fastly.com/blog/private-access-tokens-stepping-into-the-privacy-respecting-captcha-less#:~:text=The%20client%20then%20blinds%20the%20challenge%20and%20includes%20it%20in%20a%20token%2Drequest%20message%20to%20a%20system%20(%E2%80%9Cattester%E2%80%9D)%20that%20(1)%20can%20attest%20to%20the%20property%20the%20website%20cares%20about%20(like%20running%20on%20a%20verified%20iOS%20device)%20and%20(2)%20is%20trusted%20by%20the%20system%20that%20issues%20the%20token%20(%E2%80%9Cissuer%E2%80%9D).%C2%A0

Attachments:

• `The client then blinds the challenge and includes it in a token-request message to a system (“attester”) that (1) can attest to the property the website cares about (like running on a verified iOS device) and (2) is trusted by the system that issues the token (“issuer”).` (remote)