I'm not denying there are challenges and potential bad outcomes with this, you're asking valid questions that I don't claim to have a good answer for.
My point is that the WEI proposal is trying to solve a genuine and increasingly important issue for providers on the web. And, there's at least a possible outcome where we have many trusted providers that maintain the core parts of the open web that we love while giving these providers some better solution than what exists now.
As for why would they trust Brave? I imagine it'd be similar to TLS now, where website owners probably wouldn't even think about this and they'd just use CA chains provided by browsers, operating systems, etc.
> My point is that the WEI proposal is trying to solve a genuine and increasingly important issue for providers on the web.
> Given how much large platforms have struggled to fight bots, and that it's only going to get worse with the rise of AI, I think something like this is going to end up being a necessity eventually.
I want my browser experience to be focused on solving _my_ issues. Helping trillion dollar big tech companies fighting bots is honestly very low in my priority list of browser (anti)features.
The security model of TLS is chained to the DNS. What one proves by holding a TLS cert is that one owns a given domain, no more no less (I mean there's EV certs but no one cares about EV certs).
You won't ever have that with browser builds because there's nothing like that to tie them to.. (user agent string?). There will be no basis upon which to build trust except for market share, and to gain market share you have to already be trusted.
Also, for WEI to work, you need to certify a lot more then just the build of the browser.... You need to certify all of the shared libraries it pulls in (including the userspace graphics libraries), everything that runs in kernel mode, the firmware, and the actual hardware.
I would assert that the idea you are proposing is simply not going to happen. There is just no way that anything other than an unmodified build of a big-name browser running on an OS from a big-name vendor gets certified.
I'm much more worried about abusive service providers, which this will enable. A browser is a user agent. It ought to act on behalf of the user, not some random website I'm visiting.
> My point is that the WEI proposal is trying to solve a genuine and increasingly important issue for providers on the web.
There is no issue. In general the companies who encounter this "issue" the most are already making plenty of money. They have billions of dollars available to fight bots and they're free to use them if they think it's worth it. No one writes sophisticated bots for Mom&Pop websites, there's nothing to be gained from doing so.
My point is that the WEI proposal is trying to solve a genuine and increasingly important issue for providers on the web. And, there's at least a possible outcome where we have many trusted providers that maintain the core parts of the open web that we love while giving these providers some better solution than what exists now.
As for why would they trust Brave? I imagine it'd be similar to TLS now, where website owners probably wouldn't even think about this and they'd just use CA chains provided by browsers, operating systems, etc.