After a conversation with the team earlier in the week, I'm comfortable with this shipping as an origin trial to get some feedback from the wild about how it works and whether it solves the problems the team is aiming to solve.
That said, I have a few thoughts about things that we should revisit before moving from OT to stable:
1. The integration with exfiltration mitigation tools like CSP, extensions, etc. needs to be spelled out and implemented. It would be Bad™ if this communication channel wasn't visible to (and blockable by) extensions, and similarly bad if developers weren't able to constrain it via something like `connect-src`.
a. We're in the process of strengthening the promise we make to users around mixed content, and the confidentiality of user data on pages that aren't positively marked as "Not Secure". Delegating the ability to decide what's trustworthy-enough to the page, as opposed to keeping that responsibility in the browser, feels very odd, and I suspect we're going to find out that it enables more bad things than we know about today. vasilvv@, et al. rightfully point out that we're already shipping this mechanism via WebRTC's data channels. That means there's no incremental risk in moving to OT, but it's something I'm uncomfortable with. The team suggested that there were ways of making the carve-out from the web PKI somehow costly to the implementer, such that it couldn't be used for bad purposes. I'd like to hear more about those mitigations before shipping. vasilvv@ noted that there's a lifetime limit on certs accepted by the fingerprinting mechanism. I'd like to hear how that works out, and whether there are other forcing functions we can put into place for the future.
b. It's not clear how we know whether or not to trust any URL-based filtering mechanism if that mechanism can't rely upon the assertions of actual ownership that would be provided by gathering a publicly trusted cert for a given hostname. vasilvv@ suggested that embedding the fingerprint in the `quic-transport:` URL scheme might give us the ability to perform that kind of filtering, and prevent folks from abusing this mechanism to avoid extensions. I'm interested in hearing more about what that might look like.
So. LGTM to origin trial, with the understanding that we'll continue the conversations around the questions above.