But they're not cheeky MITM proxies; it's the way HTTP traffic inspection is done. Even if the right to inspect your traffic was legislated, it would need to be compatible with existing MITM tooling.
Why am I suddenly getting the "just go get some legislation" treatment? I could just as well give you a lesson about how trying to prevent corporate MITM middleboxes with technological means is a lost cause and you should just work on getting some legislation to prevent it.
The difference, to me, is that eliminating the ability for someone who isn't the operator of a website to present a valid cert for that website is an improvement for security and reliability.
> it would need to be compatible with existing MITM tooling
In my ideal world it wouldn't be; it would be done on the endpoint before/after the traffic is encrypted/decrypted. There would be no need to MITM anything; the OS would happily show you the content and be legally required to provide facilities for the user/software to do so.
Regulating away MITM proxies doesn't make sense because we don't need to do it; you can prevent middleboxes with nothing other than tech by breaking the ability to MITM connections.
> Regulating away MITM proxies doesn't make sense because we don't need to do it; you can prevent middleboxes with nothing other than tech by breaking the ability to MITM connections.
You can, because you're talking about middleboxes. But you can't really prevent the owner of the device from MITM-ing traffic; you can just make their life needlessly harder. Or you can attempt to make them not be the owner of the device, so that they are not fully in control, which is unacceptable.
I agree middleboxes shouldn't exist, but the only reason they are able to is because you're not the owner of the device you're communicating from. That's a problem you can solve with legislation.
> In my ideal world it wouldn't be; it would be done on the endpoint before/after the traffic is encrypted/decrypted. There would be no need to MITM anything; the OS would happily show you the content and be legally required to provide facilities for the user/software to do so.
This sounds technically unfeasible. HTTP can be done by any number of userland libraries. How is the OS to ensure that all such libraries are compliant?
On top of that, you're talking about the creation of a new kind of protocol for this kind of thing here. There's an insane amount of tooling currently using HTTP proxies for this which cannot be easily replaced.