> If you make something possible, it will be used.

Sure, but that's not without tradeoffs. I come back to:

> Any service requiring attestation for passkeys will effectively lock out every iPhone user - not going to happen.

And I come back to: if it would never work, why not drop support? "We pinky promise" is just not good enough.

> if it would never work, why not drop support?

Because passkeys are designed to replace passwords across multiple different service contexts, that have different requirements. Just because there's no reason to use it for one use case doesn't mean it's not actually useful in a different one. See things like FIPS140 (which everyone ignores unless they're legally required not to).

Can you sketch out for me the benefit of a public-facing service deciding to require passkey attestation? What's the thought process? Why would they decide to wake up and say "I know, I'm going to require that all of my users authenticate just with a Yubikeys and nothing else"?

> Can you sketch out for me the benefit of a public-facing service deciding to require passkey attestation? What's the thought process?

A misguided administrator is very likely to think "They can't use a malicious device to access our service".

What's the benefit for a private service?

Is there a difference? It's a field in the response payload that nobody is filling out except the corps that need it. Would it make you feel better if they moved it to an appendix and called it an optional extension?

> Would it make you feel better if they moved it to an appendix and called it an optional extension?

That kind of thing can make a huge difference once this standard starts becoming e.g. required for government procurement.

As long as it required an extension and extra application.

I should need to install an enterprise authenticator app, which speaks webpki-enterprise, if you want to enable that shit.