Great, they can use standards that aren't targeted at running services for the general public. It seems like the requirements already diverged.

Drop attestation from passkeys, and I become a promoter. Keep it, and I suggest people stay away.

If it's not something anyone intends to use on public services, this should be uncontroversial. Dropping attestation simplifies implementation, and makes adoption easier as a result.

What makes you think that the Webauthn standards are "targeted at running services for the general public"?

> It seems like the requirements already diverged.

No, the requirements are _contextual_. This isn't a new idea.

The fact that sites targeted at the general public are prompting me to use them. Should websites avoid using passkeys and webauthn? Would you like to tell them that they're doing it wrong?

I missed a word out from my question. Let me try again.

What makes you think that the Webauthn standards are _only_ "targeted at running services for the general public"?

Yeah, so if you want me to trust them, the harmful parts need to get removed from specs used in public contexts.

I would love to use public key cryptography to authenticate with websites, but enabling remote attestation is unacceptable. And pinky swears that attestation won't be used aren't good enough. I've seen enough promises broken. It needs to be systematic, by spec.

Passwords suck. It's depressing that otherwise good alternatives carry poisonous baggage.

If you make something possible, it will be used.

> If you make something possible, it will be used.

Sure, but that's not without tradeoffs. I come back to:

> Any service requiring attestation for passkeys will effectively lock out every iPhone user - not going to happen.

And I come back to: if it would never work, why not drop support? "We pinky promise" is just not good enough.

> if it would never work, why not drop support?

Because passkeys are designed to replace passwords across multiple different service contexts, that have different requirements. Just because there's no reason to use it for one use case doesn't mean it's not actually useful in a different one. See things like FIPS140 (which everyone ignores unless they're legally required not to).

Can you sketch out for me the benefit of a public-facing service deciding to require passkey attestation? What's the thought process? Why would they decide to wake up and say "I know, I'm going to require that all of my users authenticate just with a Yubikeys and nothing else"?

> Can you sketch out for me the benefit of a public-facing service deciding to require passkey attestation? What's the thought process?

A misguided administrator is very likely to think "They can't use a malicious device to access our service".

What's the benefit for a private service?

Is there a difference? It's a field in the response payload that nobody is filling out except the corps that need it. Would it make you feel better if they moved it to an appendix and called it an optional extension?

> Would it make you feel better if they moved it to an appendix and called it an optional extension?

That kind of thing can make a huge difference once this standard starts becoming e.g. required for government procurement.

As long as it required an extension and extra application.

I should need to install an enterprise authenticator app, which speaks webpki-enterprise, if you want to enable that shit.