Attestation does not belong in a standard that's used with consumer devices. Make the payloads extensible so that corporations/gov can add their own attestation data as an extension if they want, but websites have no business being able to enforce whether I am using a Microsoft or Google approved device, and e.g. banks inevitably will unthinkingly add it as a "best practice" if it's there (they already do this with mobile apps). This decreases user security as the options we all know will make up the acceptable list are compromised with built-in malware today.

Attestation is going to be abused. The only thing it is useful for is establishing centralized control over client software. That'll eventually imply that all clients are user hostile, probably both from a surveillance capitalism perspective, and from a government surveillance perspective.

This isn't a theoretical concerns. All of the groundwork (except device attestation at login) has already been laid:

- The US CLOUD act already says that service providers have to provide the government with access to all information they're technically capable of accessing.

- Microsoft's existing client debugging mechanisms allow them to pull files from windows machines with management approval.

Once there's a de facto ban on running web browser binaries that aren't produced by a FAANG (established by the passkey standard), all the vendors have to do is add MS-style telemetry / debugging, and it's game over. In all likelihood, there will be legislation in a few years that forces any holdouts to implement that sort of a mechanism.