[cr7pt0]

I think the whole attestation thing is generally a terrible idea. It's not impossible to extract data from secure hardware, right now there is not a lot of incentive to do it because it's not going to get you much, spend a month of hardware research to get one user's key, no thanks. But with whole batches of devices having the same private attestation key stored on the device this incentives essentially ransom of security key vendors. I.e. Lets say I am a hacker that spends a month of hardware research finding a vulnerability and extracting the attestation private from a token. Its worth my time because I know this vendor has 100,000+ keys out there that uses this same attestation key. I then request that vendor send me $500,000 in bitcoin or I release the private publicly. The vendor pays the ransom because it's cheaper than recalling 100,000+ security keys. Another issue here is it's not if but when this happens, so when it does how do all of the web sites out there update to block the hacked keys? Lots of web sites never will. Time to rethink the attestation key being stored each token, that's a bad idea.