[zacharyvoase]

WebAuthn uses such a directory already. Most implementations validate the attestation against a public database of ‘trusted’ device types (and DAA enables this to be done without compromising anonymity, up to the uniqueness of a device type)

[hirsin]

That's not a trust statement, and it's not reliable as a proof. You can reliably tell you've seen this authenticator before, but that doesn't solve the problem being described here

[zacharyvoase]

Trust is a ladder, and identifying the make/model of device is but one rung of it.