by spopejoy 1065 days ago
Until the UX problem is solved making it infallible for noobs to manage PKI, it's probably better for the bank to manage it. Your ideal world at a minimum requires:

- an on-card UI. Yubikey-style one-button-tap is not enough, you actually need to verify the transaction details.

- integration with backend systems to support rotation and recovery, because otherwise folks will screw this up and lock themselves out.

There's a reason WebAuthn passkey has obfuscated PKI to oblivion, because they simply can't figure out how to entrust end users with keys.

To be clear, I'm a PKI fan and want all of these things to exist, but we're very far from it. In the interim, a bank-managed PKI is a welcome improvement.