by reginald78 608 days ago
Pretty telling thread. Tim Cappalli, one of the spec writers, drops by to criticize the export feature and suggests that the attestation feature should be used to punish them for not implementing the fully locked in version.

The credential exchange changes nothing IMO, the rod to punish anyone who doesn't want their credentials stored on a tech giant's servers is still there.


I halfway expect a v2 specification where keys are only stored on a few "Certified Attestation-capable" providers (i.e. facebook, google, apple, amazon)

Then watch them get hacked through a systems management plugin like Clownstrike, or Solarwinds.

That's not what happened. He said quote "which would allow RPs to block you, and something that I have previously rallied against".

This is something that has been proposed that Tim fought against but mentioned in the thread to provide context of the types of kneejerk reactions the spec authors have had to push back against.

Let's be truthful and show the remainder of that parenthetical:

> (which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations)

I read "these situations" to mean "non-spec-compliant providers", where "spec-compliant" means to prevent plaintext export of resident keys.
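The mechanism the thread keeps circling back to, an RP "blocking you" on the basis of attestation, comes down to the relying party reading the AAGUID out of the registration response's authenticatorData and applying a policy to it. The following is an added illustration written for this page, not code from any commenter, from the WebAuthn authors, or from any passkey provider: it parses the authenticatorData byte layout (rpIdHash, flags, signCount, then the attested credential data carrying the AAGUID), and runs a hypothetical RP-side blocklist over it. The AAGUID values, the `evaluate_registration` policy and the `build_auth_data` helper that fabricates sample input are all constructed for the example and identify no real product. It also shows the caveat that matters for the thread's argument: when attestation is not conveyed the AAGUID arrives as sixteen zero bytes, so an RP can only distinguish providers if it asks for attestation and the authenticator supplies it.

```python
import hashlib
import struct
import uuid

# Flag bits in the authenticatorData flags byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified
FLAG_AT = 0x40   # attested credential data is included

# All-zero AAGUID: what the client sends when the RP requested attestation
# "none", so the authenticator model is deliberately not identified.
ZERO_AAGUID = uuid.UUID(int=0)

# Constructed placeholder AAGUIDs for this example; they identify no real product.
AAGUID_EXPORTING_PROVIDER = uuid.UUID("11111111-1111-1111-1111-111111111111")
AAGUID_OTHER_PROVIDER = uuid.UUID("22222222-2222-2222-2222-222222222222")


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed header and, if present, the attested credential data.

    Layout: rpIdHash[32] | flags[1] | signCount[4] (big-endian)
            | aaguid[16] | credIdLen[2] | credId[credIdLen] | credentialPublicKey (COSE)
    The COSE public key is CBOR and is left unparsed here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credentialId truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        parsed["credential_id"] = cred_id
    return parsed


def evaluate_registration(auth_data: bytes, rp_id: str, blocked: set) -> tuple:
    """Hypothetical RP registration policy: returns ("accept" | "reject", reason)."""
    p = parse_auth_data(auth_data)
    if p["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return ("reject", "rpIdHash does not match this RP")
    if not p["flags"] & FLAG_UP:
        return ("reject", "user presence not asserted")
    if p["aaguid"] is None:
        return ("reject", "registration response carries no attested credential data")
    if p["aaguid"] == ZERO_AAGUID:
        # Attestation was not conveyed: the RP cannot tell providers apart,
        # so an AAGUID blocklist is unenforceable. This policy accepts anyway.
        return ("accept", "attestation not conveyed; provider unknown")
    if p["aaguid"] in blocked:
        return ("reject", f"authenticator model {p['aaguid']} is on the blocklist")
    return ("accept", f"authenticator model {p['aaguid']} permitted")


def build_auth_data(rp_id: str, aaguid: uuid.UUID, flags: int,
                    cred_id: bytes = b"\x01\x02\x03\x04") -> bytes:
    """Construct a registration authenticatorData blob for the example (not real authenticator output)."""
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
    if not flags & FLAG_AT:
        return header
    cose_key_stub = b"\xa0"  # empty CBOR map standing in for the COSE public key
    return header + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_key_stub


if __name__ == "__main__":
    blocked = {AAGUID_EXPORTING_PROVIDER}
    for label, ag in [("exporting provider", AAGUID_EXPORTING_PROVIDER),
                      ("other provider", AAGUID_OTHER_PROVIDER),
                      ("attestation none", ZERO_AAGUID)]:
        ad = build_auth_data("example.com", ag, FLAG_UP | FLAG_UV | FLAG_AT)
        print(label, evaluate_registration(ad, "example.com", blocked))
```

The policy function is deliberately a blocklist rather than an allowlist so that an unknown AAGUID is accepted by default; the same parser serves either design, and the zero-AAGUID branch is the point at which a real deployment has to decide whether "provider unknown" is acceptable.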