> You seem tied to a narrative where a user can install a native app that gets permission to call core OS/platform APIs that let the app get all the public keys of passkeys on the device

Yes? One of the main points of passkeys is that if your device is compromised, all your accounts aren't. With your system, they are.

> In reality, only the platform/OS and highly trusted actors/components that are already within the existing trust model

No, they aren't. If they were, the HSM/secure enclave wouldn't be needed at all.

I've entertained this nonsense for almost 2 hours now; I'm done. The fact is, if the public key gets out, then your system is compromised, and I have shown you most (if not all) roaming authenticators have a way to enumerate public keys, as does every software HSM I've ever interacted with.